Public bug reported:
Setup a default OpenStack environment using keystone's sample_data.sh
This gives user "glance" the "_member_" role for project "service".
Couple this with a policy.json containing the following:
{
"context_is_admin": "role:admin",
"default": "",
"add_image": "",
"delete_image": "",
.
.
}
If you attempt to create a new image as "glance" user it fails with following
error:
403 Forbidden: You are not authorized to complete this action. (HTTP
403)
Delving into the code you can see is_admin is enforced:
api/authorization.py:new_image():
if not self.context.is_admin:
if owner is None or owner != self.context.owner:
message = _("You are not permitted to create images "
"owned by '%s'.")
raise exception.Forbidden(message % owner)
Thus indicating that the user creating images must have "admin" role for this
project.
However this same user can successfully delete images, as delete uses
policy enforcement only and adheres to whatever is defined within
policy.json:
api/policy.py:delete():
def delete(self):
self.policy.enforce(self.context, 'delete_image', self.target)
return self.image.delete()
This seems inconsistent, image creation should probably use policy enforcement
and not have a hard coded requirement for admin role.
** Affects: glance
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1629396
Title:
create images requires admin role ignoring policy.json
Status in Glance:
New
Bug description:
Setup a default OpenStack environment using keystone's sample_data.sh
This gives user "glance" the "_member_" role for project "service".
Couple this with a policy.json containing the following:
{
"context_is_admin": "role:admin",
"default": "",
"add_image": "",
"delete_image": "",
.
.
}
If you attempt to create a new image as "glance" user it fails with following
error:
403 Forbidden: You are not authorized to complete this action.
(HTTP 403)
Delving into the code you can see is_admin is enforced:
api/authorization.py:new_image():
if not self.context.is_admin:
if owner is None or owner != self.context.owner:
message = _("You are not permitted to create images "
"owned by '%s'.")
raise exception.Forbidden(message % owner)
Thus indicating that the user creating images must have "admin" role for this
project.
However this same user can successfully delete images, as delete uses
policy enforcement only and adheres to whatever is defined within
policy.json:
api/policy.py:delete():
def delete(self):
self.policy.enforce(self.context, 'delete_image', self.target)
return self.image.delete()
This seems inconsistent, image creation should probably use policy
enforcement and not have a hard coded requirement for admin role.
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1629396/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
