Glance policy and image owner

Bug #1790446 reported by Ben O'Hara
This bug affects 2 people
Affects: Glance
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (blank)

Bug Description

Trying to restrict glance to only allow editing/deleting a tenant's own images.

According to the docs, this should work.

    "is_owner": "tenant:%(owner)s",
    "modify_image": "rule:is_owner",
    "delete_image": "rule:is_owner",

However, with this set, no user can then delete/modify images, as if the 'is_owner' rule never matches!

With the default policy, a normal user is able to edit/delete public images that they don't own. If the public image is set as 'protected' they can't delete it.

How are you meant to restrict actions to the owner of an image?

Brian Rosmaita (brian-rosmaita) wrote :

> With the default policy, a normal user is able to edit/delete public images that they don't own.

This is very unlikely. Are you sure you are using the default policy file?

> If the public image is set as 'protected' they can't delete it.

This is true for any image independently of its visibility.

> How are you meant to restrict actions to the owner of an image?

You don't have to do anything! The way Glance operates is that a non-admin user cannot access images which are in a project different from that user's project. The only way a non-admin user can access images in another project is to have a keystone administrator make that user a member of that other project.

So for example, in the default policy file we have:

  "delete_image": ""

That means that ANY user can make a delete-image call ... but this does NOT mean that ANY user can delete ANY image. You can still only delete those images that are owned by a project that you are a member of.

An administrator can access all the images in Glance. The way you make someone an administrator is to give them the role or roles that are recognized by the "context_is_admin" policy target in the Glance policy file and then using "is_admin: True" in later policy definitions.

By the way, I suspect that the documentation is incorrect. I think the is_owner rule would have to be defined as

  "is_owner": "owner:%(owner)s"

BUT -- you DO NOT NEED an "is_owner" rule to restrict "modify_image" and "delete_image" -- they are restricted to the image owner or a Glance administrator *in the code*.

Changed in glance:
status: New → Invalid
Rajiv Mucheli (rajiv.mucheli) wrote :

Hi Brian,

Could you please share the code details (starting with the Ussuri release, policy is moved into code)? Would the below implementation not be required if the owner restrictions are in the code?

    "context_is_cloud_admin": "role:cloud_image_admin",
    "context_is_admin": "rule:context_is_cloud_admin",
    "is_owner": "project_id:%(is_owner)s",
    "member": "role:member and rule:is_owner",
    "admin": "role:image_admin and rule:is_owner",
    "viewer": "role:image_viewer and rule:is_owner",
    "context_is_image_admin": "rule:context_is_admin or rule:admin",
    "context_is_editor": "rule:context_is_image_admin or rule:member",
    "context_is_viewer": "rule:context_is_editor or rule:viewer",

I get HTTP 403 for get_image, get_images, download_image with the above policy rules; it works well if is_owner is removed.

Changed in glance:
status: Invalid → New
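
The following is an added example, not part of the bug report and not Glance or oslo.policy source code. It is a simplified model of how a generic "key:%(attr)s" policy check is evaluated, showing why a rule that names a credential key or a target attribute that does not exist denies every request. The credential and image dictionaries are constructed, and their key names are assumptions.

```python
# Simplified model of an oslo.policy-style generic check "kind:match".
# Added illustration only; not Glance or oslo.policy source code.

def generic_check(rule, creds, target):
    """Evaluate 'kind:match' the way a generic policy check does:
    the right side is %-formatted from the target (the image),
    the left side names a key in the caller's credentials."""
    kind, match = rule.split(":", 1)
    try:
        expected = match % target      # "%(owner)s" -> target["owner"]
    except KeyError:
        return False                   # target has no such attribute
    if kind not in creds:
        return False                   # credentials have no such key
    return expected == str(creds[kind])


# Constructed sample data; key names are assumptions, not a real dump.
CREDS = {"project_id": "p-1111", "user_id": "u-42", "roles": ["member"]}
OWN_IMAGE = {"owner": "p-1111", "project_id": "p-1111", "visibility": "private"}
OTHER_IMAGE = {"owner": "p-2222", "project_id": "p-2222", "visibility": "public"}

RULES = [
    "tenant:%(owner)s",         # credential key "tenant" absent in CREDS
    "project_id:%(owner)s",     # both sides resolve
    "project_id:%(is_owner)s",  # target attribute "is_owner" absent
]


def evaluate_all():
    """Return {rule: (result_on_own_image, result_on_other_image)}."""
    return {
        r: (generic_check(r, CREDS, OWN_IMAGE),
            generic_check(r, CREDS, OTHER_IMAGE))
        for r in RULES
    }


if __name__ == "__main__":
    for rule, (own, other) in evaluate_all().items():
        print(f"{rule:26} own={own!s:5} other={other}")
```

In this model a missing key on either side is indistinguishable from a denied request, which matches the symptom of every call failing once such a rule is referenced.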