Public bug reported:

Set up a default OpenStack environment using keystone's sample_data.sh. This gives user "glance" the "_member_" role for project "service". Couple this with a policy.json containing the following:

    {
      "context_is_admin": "role:admin",
      "default": "",
      "add_image": "",
      "delete_image": "",
      ...
    }

If you attempt to create a new image as the "glance" user it fails with the following error:

    403 Forbidden: You are not authorized to complete this action. (HTTP 403)

Delving into the code you can see is_admin is enforced in api/authorization.py, new_image():

    if not self.context.is_admin:
        if owner is None or owner != self.context.owner:
            message = _("You are not permitted to create images "
                        "owned by '%s'.")
            raise exception.Forbidden(message % owner)

Thus indicating that the user creating images must have the "admin" role for this project. However, this same user can successfully delete images, as delete uses policy enforcement only and adheres to whatever is defined within policy.json (api/policy.py, delete()):

    def delete(self):
        self.policy.enforce(self.context, 'delete_image', self.target)
        return self.image.delete()

This seems inconsistent; image creation should probably use policy enforcement and not have a hard-coded requirement for the admin role.

** Affects: glance
   Importance: Undecided
   Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1629396

Title:
  create images requires admin role ignoring policy.json

Status in Glance:
  New
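The inconsistency in the report, modelled as an added example (this is not Glance's code): a tiny evaluator for the two rule forms that appear in the reported policy.json ("" allows everyone, "role:admin" requires the admin role), the hard-coded is_admin path beside the policy-only delete path, and a policy-driven create path for comparison. The helper and function names are hypothetical.

```python
# Added example, not Glance code. Rules mirror the policy.json in the report:
# "" means anyone may act, "role:<name>" requires that role in the context.

class Forbidden(Exception):
    pass

def check_rule(rule, ctx):
    """Evaluate the minimal rule language used in the report's policy.json."""
    if rule == "":
        return True                      # empty rule: everyone is allowed
    kind, _, value = rule.partition(":")
    if kind == "role":
        return value in ctx.roles
    raise ValueError("unsupported rule: %r" % rule)

class Context:
    def __init__(self, owner, roles, policy):
        self.owner = owner
        self.roles = set(roles)
        # context_is_admin is itself a policy rule ("role:admin" in the report)
        self.is_admin = check_rule(policy["context_is_admin"], self)

def enforce(policy, ctx, action):
    """Policy enforcement: look up the action, fall back to "default"."""
    rule = policy.get(action, policy.get("default", ""))
    if not check_rule(rule, ctx):
        raise Forbidden(action)

def new_image_hardcoded(ctx, owner):
    """Mirrors api/authorization.py new_image(): admin role required, policy ignored."""
    if not ctx.is_admin:
        if owner is None or owner != ctx.owner:
            raise Forbidden("You are not permitted to create images owned by %r" % owner)
    return {"owner": owner}

def delete_image(policy, ctx):
    """Mirrors api/policy.py delete(): only the policy decides."""
    enforce(policy, ctx, "delete_image")
    return True

def new_image_policy(policy, ctx, owner=None):
    """Consistent variant: enforce add_image; non-admins may only own their own images.
    Assumption: a missing owner defaults to the caller's project."""
    enforce(policy, ctx, "add_image")
    owner = ctx.owner if owner is None else owner
    if not ctx.is_admin and owner != ctx.owner:
        raise Forbidden("cannot create image owned by %r" % owner)
    return {"owner": owner}

# Constructed policy matching the one quoted in the report.
POLICY = {"context_is_admin": "role:admin", "default": "",
          "add_image": "", "delete_image": ""}
```

With this policy a "_member_" context can delete through delete_image() but is refused by new_image_hardcoded(), while new_image_policy() honours whatever add_image says.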