Public bug reported:
Trying to restrict glance to only allow editing/deleting a tenants own
images.
According the the docs, this should work.
"is_owner": "tenant:%(owner)s",
"modify_image": "rule:is_owner",
"delete_image": "rule:is_owner",
However, with this set, no user can then delete/modify images, as if the
'is_owner' rules never matches!
With the default policy, a normal user is able to edit/delete public
images that they dont own. If the public image is set as 'protected'
they cant delete it.
How are you meant to restrict actions to the owner of an image?
** Affects: glance
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1790446
Title:
Glance policy and image owner
Status in Glance:
New
Bug description:
Trying to restrict glance to only allow editing/deleting a tenants own
images.
According the the docs, this should work.
"is_owner": "tenant:%(owner)s",
"modify_image": "rule:is_owner",
"delete_image": "rule:is_owner",
However, with this set, no user can then delete/modify images, as if
the 'is_owner' rules never matches!
With the default policy, a normal user is able to edit/delete public
images that they dont own. If the public image is set as 'protected'
they cant delete it.
How are you meant to restrict actions to the owner of an image?
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1790446/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
