[openstack-dev] Glance Image Protection Policy

Adam Young ayoung at redhat.com
Thu Jul 2 16:21:50 UTC 2015

On 07/02/2015 03:10 AM, masoom alam wrote:
> Hi everyone,
> The glance policy.json allows specific users/roles to download an 
> image. If we apply a policy on a specific role, only that role can 
> download and/or boot an image.
> What if we want to restrict downloading an image, but at the same time 
> allowing the user to boot it via nova boot. The catch is that we will 
> have to restrict the user from taking the snapshot right? Can glance 
> differentiate between user downloading an image and nova doing the 
> same on the behalf of a user.
No, as it is done with a token.  The token is passed to nova, and nova 
passes it to glance to perform the action.

If snapshot is a different API call than download, then you apply a 
different role for each, and make sure that tokens passed to Nova do not 
have the "snapshot" role in it.

It is issues like this that are making me try to drive the Dynamic 
Policy effort in Keystone.

My initial write up is here:


And the wiki is here:


I'd love to have your input on the process.

> OR how to solve the puzzle, please guide.
> Thanks
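Adam's suggestion of one role per Glance API action, worked through as an added example that is not part of this thread and not Glance, Nova or Keystone code: a small evaluator for policy.json-style rules (the subset of oslo.policy syntax Glance used: "", "role:X", "rule:X", "not", "and", "or"). The rule names get_image, download_image, add_image and upload_image are the ones Glance's policy.json carried at the time; the roles image_downloader and snapshotter, the rule bodies, and the token role lists are constructed assumptions for the example. What it makes concrete is the point of the reply: the only input the policy check has is the set of roles in the token, so a request Nova makes with a user's token is decided exactly as if the user had made it, and the only lever is which roles that token carries.

```python
"""Evaluate Glance-style policy.json rules against the roles in a token.

Added example (not Glance/Keystone code). Supports the oslo.policy subset
"", "!", "@", "role:X", "rule:X", "not", "and", "or" without parentheses.
"""
import json
import re

# Constructed policy fragment. Rule names follow Glance's policy.json of the
# period; the roles image_downloader and snapshotter are hypothetical.
POLICY_JSON = """
{
    "context_is_admin": "role:admin",
    "default": "",
    "get_image": "",
    "download_image": "role:image_downloader or rule:context_is_admin",
    "add_image": "role:snapshotter or rule:context_is_admin",
    "upload_image": "rule:add_image"
}
"""

# Actions the thread is concerned with, in the order reported by actions_allowed().
ACTIONS = ("get_image", "download_image", "add_image", "upload_image")


def parse_policy(text):
    """policy.json is plain JSON: rule name -> rule expression."""
    return json.loads(text)


def _check_atom(atom, roles, rules, depth):
    """Evaluate one check: "", "!", "@", "role:X" or "rule:X"."""
    if atom == "" or atom == "@":      # always allow
        return True
    if atom == "!":                    # never allow
        return False
    kind, _, value = atom.partition(":")
    if kind == "role":
        # Role matching is case-insensitive, as in oslo.policy.
        return value.lower() in {r.lower() for r in roles}
    if kind == "rule":
        return check(value, roles, rules, depth + 1)
    raise ValueError("unsupported check: %r" % atom)


def check(rule_name, roles, rules, depth=0):
    """True if the token's roles satisfy `rule_name`.

    Note what is NOT an input here: who is calling. Glance cannot tell a
    user's own request from one Nova makes with that user's token.
    """
    if depth > 10:
        raise RecursionError("rule recursion too deep: %s" % rule_name)
    expr = rules.get(rule_name, rules.get("default", "!")).strip()
    if expr == "":
        return True
    # Precedence as in oslo.policy: "not" binds tightest, then "and", then "or".
    for disjunct in re.split(r"\s+or\s+", expr):
        conjunct_ok = True
        for term in re.split(r"\s+and\s+", disjunct):
            term = term.strip()
            negate = term.startswith("not ")
            if negate:
                term = term[4:].strip()
            ok = _check_atom(term, roles, rules, depth)
            if negate:
                ok = not ok
            if not ok:
                conjunct_ok = False
                break
        if conjunct_ok:
            return True
    return False


def actions_allowed(token_roles, policy_text=POLICY_JSON):
    """Map each action of interest to the decision for a token with these roles."""
    rules = parse_policy(policy_text)
    return {name: check(name, token_roles, rules) for name in ACTIONS}


if __name__ == "__main__":
    # A token with the download role but without the snapshot role: Glance
    # allows download_image (whether the user or Nova presents the token) and
    # denies add_image/upload_image, which is the split the reply describes.
    for roles in (["member"], ["member", "image_downloader"],
                  ["member", "image_downloader", "snapshotter"], ["admin"]):
        print(roles, actions_allowed(roles))
```

The rule for add_image/upload_image is what a Nova-initiated snapshot would hit when it registers and uploads the new image with the user's token, so withholding the snapshot role from the token is the only way to deny it; the evaluator has no field in which "this came from Nova" could be expressed.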
