Glance

Pass Targets to Glance's Policy Enforcer

Registered by Ian Cordasco on 2015-01-21

Currently it's possible to define custom rules in Glance's ``policy.json``
that rely on attributes other than a user's roles. Unfortunately, if you
attempt to apply one of those rules, it will always cause the user to be
prevented from performing the associated action. This specification proposes
that we pass the proper target objects to the enforcer so these rules can be
used and properly enforced.

Read the full specification

Blueprint information

Status:: Complete

Approver:: Nikhil Komawar

Priority:: Low

Drafter:: Ian Cordasco

Direction:: Approved

Assignee:: Ian Cordasco

Definition:: Approved

Series goal:: Accepted for kilo

Implementation:: Implemented

Milestone target:: 2015.1.0

Started by: Ian Cordasco on 2015-01-22

Completed by: Nikhil Komawar on 2015-03-19

Related branches

Related bugs

Bug #1253963: Can not define only image creator can delete the image	In Progress
Bug #1346648: glance APIs missing target for most policy checks	In Progress

Sprints

Whiteboard

[icordasc 2015-01-21]
Current specification review: https://review.openstack.org/149112

Initial implementation (pre-specification): https://review.openstack.org/#/c/146651/

Gerrit topic: https://review.openstack.org/#q,topic:bug/1346648,n,z

Addressed by: https://review.openstack.org/146651
Pass a real image target to the policy enforcer

(?)

Work Items

This blueprint contains Public information

Everyone can see this information.

Subscribers

Erno Kuvaja

Ian Cordasco

Zhi Yan Liu