Glance policy and image owner
Bug #1790446 reported by
Ben O'Hara
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Glance |
New
|
Undecided
|
Unassigned |
Bug Description
Trying to restrict glance to only allow editing/deleting a tenants own images.
According the the docs, this should work.
"is_owner": "tenant:%(owner)s",
"modify_image": "rule:is_owner",
"delete_image": "rule:is_owner",
However, with this set, no user can then delete/modify images, as if the 'is_owner' rules never matches!
With the default policy, a normal user is able to edit/delete public images that they dont own. If the public image is set as 'protected' they cant delete it.
How are you meant to restrict actions to the owner of an image?
To post a comment you must log in.
> With the default policy, a normal user is able to edit/delete public images that they dont own.
This is very unlikely. Are you sure you are using the default policy file?
> If the public image is set as 'protected' they cant delete it.
This is true for any image independently of its visibility.
> How are you meant to restrict actions to the owner of an image?
You don't have to do anything! The way Glance operates is that a non-admin user cannot access images which are in a project different from that user's project. The only way a non-admin user can access images in another project is to have a keystone administrator make that user a member of that other project.
So for example, in the default policy file we have:
"delete_image": ""
That means that ANY user can make a delete-image call ... but this does NOT mean that ANY user can delete ANY image. You can still only delete those images that are owned by a project that you are a member of.
An administrator can access all the images in Glance. The way you make someone an administrator is to give them the role or roles that are recognized by the "context_is_admin" policy target in the Glance policy file and then using "is_admin: True" in later policy definitions.
By the way, I suspect that the documentation is incorrect. I think the is_owner rule would have to be defined as
"is_owner": "owner:%(owner)s"
BUT -- you DO NOT NEED an "is_owner" rule to restrict "modify_image" and "delete_image" -- they are restricted to the image owner or a Glance administrator *in the code*.