<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hello,<br>
<br>
I've run into an issue regarding policies with Glance on the Ocata
release.<br>
Essentially, I'd like to restrict the actions of listing images and
viewing/editing their details to either members of the same project
or the global admin. Since all policies are empty strings by
default, I tried the following edit:<br>
<br>
<blockquote>
<pre wrap="">{
"context_is_admin": "role:admin",
"default": "role:admin",
"admin_or_owner": "is_admin:True or project_id:%(project_id)s",
"add_image": "",
"delete_image": "",
"get_image": "admin_or_owner",
"get_images": "admin_or_owner",
"modify_image": "admin_or_owner",
"publicize_image": "role:admin",
"communitize_image": "",
...
</pre>
</blockquote>
The result was that nobody (including the global admin!) could list
images anymore. An "<tt>openstack image list</tt>" command would
always result in a "<tt>403 Forbidden</tt>" error.<br>
Also, retrieving a single image's info via a user from the same
project was impossible. An "<tt>openstack image show
&lt;image_id&gt;</tt>" would simply output "<tt>403 Forbidden You
are not authorized to complete get_images action</tt>".<br>
<br>
From the policies as quoted above I would have expected the global
admin as well as any project member to be able to list and show
images without problems.<br>
<br>
Editing 2 lines in the above policy definition:<br>
<blockquote>
<pre wrap=""> ...
"get_images": "",
"modify_image": "",
...
</pre>
</blockquote>
resulted in another weird behavior. With those adjustments, an "<tt>openstack
image list</tt>" or "<tt>openstack image show &lt;image_id&gt;</tt>"
on the command line executed as the global admin succeeded. On the
dashboard (Horizon) on the other hand, only listing them was
possible. Trying to display their details resulted in an error.<br>
<br>
<br>
<br>
Digging through the logs and code, I stumbled on an image target
object that is inspected for the policy enforcement, see here:
<a class="moz-txt-link-freetext" href="https://github.com/openstack/glance/blob/57c4d7d78f37e840660719b944ebabe91cbf231b/glance/api/policy.py#L109">https://github.com/openstack/glance/blob/57c4d7d78f37e840660719b944ebabe91cbf231b/glance/api/policy.py#L109</a><br>
<br>
Hacking the code to put some more debugging output into the logs, I
peeked into this "<tt>ImageTarget(image)</tt>" object, which also
contains a "<tt>.target.</tt><tt>context</tt>" attribute wrapped
into it. Although this "<tt>context</tt>" attribute does contain
seemingly relevant user data, its contents <u>do actually differ
depending on the logged in user</u>.<br>
<br>
My interpretation was that the context of the image target should be
static (representing the owner/project it actually belongs to) and
that this is in turn matched against the dynamic "<tt>self.context</tt>"
dict (representing currently logged in user) according to the
policies defined, something along the lines of:<br>
<blockquote><tt>self.context (e.g. project_id) ---[policy check
against]---> ImageTarget(image) (e.g. project_id)</tt><br>
</blockquote>
However, "<tt>ImageTarget(image)</tt>" seems to contain context that
is not actually related to the image but differs per logged-in user.<br>
<br>
<br>
Did I misinterpret the policy definitions and/or the code related to
it?<br>
How are policies like these actually supposed to be defined in
Glance?<br>
<br>
<br>
<br>
Kind regards,<br>
<br>
Markus Hentsch<br>
Cloud&amp;Heat Technologies<br>
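<br>
An added example, not part of the mail above and not code from Glance or
oslo.policy: a small Python emulation of the subset of oslo.policy's
check-string grammar that the posted policy.json uses (empty string,
<tt>role:</tt>, <tt>is_admin:</tt>, <tt>rule:</tt>,
<tt>project_id:%(project_id)s</tt>, <tt>and</tt>, <tt>or</tt>), run over a
constructed image target and constructed credentials for an admin, a member
of the owning project and a member of another project. It shows how a bare
rule name in a policy value is parsed differently from a <tt>rule:</tt>
reference, and how the requesting user's context (the credentials) and the
image (the target) each enter a check such as
<tt>project_id:%(project_id)s</tt>. Every name, dict and value in it is
constructed; that the target carries the owning project under
<tt>project_id</tt> is an assumption of the example, not something the mail
states.<br>

```python
# Added example; not code from the mail, from Glance or from oslo.policy.
# Emulates the subset of oslo.policy's check-string grammar used in the
# posted policy.json. Parenthesised expressions and "not" are not handled.

class TrueCheck:
    def __call__(self, target, creds, rules):
        return True


class FalseCheck:
    def __call__(self, target, creds, rules):
        return False


class RoleCheck:
    # "role:<name>" -- the requesting user must carry that role
    def __init__(self, role):
        self.role = role

    def __call__(self, target, creds, rules):
        return self.role in creds.get("roles", [])


class RuleCheck:
    # "rule:<name>" -- evaluate another named rule; an unknown name denies
    def __init__(self, name):
        self.name = name

    def __call__(self, target, creds, rules):
        rule = rules.get(self.name)
        return rule is not None and rule(target, creds, rules)


class GenericCheck:
    # "<attr>:<value>" -- <value> may contain %(key)s substitutions filled
    # from the target; the result is compared with str(creds[<attr>]).
    def __init__(self, attr, match):
        self.attr, self.match = attr, match

    def __call__(self, target, creds, rules):
        try:
            expected = self.match % target
        except KeyError:
            return False  # target lacks the substituted key: deny
        if self.attr not in creds:
            return False
        return str(creds[self.attr]) == expected


class CombinedCheck:
    def __init__(self, checks, all_of):
        self.checks, self.all_of = checks, all_of

    def __call__(self, target, creds, rules):
        fn = all if self.all_of else any
        return fn(c(target, creds, rules) for c in self.checks)


def parse_check(text):
    """One atom of a check string. A bare word such as "admin_or_owner" has
    no "kind:match" form; oslo.policy logs "Failed to understand rule" for
    it and substitutes a FalseCheck, which denies every caller."""
    if text == "@":
        return TrueCheck()
    if text == "!" or ":" not in text:
        return FalseCheck()
    kind, match = text.split(":", 1)
    if kind == "rule":
        return RuleCheck(match)
    if kind == "role":
        return RoleCheck(match)
    return GenericCheck(kind, match)


def parse_rule(text):
    if text.strip() == "":
        return TrueCheck()  # empty string: always allowed
    ors = []
    for disjunct in text.split(" or "):
        ands = [parse_check(a.strip()) for a in disjunct.split(" and ")]
        ors.append(ands[0] if len(ands) == 1 else CombinedCheck(ands, True))
    return ors[0] if len(ors) == 1 else CombinedCheck(ors, False)


def load_policy(policy):
    return {name: parse_rule(text) for name, text in policy.items()}


def enforce(rules, action, target, creds):
    rule = rules.get(action) or rules.get("default")
    return bool(rule and rule(target, creds, rules))


# The mail's fragment as posted: rule names referenced as bare words.
MAIL_POLICY = {
    "context_is_admin": "role:admin",
    "default": "role:admin",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "get_image": "admin_or_owner",
    "get_images": "admin_or_owner",
    "modify_image": "admin_or_owner",
}
# Same policy with the references written in the "rule:<name>" form.
REFERENCED_POLICY = dict(MAIL_POLICY, get_image="rule:admin_or_owner",
                         get_images="rule:admin_or_owner",
                         modify_image="rule:admin_or_owner")

# Constructed credentials (the requesting user's context) and a constructed
# target standing in for the image. Assumption: the target exposes the
# owning project as "project_id", which %(project_id)s substitutes.
ADMIN = {"roles": ["admin"], "is_admin": True, "project_id": "admin-proj"}
P1_USER = {"roles": ["member"], "is_admin": False, "project_id": "p1"}
P2_USER = {"roles": ["member"], "is_admin": False, "project_id": "p2"}
IMAGE_OWNED_BY_P1 = {"project_id": "p1", "visibility": "private"}


def outcomes(policy, action):
    """Who may perform `action` on the p1-owned image under `policy`."""
    rules = load_policy(policy)
    callers = (("admin", ADMIN), ("p1", P1_USER), ("p2", P2_USER))
    return {who: enforce(rules, action, IMAGE_OWNED_BY_P1, c) for who, c in callers}


if __name__ == "__main__":
    print("as posted  :", outcomes(MAIL_POLICY, "get_image"))
    print("with rule: :", outcomes(REFERENCED_POLICY, "get_image"))
```

With the bare-word form every caller is denied, admin included; with the
<tt>rule:</tt> form the admin and the owning project's member are allowed
and the other project's member is denied. The check compares the caller's
<tt>project_id</tt> against the value substituted from the target, so what
the target dict holds decides whether "owner" means the image's project or
something else.<br>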
</body>
</html>