yahoo-eng-team team mailing list archive
Message #58009
[Bug 1629396] Re: create images requires admin role ignoring policy.json
Set to Invalid due to no response for a long time and being unable to reproduce.
Please restart if there is any update.
** Changed in: glance
Status: New => Invalid
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1629396
Title:
create images requires admin role ignoring policy.json
Status in Glance:
Invalid
Bug description:
Set up a default OpenStack environment using keystone's sample_data.sh.
This gives user "glance" the "_member_" role for project "service".
Couple this with a policy.json containing the following:
{
    "context_is_admin": "role:admin",
    "default": "",
    "add_image": "",
    "delete_image": "",
    .
    .
}
If you attempt to create a new image as the "glance" user it fails with the following error:
403 Forbidden: You are not authorized to complete this action.
(HTTP 403)
Delving into the code you can see that is_admin is enforced:
api/authorization.py:new_image():
    if not self.context.is_admin:
        if owner is None or owner != self.context.owner:
            message = _("You are not permitted to create images "
                        "owned by '%s'.")
            raise exception.Forbidden(message % owner)
Thus indicating that the user creating images must have the "admin" role for this project.
However this same user can successfully delete images, as delete uses
policy enforcement only and adheres to whatever is defined within
policy.json:
api/policy.py:delete():
    def delete(self):
        self.policy.enforce(self.context, 'delete_image', self.target)
        return self.image.delete()
This seems inconsistent; image creation should probably use policy enforcement and not have a hard-coded requirement for the admin role.
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1629396/+subscriptions
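As an added illustration (not Glance's own code), the following is a minimal model of the two authorization paths the report contrasts: a create path with a hard-coded ownership check, and a delete path that only consults the policy rules. The rule syntax is a deliberately tiny subset of what oslo.policy accepts, the `Context` class and scenario names are constructed for this example, and the policy dictionary reproduces the policy.json from the report with the elided keys omitted.

```python
# Added illustration, not Glance code: models the create/delete authorization
# paths from the bug report. Rule subset: "" allows everyone, "role:X" needs X.

def check_rule(rule, ctx):
    if rule == "":
        return True
    kind, _, value = rule.partition(":")
    if kind == "role":
        return value in ctx.roles
    raise ValueError("unsupported rule: %r" % rule)


class Context:
    """Constructed stand-in for a request context (owner = scoped project)."""
    def __init__(self, owner, roles, policy):
        self.owner = owner            # None models an unscoped token
        self.roles = set(roles)
        self.policy = policy
        # is_admin is derived from the "context_is_admin" rule, like Glance's.
        self.is_admin = check_rule(policy.get("context_is_admin", ""), self)


def enforce(ctx, action):
    """Policy-driven check: the only gate on the delete path."""
    rule = ctx.policy.get(action, ctx.policy.get("default", ""))
    if not check_rule(rule, ctx):
        raise PermissionError("policy denied %s" % action)


def new_image(ctx, owner):
    """Create path: ownership check that never consults add_image."""
    if not ctx.is_admin:
        if owner is None or owner != ctx.owner:
            raise PermissionError("not permitted to create images owned by %r" % owner)
    return {"owner": owner}


def delete_image(ctx, image):
    """Delete path: policy enforcement only, as in the report."""
    enforce(ctx, "delete_image")
    return True


def run_scenarios():
    policy = {"context_is_admin": "role:admin", "default": "",
              "add_image": "", "delete_image": ""}      # from the report
    member = Context("service", ["_member_"], policy)    # the "glance" user
    unscoped = Context(None, ["_member_"], policy)       # constructed edge case
    admin = Context("admin-project", ["admin"], policy)
    results = {}
    for name, ctx, owner in [("member_own_project", member, "service"),
                             ("member_other_project", member, "other"),
                             ("member_unscoped", unscoped, None),
                             ("admin_other_project", admin, "service")]:
        try:
            new_image(ctx, owner)
            results["create_" + name] = "allowed"
        except PermissionError:
            results["create_" + name] = "forbidden"
    for name, ctx in [("member", member), ("unscoped", unscoped)]:
        try:
            delete_image(ctx, {"owner": "service"})
            results["delete_" + name] = "allowed"
        except PermissionError:
            results["delete_" + name] = "forbidden"
    return results
```

With add_image and delete_image both set to "" in policy, every delete is allowed, while create is still refused whenever the owner is missing or differs from the caller's project and the caller lacks the admin role.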