[Openstack] Policy enforcement in Glance (Ocata Release)

Markus Hentsch markus.hentsch at cloudandheat.com
Tue May 30 13:44:53 UTC 2017


I've run into an issue regarding policies with Glance on the Ocata release.
Essentially, I'd like to restrict the actions of listing images and
viewing/editing their details to either members of the same project or
the global admin. Since all policies are empty strings by default, I
tried the following edit:

        "context_is_admin":  "role:admin",
        "default": "role:admin",
        "admin_or_owner":  "is_admin:True or project_id:%(project_id)s",

        "add_image": "",
        "delete_image": "",
        "get_image": "admin_or_owner",
        "get_images": "admin_or_owner",
        "modify_image": "admin_or_owner",
        "publicize_image": "role:admin",
        "communitize_image": "",

The result was that nobody (including the global admin!) could list
images anymore. An "openstack image list" command would always result in
a "403 Forbidden" error.
Retrieving a single image's info via a user from the same project
was also impossible. An "openstack image show <image_id>" would simply
output "403 Forbidden You are not authorized to complete get_images action".

From the policies as quoted above I would have expected the global admin
as well as any project member to be able to list and show images without

Editing 2 lines in the above policy definition:

        "get_images": "",
        "modify_image": "",

resulted in another weird behavior. With those adjustments, an
"openstack image list" or "openstack image show <image_id>" on the
command line executed as the global admin succeeded. On the dashboard
(Horizon) on the other hand, only listing them was possible. Trying to
display their details resulted in an error.

Digging through the logs and code, I stumbled on an image target object
that is inspected for the policy enforcement, see here:

Hacking the code to put some more debugging output into the logs, I
peeked into this "ImageTarget(image)" object, which also contains a
".target.context" attribute wrapped into it. Although this "context"
attribute does contain seemingly relevant user data, its contents _do
actually differ depending on the logged in user_.

My interpretation was that the context of the image target should be
static (representing the owner/project it actually belongs to) and that
this is in turn matched against the dynamic "self.context" dict
(representing currently logged in user) according to the policies
defined, something along the lines of:

    self.context (e.g. project_id)   ---[policy check against]--->  
    ImageTarget(image) (e.g. project_id)

However "ImageTarget(image)" seems to contain context that is not
actually related to the image but differs per logged in user.

Did I misinterpret the policy definitions and/or the code related to it?
How are policies like these actually supposed to be defined in Glance?

Kind regards,

Markus Hentsch
Cloud&Heat Technologies
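Added illustration (not part of the original post, and not Glance or oslo.policy code): a small Python model of how an oslo.policy check string is evaluated, with the request context's credentials on one side and an image target dict on the other, as described in the post. It assumes that rule references are written "rule:<name>", that the image target exposes the owning project as an "owner" field, and it uses constructed sample credentials.

```python
import ast

# Simplified model of oslo.policy's check-string evaluation (illustration
# only, not Glance or oslo.policy code). Rule references use "rule:<name>"
# and the owner check reads the image's "owner" field from the target.
RULES = {
    "context_is_admin": "role:admin",
    "admin_or_owner": "is_admin:True or project_id:%(owner)s",
    "get_image": "rule:admin_or_owner",
    "get_images": "rule:admin_or_owner",
    "add_image": "",
    "broken_get_image": "admin_or_owner",  # no "rule:" prefix: unparsable
}

def _check_atom(atom, target, creds):
    """Evaluate one 'kind:match' check against target/credential dicts."""
    if ":" not in atom:
        return False  # oslo.policy cannot parse this and fails closed
    kind, match = atom.split(":", 1)
    if kind == "rule":
        return enforce(match, target, creds)
    if kind == "role":
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    try:
        match = match % target  # e.g. %(owner)s -> the image's owner
    except KeyError:
        return False  # target lacks the field: no match
    try:
        want = ast.literal_eval(match)  # "True" -> True
    except (ValueError, SyntaxError):
        want = match
    return kind in creds and creds[kind] == want

def enforce(action, target, creds):
    """True if 'action' is allowed; 'and' binds tighter than 'or'."""
    expr = RULES.get(action, "!")  # unknown action: fail closed
    if expr == "":
        return True  # empty check string allows everyone
    return any(all(_check_atom(a.strip(), target, creds)
                   for a in term.split(" and "))
               for term in expr.split(" or "))

# Constructed sample data: an image owned by project p1, plus the
# credentials a request context would present for three different users.
IMAGE = {"id": "img-1", "owner": "p1"}
MEMBER_P1 = {"project_id": "p1", "roles": ["member"], "is_admin": False}
MEMBER_P2 = {"project_id": "p2", "roles": ["member"], "is_admin": False}
ADMIN = {"project_id": "p0", "roles": ["admin"], "is_admin": True}
```

The point to take from the model is that the target must carry the image's own attributes (here "owner") while the credentials come from the caller's context; a check that compares the caller's project_id against a target that only mirrors the caller's context can never distinguish owners from non-owners.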