Related to bp glance-folsom-docs-cleanup Change-Id: I65cd8e9e34ce25cbf0b45900fc73df1ffb03c7ef
3.1 KiB
Policies
Glance's public API calls may be restricted to certain sets of users using a policy configuration file. This document explains exactly how policies are configured and what they apply to.
A policy is composed of a set of rules that are used by the policy "Brain" in determining if a particular action may be performed by the authorized tenant.
Constructing a Policy Configuration File
A policy configuration file is a simply JSON object that contain sets of rules. Each top-level key is the name of a rule. Each rule is a string that describes an action that may be performed in the Glance API.
The actions that may have a rule enforced on them are:
get_images
- List available image entitiesGET /v1/images
GET /v1/images/detail
GET /v2/images
get_image
- Retrieve a specific image entityHEAD /v1/images/<IMAGE_ID>
GET /v1/images/<IMAGE_ID>
GET /v2/images/<IMAGE_ID>
download_image
- Download binary image dataGET /v1/images/<IMAGE_ID>
GET /v2/images/<IMAGE_ID>/file
add_image
- Create an image entityPOST /v1/images
POST /v2/images
modify_image
- Update an image entityPUT /v1/images/<IMAGE_ID>
PUT /v2/images/<IMAGE_ID>
publicize_image
- Create or update images with attributePOST /v1/images
with attributeis_public
=true
PUT /v1/images/<IMAGE_ID>
with attributeis_public
=true
POST /v2/images
with attributevisibility
=public
PUT /v2/images/<IMAGE_ID>
with attributevisibility
=public
delete_image
- Delete an image entity and associated binary dataDELETE /v1/images/<IMAGE_ID>
DELETE /v2/images/<IMAGE_ID>
manage_image_cache
- Allowed to use the image cache management API
To limit an action to a particular role or roles, you list the roles like so :
{
"delete_image": ["role:admin", "role:superuser"]
}
The above would add a rule that only allowed users that had roles of either "admin" or "superuser" to delete an image.
Examples
Example 1. (The default policy configuration)
{ "default": [] }
Note that an empty JSON list means that all methods of the Glance API are callable by anyone.
Example 2. Disallow modification calls to non-admins
{ "default": [], "add_image": ["role:admin"], "modify_image": ["role:admin"], "delete_image": ["role:admin"] }