yahoo-eng-team team mailing list archive

[Bug 1790446] Re: Glance policy and image owner


Hi Brian,

Could you please share the code details (starting with the Ussuri release,
policy is moved into code)? Would the implementation below not be required
if the owner restrictions are in the code?

    "context_is_cloud_admin": "role:cloud_image_admin",
    "context_is_admin": "rule:context_is_cloud_admin",
    "is_owner": "project_id:%(is_owner)s",
    "member": "role:member and rule:is_owner",
    "admin": "role:image_admin and rule:is_owner",
    "viewer": "role:image_viewer and rule:is_owner",
    "context_is_image_admin": "rule:context_is_admin or rule:admin",
    "context_is_editor": "rule:context_is_image_admin or rule:member",
    "context_is_viewer": "rule:context_is_editor or rule:viewer",

I get HTTP 403 for get_image, get_images, download_image with the above
policy rules; it works well if is_owner is removed.

** Changed in: glance
       Status: Invalid => New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1790446

Title:
  Glance policy and image owner

Status in Glance:
  New

Bug description:
  Trying to restrict glance to only allow editing/deleting a tenant's own
  images.

  According to the docs, this should work.

      "is_owner": "tenant:%(owner)s",
      "modify_image": "rule:is_owner",
      "delete_image": "rule:is_owner",

  However, with this set, no user can then delete/modify images, as if
  the 'is_owner' rule never matches!

  With the default policy, a normal user is able to edit/delete public
  images that they don't own.  If the public image is set as 'protected'
  they can't delete it.

  How are you meant to restrict actions to the owner of an image?

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1790446/+subscriptions
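To see why the `is_owner` rules quoted in this thread behave as they do, here is an added example; it is not Glance or oslo.policy code and was not posted by anyone in the thread. It is a small evaluator for the subset of the oslo.policy rule syntax used above (`role:`, `rule:`, `<cred_key>:%(target_key)s`, `and`, `or`), written to follow what oslo.policy's `GenericCheck` does as I understand it: substitute `%(key)s` from the target (the image dict), then compare with the credential attribute named before the colon, treating a key missing on either side as a failed check. That reading of oslo.policy is an assumption, as are the `get_image` wiring, the credentials and the image, which are constructed sample data. Run against the reply's rules it shows that `%(is_owner)s` can never match because no image carries an `is_owner` key, whereas substituting the image's `owner` key (the key the bug description's own rule substitutes) restricts access to the owning project while still letting a cloud admin through.

```python
"""Toy evaluator for the subset of oslo.policy rule syntax seen in this
thread.  Added illustration only; it is not Glance or oslo.policy code."""

import re

# A token is '(' or ')' or a run of non-space characters in which a
# '%(key)s' substitution is kept whole.
_TOKEN_RE = re.compile(r"\(|\)|(?:%\([^)]*\)s|[^\s()])+")


def _generic_check(kind, match, target, creds):
    """'<cred_key>:%(target_key)s' check.  Assumption: this mirrors
    oslo.policy's GenericCheck, which substitutes the target into the
    match string and compares with the credential attribute; a key
    missing on either side makes the check False rather than an error."""
    try:
        wanted = match % target          # e.g. "%(owner)s" -> image owner
    except KeyError:
        return False                     # target has no such key
    if kind not in creds:
        return False                     # credentials have no such attribute
    return str(creds[kind]) == wanted


def evaluate(expr, target, creds, rules):
    """Evaluate one rule string against a target dict and a creds dict."""
    tokens = _TOKEN_RE.findall(expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def or_expr():
        result = and_expr()
        while peek() == "or":
            take()
            rhs = and_expr()
            result = result or rhs
        return result

    def and_expr():
        result = unary()
        while peek() == "and":
            take()
            rhs = unary()
            result = result and rhs
        return result

    def unary():
        tok = take()
        if tok == "not":
            return not unary()
        if tok == "(":
            result = or_expr()
            take()                       # consume ')'
            return result
        if tok == "@":                   # always allow
            return True
        if tok == "!":                   # always deny
            return False
        kind, _, match = tok.partition(":")
        if kind == "rule":               # reference to another named rule
            return evaluate(rules.get(match, "!"), target, creds, rules)
        if kind == "role":               # case-insensitive role membership
            return match.lower() in [r.lower() for r in creds.get("roles", [])]
        return _generic_check(kind, match, target, creds)

    return or_expr()


def check(action, rules, target, creds):
    """True if `action` is permitted for `creds` on `target`."""
    return evaluate(rules.get(action, "!"), target, creds, rules)


# Rules quoted in the reply, plus a constructed 'get_image' action wired
# to context_is_viewer (that wiring is an assumption for the demo).
REPLY_RULES = {
    "context_is_cloud_admin": "role:cloud_image_admin",
    "context_is_admin": "rule:context_is_cloud_admin",
    "is_owner": "project_id:%(is_owner)s",
    "member": "role:member and rule:is_owner",
    "admin": "role:image_admin and rule:is_owner",
    "viewer": "role:image_viewer and rule:is_owner",
    "context_is_image_admin": "rule:context_is_admin or rule:admin",
    "context_is_editor": "rule:context_is_image_admin or rule:member",
    "context_is_viewer": "rule:context_is_editor or rule:viewer",
    "get_image": "rule:context_is_viewer",
}

# Same rules, but is_owner substitutes the image's 'owner' key, the key
# the bug description's own rule also substitutes.
OWNER_RULES = dict(REPLY_RULES, is_owner="project_id:%(owner)s")

# Constructed sample data (not from any real deployment).
IMAGE = {"owner": "proj-a", "visibility": "private"}
ALICE = {"project_id": "proj-a", "roles": ["member", "image_viewer"]}
BOB = {"project_id": "proj-b", "roles": ["member", "image_viewer"]}
CLOUD_ADMIN = {"project_id": "proj-x", "roles": ["cloud_image_admin"]}


def demo():
    """Outcomes for each rule set / caller combination."""
    return {
        "reply_rules_owner": check("get_image", REPLY_RULES, IMAGE, ALICE),
        "owner_rules_owner": check("get_image", OWNER_RULES, IMAGE, ALICE),
        "owner_rules_other": check("get_image", OWNER_RULES, IMAGE, BOB),
        "owner_rules_admin": check("get_image", OWNER_RULES, IMAGE, CLOUD_ADMIN),
        # 'tenant:' only matches when the creds actually carry a 'tenant' key
        "tenant_key_missing": evaluate("tenant:%(owner)s", IMAGE, ALICE, {}),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The `tenant_key_missing` case is the same mechanism seen from the credential side: whether the enforcer receives the caller's project as `project_id`, `tenant`, or both depends on the Glance release and its context-to-policy mapping, which this toy evaluator does not decide; it only shows that a rule naming an attribute the credentials do not carry is always denied.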
