Glance has a separate policy rule (publicize_image) for creating/updating public images., and you should define that policy rule instead of modify_image. https://docs.openstack.org/glance/xena/admin/policies.html ~~~ publicize_image - Create or update public images ~~~ AFAIK The modify_image policy defaults to rule:default and is allowed for any users as long as the target image is owned by that user. On Tue, Jun 14, 2022 at 2:01 PM Adivya Singh <adivya1.singh@gmail.com> wrote:
Hi Brian,
Please find the response
1> i am using Xena release version 24.0.1
Now the scenario is line below, my customer wants to have their login access on setting up the properties of an image to the public. now what i did is
1> i created a role in openstack using the admin credential name as "user" 2> i assigned that user to a role user. 3> i assigned those user to those project id, which they want to access as a user role
Then i went to Glance container which is controller by lxc and made a policy.yaml file as below
root@aio1-glance-container-724aa778:/etc/glance# cat policy.yaml
"modify_image": "role:user"
then i went to utility container and try to set the properties of a image using openstack command
openstack image set --public <image id>
and then i got this error
HTTP 403 Forbidden: You are not authorized to complete publicize_image action.
Even when i am trying the upload image with this user , i get the above error only
export OS_ENDPOINT_TYPE=internalURL export OS_INTERFACE=internalURL export OS_USERNAME=adsingh export OS_PASSWORD='adsingh' export OS_PROJECT_NAME=adsingh export OS_TENANT_NAME=adsingh export OS_AUTH_TYPE=password export OS_AUTH_URL=https://<Internal IP of horizon>:5000/v3 export OS_NO_CACHE=1 export OS_USER_DOMAIN_NAME=Default export OS_PROJECT_DOMAIN_NAME=Default export OS_REGION_NAME=RegionOne
Regards Adivya Singh
On Mon, Jun 13, 2022 at 6:41 PM Alan Bishop <abishop@redhat.com> wrote:
On Mon, Jun 13, 2022 at 6:00 AM Brian Rosmaita < rosmaita.fossdev@gmail.com> wrote:
On 6/13/22 8:29 AM, Adivya Singh wrote:
hi Team,
Any thoughts on this
H Adivya,
Please supply some more information, for example:
- which openstack release you are using - the full API request you are making to modify the image - the full API response you receive - whether the user with "role:user" is in the same project that owns the image - debug level log extract for this call if you have it - anything else that could be relevant, for example, have you modified any other policies, and if so, what values are you using now?
Also bear in mind that the default policy_file name is "policy.yaml" (not .json). You either need to provide a policy.yaml file, or override the policy_file setting if you really want to use policy.json.
Alan
cheers,
brian
Regards Adivya Singh
On Sat, Jun 11, 2022 at 12:40 AM Adivya Singh <
adivya1.singh@gmail.com
<mailto:adivya1.singh@gmail.com>> wrote:
Hi Team,
I have a use case where I have to give a user restriction on updating the image properties as a member.
I have created a policy Json file and give the modify_image rule to the particular role, but still it is not working
"modify_image": "role:user", This role is created in OpenStack.
but still it is failing while updating properties with a particular user assigned to a role as "access denied" and unauthorized access
Regards Adivya Singh