← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1629396] [NEW] create images requires admin role ignoring policy.json

 

Public bug reported:

Setup a default OpenStack environment using keystone's sample_data.sh
This gives user "glance" the "_member_" role for project "service".
Couple this with a policy.json containing the following:

  {
    "context_is_admin":  "role:admin",
    "default": "",

    "add_image": "",
    "delete_image": "",
    .
    .
  }


If you attempt to create a new image as "glance" user it fails with following error:

   403 Forbidden: You are not authorized to complete this action. (HTTP
403)

Delving into the code you can see is_admin is enforced:

 api/authorization.py:new_image():

     if not self.context.is_admin:
         if owner is None or owner != self.context.owner:
             message = _("You are not permitted to create images "
                         "owned by '%s'.")
             raise exception.Forbidden(message % owner)


Thus indicating that the user creating images must have "admin" role for this project.

However this same user can successfully delete images, as delete uses
policy enforcement only and adheres to whatever is defined within
policy.json:

  api/policy.py:delete():

      def delete(self):
          self.policy.enforce(self.context, 'delete_image', self.target)
          return self.image.delete()


This seems inconsistent, image creation should probably use policy enforcement and not have a hard coded requirement for admin role.

** Affects: glance
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1629396

Title:
  create images requires admin role ignoring policy.json

Status in Glance:
  New

Bug description:
  Setup a default OpenStack environment using keystone's sample_data.sh
  This gives user "glance" the "_member_" role for project "service".
  Couple this with a policy.json containing the following:

    {
      "context_is_admin":  "role:admin",
      "default": "",

      "add_image": "",
      "delete_image": "",
      .
      .
    }

  
  If you attempt to create a new image as "glance" user it fails with following error:

     403 Forbidden: You are not authorized to complete this action.
  (HTTP 403)

  Delving into the code you can see is_admin is enforced:

   api/authorization.py:new_image():

       if not self.context.is_admin:
           if owner is None or owner != self.context.owner:
               message = _("You are not permitted to create images "
                           "owned by '%s'.")
               raise exception.Forbidden(message % owner)

  
  Thus indicating that the user creating images must have "admin" role for this project.

  However this same user can successfully delete images, as delete uses
  policy enforcement only and adheres to whatever is defined within
  policy.json:

    api/policy.py:delete():

        def delete(self):
            self.policy.enforce(self.context, 'delete_image', self.target)
            return self.image.delete()

  
  This seems inconsistent, image creation should probably use policy enforcement and not have a hard coded requirement for admin role.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1629396/+subscriptions


Follow ups