yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1790446] Re: Glance policy and image owner

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Brian Rosmaita <rosmaita.fossdev@xxxxxxxxx>
Date: Mon, 18 Mar 2019 14:36:44 -0000
Reply-to: Bug 1790446 <1790446@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

> With the default policy, a normal user is able to edit/delete public
images that they dont own.

This is very unlikely.  Are you sure you are using the default policy
file?

> If the public image is set as 'protected' they cant delete it.

This is true for any image independently of its visibility.

> How are you meant to restrict actions to the owner of an image?

You don't have to do anything!  The way Glance operates is that a non-
admin user cannot access images which are in a project different from
that user's project.  The only way a non-admin user can access images in
another project is to have a keystone administrator make that user a
member of that other project.

So for example, in the default policy file we have:

  "delete_image": ""

That means that ANY user can make a delete-image call ... but this does
NOT mean that ANY user can delete ANY image.  You can still only delete
those images that are owned by a project that you are a member of.

An administrator can access all the images in Glance.  The way you make
someone an administrator is to give them the role or roles that are
recognized by the "context_is_admin" policy target in the Glance policy
file and then using "is_admin: True" in later policy definitions.

By the way, I suspect that the documentation is incorrect.  I think the
is_owner rule would have to be defined as

  "is_owner": "owner:%(owner)s"

BUT -- you DO NOT NEED an "is_owner" rule to restrict "modify_image" and
"delete_image" -- they are restricted to the image owner or a Glance
administrator *in the code*.


** Changed in: glance
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1790446

Title:
  Glance policy and image owner

Status in Glance:
  Invalid

Bug description:
  Trying to restrict glance to only allow editing/deleting a tenants own
  images.

  According the the docs, this should work.

      "is_owner": "tenant:%(owner)s",
      "modify_image": "rule:is_owner",
      "delete_image": "rule:is_owner",

  However, with this set, no user can then delete/modify images, as if
  the 'is_owner' rules never matches!

  With the default policy, a normal user is able to edit/delete public
  images that they dont own.  If the public image is set as 'protected'
  they cant delete it.

  How are you meant to restrict actions to the owner of an image?

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1790446/+subscriptions

References

[Bug 1790446] [NEW] Glance policy and image owner
From: Ben O'Hara, 2018-09-03