0d0b76d838
Glance specs for restricting users from downloading licensed images on the basis of policy. Change-Id: Ic19040e397764d4d947dc2465009ad445db42146
218 lines
6.2 KiB
ReStructuredText

================================================================
Restrict users from downloading image based on custom properties
================================================================

https://blueprints.launchpad.net/glance/+spec/restrict-downloading-images-protected-properties

The goal of this blueprint is to restrict normal users from downloading
images on the basis of core or custom properties by using the
download_image policy.


Problem description
===================

Presently, users can freely download images that are shared publicly with
them, which could lead to piracy. Today you can stop users from downloading
images by configuring the download_image policy with a role constraint, but
that restricts all users having that particular role from downloading all of
the images, which is too coarse. So what I want is to restrict users from
downloading images on the basis of a specific core or custom property being
present in the image and the user having certain specific roles.


Proposed change
===============

We can achieve this by adding a new rule in policy.json and applying that rule
to the 'download_image' policy.

For example, add a new rule in policy.json as below::

    'restricted': 'not (ntt_3251:%(x_billing_code_ntt)s and role:member)'
    'download_image': 'role:admin or rule:restricted'

So if the 'download_image' policy is enforced, then in the above case only an
admin or a user who satisfies the rule 'restricted' will be able to download
the image. Other users will not be able to download the image and will get a
403 Forbidden response.

To avoid implementing dict inspection via dot syntax, and to enforce the
policy on the v1 and v2 APIs in the same way, we can create a dictionary-like
mashup of the image core and custom properties in both the v1 and v2 API and
pass it directly as the target to the _enforce() method. If a core property
and a custom property of the image have the same name, the core property
value will overwrite the custom property.

For example::

    self._enforce(req, 'download_image', target=image_meta_mashup)


Alternatives
------------

Instead of passing the dictionary-like mashup of the image core and custom
properties directly as the target, we can pass the image itself and implement
dict inspection via dot syntax. In this case the new rule in policy.json needs
to be configured as follows::

    'restricted': 'not (ntt_3251:%(target.x_billing_code_ntt)s and role:member)'
    'download_image': 'role:admin or rule:restricted'


Data model impact
-----------------

None

REST API impact
---------------

* GET:/v2/images/{image_id}/file

  * Description: Downloads binary image data.
  * Method: GET
  * Normal response code(s): 200, 204
  * Expected error http response code(s): 403

    * When an image having protected properties is downloaded by a user
      who doesn't satisfy the 'download_image' policy

  * URL for the resource: /v2/images/{image_id}/file
  * Parameters which can be passed via the url

    * {image_id}, String, The ID for the image.

* GET:/v1/images/{image_id}

  * Description: Returns the image details as headers and the image binary
    in the body of the response.
  * Method: GET
  * Normal response code(s): 200
  * Expected error http response code(s): 403

    * When an image having protected properties is downloaded by a user
      who doesn't satisfy the 'download_image' policy

  * URL for the resource: /v1/images/{image_id}
  * Parameters which can be passed via the url

    * {image_id}, String, The ID for the image.


Security impact
---------------

None

Notifications impact
--------------------

None

Other end user impact
---------------------

None

Performance Impact
------------------

None


Other deployer impact
---------------------

A new rule needs to be added in policy.json to restrict downloading of the
image::

    "restricted": "not (ntt_3251:%(x_billing_code_ntt)s and role:member)"
    "download_image": "role:admin or rule:restricted"

where ntt_3251 is the value of the property 'x_billing_code_ntt'.

In our case it is necessary to ensure that normal users are not able to
delete the property ('x_billing_code_ntt') added to the image. If a normal
user is able to delete the property of the image, then he can easily download
the image, as the rule 'restricted' will not match in this case.

So we need to restrict normal users from deleting the property using property
protections.
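The two rules above, and the property-deletion problem just described, run through a small emulation of the policy check semantics. This is an added example, not Glance's or oslo's code; the sample image, the roles and the names build_mashup, check, RULES and may_download are constructed here and stand in for Glance's mashup and its _enforce() call.

```python
# Added example (not Glance's or oslo's code): a small emulation of the policy
# check semantics behind the two rules in this spec, run against an image
# property mashup and a caller's roles to see who is allowed to download.

def build_mashup(core, custom):
    # One flat target dict; on a name clash the core property overwrites the custom one
    mashup = dict(custom)
    mashup.update(core)
    return mashup

def check(tok, target, creds):
    # 'kind:match' as written in policy.json: rule references, role checks, generic checks
    kind, match = tok.split(":", 1)
    if kind == "rule":
        return RULES[match](target, creds)
    if kind == "role":
        return match in creds["roles"]
    try:  # generic check: left-hand literal vs %(key)s substituted from the target
        return kind == match % target
    except KeyError:
        return False  # property absent from the image, so the check cannot match

RULES = {
    # 'restricted': 'not (ntt_3251:%(x_billing_code_ntt)s and role:member)'
    "restricted": lambda t, c: not (check("ntt_3251:%(x_billing_code_ntt)s", t, c)
                                    and check("role:member", t, c)),
    # 'download_image': 'role:admin or rule:restricted'
    "download_image": lambda t, c: check("role:admin", t, c) or check("rule:restricted", t, c),
}

def may_download(image_core, image_custom, roles):
    # What _enforce(req, 'download_image', target=image_meta_mashup) decides; False means 403
    target = build_mashup(image_core, image_custom)
    return RULES["download_image"](target, {"roles": roles})

# Constructed sample image: core properties plus the billing-code marker from the spec
CORE = {"name": "licensed-os", "status": "active"}
CUSTOM = {"x_billing_code_ntt": "ntt_3251"}

def scenarios():
    other_code = {"x_billing_code_ntt": "ntt_0001"}
    return {
        "admin": may_download(CORE, CUSTOM, ["admin"]),                # True: admin always passes
        "member_billed": may_download(CORE, CUSTOM, ["member"]),       # False: 403 Forbidden
        "member_other_code": may_download(CORE, other_code, ["member"]),  # True: code does not match
        "other_role_billed": may_download(CORE, CUSTOM, ["_member_"]),  # True: rule names only 'member'
        # Why the spec requires property protections: with the property deleted, the rule no longer bites
        "member_property_deleted": may_download(CORE, {}, ["member"]),  # True
    }
```

The last two scenarios are the ones to review when writing such a rule: it only restricts the role it names, and it stops restricting as soon as the property it keys on is gone.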

Need to modify the following options in the glance-api.conf file to enable
property protections::

    property_protection_file = property-protections-roles.conf
    property_protection_rule_format = roles

Changes in property-protections-roles.conf::

    [^x_billing_code_.*]
    create = admin,member
    read = admin,member,_member_
    update = admin,member
    delete = admin,member

To use this download restriction feature, it must be ensured that the
show_image_direct_url and show_multiple_locations parameters are not set to
True in the glance-api.conf file. If these options are True, then using this
download restriction is a potentially inconsistent policy, as a user might be
able to download the image using the image location (direct URL).

In order to deploy the above policy, the service provider will need to deploy
two sets of glance-api services. One glance-api service will be exposed to the
external nova services (nova-compute) and the other to the users. The one
exposed to the users should enforce the download_image policy with the above
"restricted" rule, and the glance-api used by nova needs to be
isolated/protected, e.g. separated by network, so that glance-client/end users
cannot connect to it via the standard API.


Developer impact
----------------

None


Implementation
==============

Assignee(s)
-----------

Primary assignee:
  abhishek-kekane

Other contributors:
  None

Work Items
----------

- Add a new rule in policy.json to restrict download of the image.
- Add a method to create the dictionary-like mashup of image properties.
- Modify the v1 and v2 API to restrict download.
- Modify the caching logic to restrict download for the v1 and v2 API.
- Sync openstack.common.policy of oslo-inc with Glance when the
  oslo-inc change gets merged.


Dependencies
============

None


Testing
=======

Need to add a tempest test to cover the download operation.


Documentation Impact
====================

Please refer to Other deployer impact.


References
==========

None