diff --git a/specs/juno/restrict-downloading-images.rst b/specs/juno/restrict-downloading-images.rst new file mode 100644 index 00000000..5dab66d0 --- /dev/null +++ b/specs/juno/restrict-downloading-images.rst 
@@ -0,0 +1,217 @@ +================================================================ +Restrict users from downloading image based on custom properties +================================================================ + +https://blueprints.launchpad.net/glance/+spec/restrict-downloading-images-protected-properties + +The goal of this blueprint is to restrict normal users from downloading +the images on the basis of core or custom properties by using +download_image policy. + + +Problem description +=================== + +Presently images shared publicly with the users can download these images +freely which could lead to piracy. Today, you can stop users from downloading +images by configuring download_image policy with role constraint, but it will +restrict all users having that particular role from downloading all of the +images, this is not good. So what I want is to restrict users from downloading +images on the basis of specific core or custom property is present in the +image and users having certain specific roles. + + +Proposed change +=============== + +We can achieve this by adding new rule in policy.json and apply that rule to +'download_image' policy. + +For example: +Add new rule in policy.json mentioned as below + +'restricted': 'not (ntt_3251:%(x_billing_code_ntt)s and role:member)' +'download_image': 'role:admin or rule:restricted' + +So if 'download_image' policy is enforced then in above case only admin or +user who satisfies rule 'restricted' will able to download image. Other users +will not be able to download the image and will get 403 Forbidden response. + +To avoid implementation of dict inspection via dot syntax and enforce the +policy on v1 and v2 api's in the same way, we can create a dictionary-like +mashup of the image core and custom properties, in both v1 +and v2 api and pass it directly as target to _enforce() method. 
In case if +core and custom property is same for the image, then the core property value +will be overwritten on the custom property. + +For example: +self._enforce(req, 'download_image', target=image_meta_mashup) + + +Alternatives +------------ + +Instead of passing dictionary-like mashup of the image core and custom +properties directly to target, we can pass image itself and can implement +dict inspection via dot syntax. In this case the new rule in policy.json +need to configured as follows, + +'restricted': 'not (ntt_3251:%(target.x_billing_code_ntt)s and role:member)' +'download_image': 'role:admin or rule:restricted' + +Data model impact +----------------- + +None + +REST API impact +--------------- + +* GET:/v2/images/{image_id}/file + + * Description: Downloads binary image data. + * Method: GET + * Normal response code(s): 200, 204 + + * Expected error http response code(s): 403 + * When image having protected properties downloaded by user + who doesn't satisfy 'download_image' policy + + * URL for the resource: /v2/images/{image_id}/file + * Parameters which can be passed via the url + {image_id}, String, The ID for the image. + +* GET:/v1/images/{image_id} + + * Description: Returns the image details as headers and the image binary + in the body of the response. + * Method: GET + * Normal response code(s): 200 + * Expected error http response code(s): 403 + + * When image having protected properties downloaded by user + who doesn't satisfy 'download_image' policy + + * URL for the resource: /v1/images/{image_id} + * Parameters which can be passed via the url + {image_id}, String, The ID for the image. + +Security impact +--------------- + +None + +Notifications impact +-------------------- + +None + +Other end user impact +--------------------- + +None + +Performance Impact +------------------ + +None + +Other deployer impact +--------------------- + +Need to add new rule in policy.json for restricting downloading of image. 
+ +"restricted": "not (ntt_3251:%(x_billing_code_ntt)s and role:member)" +"download_image": "role:admin or rule:restricted" + +Where ntt_3251 will be the value of property 'x_billing_code_ntt'. + +In our case it is necessary to ensure that normal users should not be able +to delete the property ('x_billing_code_ntt') added to the image. +If normal user is able to delete the property of the image then +he can easily download the image as the rule 'restricted' will not work +in this case. + +So we need to restrict normal users from deleting the property +using property protections. + +Need to modify following options in glance-api.conf file to enable +property-protections: + +property_protection_file = property-protections-roles.conf +property_protection_rule_format = roles + +Changes in property-protections-roles.conf + +[^x_billing_code_.*] +create = admin,member +read = admin,member,_member_ +update = admin,member +delete = admin,member + +Need to ensure that to use this download restrictions feature, +show_image_direct_url and show_multiple_locations parameter is not set +to True in glance-api.conf file. +If these options are True then, using this download restriction is +potentially an inconsistent policy as user might be able to download the +image using image location(direct url). + +In order to deploy the above policy, service provider will need to deploy 2 +sets of glance api services. One glance api service will be exposed to the +external nova services(nova-compute) and other to the users. The one which is +exposed to the users should enforce the download_image policy with the above +"restricted" rule and the glance-api which used by nova need to be +isolated/protected, e.g. separated by network, in order to avoid +glance-client/end user connect it by standard API. 
+ +Developer impact +---------------- + +None + + +Implementation +============== + +Assignee(s) +----------- + +Primary assignee: + abhishek-kekane + +Other contributors: + None + +Work Items +---------- + +- Add new rule in policy.json to restrict download of image. +- Add method to create dictionary-like mashup of image properties +- Modify v1 and v2 api to restrict download +- Modify logic of caching to restrict download for v1 and v2 api +- Sync openstack.common.policy of oslo-inc with Glance when the + change of oslo-inc get merged. + + +Dependencies +============ + +None + + +Testing +======= + +Need to add tempest test to cover download operation. + + +Documentation Impact +==================== + +Please refer Other deployer impact. + + +References +========== + +None
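Review bot: the property-protections-roles.conf example in "Other deployer impact" contradicts the 'restricted' rule it is meant to back up. The rule `"restricted": "not (ntt_3251:%(x_billing_code_ntt)s and role:member)"` denies download to users holding `role:member`, yet the protections block grants `update = admin,member` and `delete = admin,member` on `[^x_billing_code_.*]`, so the very role being restricted may remove or change the property and then download, which is exactly the bypass the spec warns about two paragraphs earlier. Limit create/update/delete on that property to the non-restricted role (admin in this example) and state explicitly which role the rule constrains. Two smaller points: "Security impact: None" does not match the deployer section, where the feature only holds if show_image_direct_url and show_multiple_locations stay False and nova talks to a separate, network-isolated glance-api; those conditions are the security model of the change and should be listed under Security impact. And "the core property value will be overwritten on the custom property" should state the precedence unambiguously (core overrides a same-named custom property), since it decides whether a user can influence the target handed to _enforce() by setting custom properties.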