Public bug reported:

Trying to restrict glance to only allow editing/deleting a tenant's own images.

According to the docs, this should work.

    "is_owner": "tenant:%(owner)s",
    "modify_image": "rule:is_owner",
    "delete_image": "rule:is_owner",

However, with this set, no user can then delete/modify images, as if the 'is_owner' rule never matches!

With the default policy, a normal user is able to edit/delete public images that they don't own. If the public image is set as 'protected' they can't delete it.

How are you meant to restrict actions to the owner of an image?

** Affects: glance
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1790446

Title:
  Glance policy and image owner

Status in Glance:
  New
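
An added example, not part of the bug report and not Glance or oslo.policy code: a simplified model of how a generic policy check such as `tenant:%(owner)s` is evaluated, with the right side interpolated from the target object and the left side looked up in the caller's credentials. The helper names `evaluate_generic` and `enforce` are hypothetical, and the credential and image dicts are constructed samples; it shows which inputs make the reported rules pass or fail, including a target that carries no `owner` attribute.

```python
import json

# Policy fragment from the report, wrapped in braces so it parses as JSON.
POLICY = json.loads("""{
    "is_owner": "tenant:%(owner)s",
    "modify_image": "rule:is_owner",
    "delete_image": "rule:is_owner"
}""")


def evaluate_generic(check, target, creds):
    """Evaluate a 'kind:match' check: interpolate the right side from the
    target, then compare it with the credential attribute named on the left."""
    kind, match = check.split(":", 1)
    try:
        expected = match % target      # %(owner)s is filled from the target
    except KeyError:
        return False                   # target has no such attribute
    if kind not in creds:
        return False                   # caller has no such credential
    return expected == str(creds[kind])


def enforce(action, target, creds, policy=POLICY, _depth=0):
    """Resolve 'rule:<name>' references, then evaluate the generic check."""
    if _depth > 10:
        raise ValueError("policy rule reference loop")
    check = policy[action]
    if check.startswith("rule:"):
        return enforce(check[len("rule:"):], target, creds, policy, _depth + 1)
    return evaluate_generic(check, target, creds)


# Constructed sample data: two callers and one image record.
alice = {"tenant": "project-a", "roles": ["member"]}
bob = {"tenant": "project-b", "roles": ["member"]}
image = {"id": "img-1", "owner": "project-a", "visibility": "public"}

if __name__ == "__main__":
    print(enforce("delete_image", image, alice))   # owner matches caller
    print(enforce("delete_image", image, bob))     # different tenant
    print(enforce("delete_image", {}, alice))      # target without 'owner'
    print(enforce("modify_image", image, {"project_id": "project-a"}))
```

When debugging a rule like this against a real deployment, the two things to inspect are the target dict handed to the enforcer and the credential keys present in the request context.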