yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1481883] Re: Glance not honoring context_is_admin in policy.json

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Ian Cordasco <icordasc+launchpad@xxxxxxxxxx>
Date: Thu, 06 Aug 2015 03:04:15 -0000
Reply-to: Bug 1481883 <1481883@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

The intended usage is to do

    "get_images": "rule:context_is_admin",

Please read the documentation provided by glance and oslo.policy for
this.

** Changed in: glance
       Status: New => Invalid

** Changed in: glance
     Assignee: David J Hu (david-j-hu) => (unassigned)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1481883

Title:
  Glance not honoring context_is_admin in policy.json

Status in Glance:
  Invalid

Bug description:
  glance/etc/policy.json has the following definition

  1 {
  2     "context_is_admin":  "role:admin",

  {omitted}

  However, to demonstrate the problem, if I change the following

  {omitted}

  8     "get_images": "",

  to

  8     "get_images": "is_admin:True",

  {omitted}

  Running "glance image-list" as an admin returns the following error, which tells me that context_is_admin isn't working.
  403 Forbidden: Access was denied to this resource. (HTTP 403)

  Further code analysis revealed that the the glance policy Enforcer has
  a check_is_check(...) method defined, but the logic behind Enforcer
  check(...) method is not taking advantage of it.

  Fix proposal to follow.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1481883/+subscriptions

References

[Bug 1481883] [NEW] Glance not honoring context_is_admin in policy.json
From: David J Hu, 2015-08-05