Restrict normal user from downloading image explicitly and at the same time allow him/her to boot VM with image
- As a security policy, a normal user is blocked from explicitly downloading a Glance image by using the Glance download_image policy, as below:
- "download_image": "role:admin";
Only admin can download the image explicitly.
- Since the same user context is used on the Nova side to contact Glance to download the image when the user tries to boot a VM, the boot fails because of the ‘download_image’ policy and the user gets a 403 Forbidden from Glance.
Glance should be able to restrict a normal user from explicitly downloading a Glance image and at the same time allow the user to boot a VM with images.
Glance should try to differentiate between an internal service request (Nova) and a direct user request to download the image, and apply the ‘download_image’ policy based on that.
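The failure described above, and one way Glance could tell the two callers apart, as an added example that is not Glance, Nova or oslo.policy code: a toy evaluator for `role:` rules. The `service_role:` term, the `member` and `service` role names and the second credential set are assumptions made here, not part of the blueprint.

```python
"""Toy model of the download_image check; not Glance, Nova or oslo.policy code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RequestContext:
    """Credentials Glance sees on one request (constructed model)."""
    user_roles: frozenset
    # Assumption: roles from a separate service credential sent by the caller.
    service_roles: frozenset = frozenset()


def check(rule: str, ctx: RequestContext) -> bool:
    """Evaluate 'role:x' and hypothetical 'service_role:x' terms joined by ' or '."""
    for term in rule.split(" or "):
        kind, _, value = term.strip().partition(":")
        if kind == "role" and value in ctx.user_roles:
            return True
        if kind == "service_role" and value in ctx.service_roles:
            return True
    return False


def download_status(rule: str, ctx: RequestContext) -> int:
    """HTTP status Glance would return for an image download."""
    return 200 if check(rule, ctx) else 403


CURRENT_RULE = "role:admin"                           # rule from the blueprint
PROPOSED_RULE = "role:admin or service_role:service"  # hypothetical rule

# Constructed callers. Nova reuses the user's context today, so Glance sees
# exactly the same credentials for a direct download and for a VM boot.
user_direct = RequestContext(frozenset({"member"}))
user_via_nova = RequestContext(frozenset({"member"}))
user_via_nova_marked = RequestContext(frozenset({"member"}), frozenset({"service"}))
admin_direct = RequestContext(frozenset({"admin"}))


def scenarios() -> dict:
    return {
        "current: direct download": download_status(CURRENT_RULE, user_direct),
        "current: boot via Nova": download_status(CURRENT_RULE, user_via_nova),
        "current: admin download": download_status(CURRENT_RULE, admin_direct),
        "proposed: direct download": download_status(PROPOSED_RULE, user_direct),
        "proposed: boot via Nova": download_status(PROPOSED_RULE, user_via_nova_marked),
    }


if __name__ == "__main__":
    for name, status in scenarios().items():
        print(f"{name}: {status}")
```

With the current rule the direct download and the Nova-initiated download carry equal contexts, so no rule over user roles alone can allow one and deny the other.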
Blueprint information
- Status: Not started
- Approver: Erno Kuvaja
- Priority: Undefined
- Drafter: Dinesh Bhor
- Direction: Needs approval
- Assignee: Dinesh Bhor
- Definition: Pending Approval
- Series goal: None
- Implementation: Unknown
- Milestone target: None
- Started by
- Completed by