Glance specs for restricting users from downloading licensed images on the basis of policy. Change-Id: Ic19040e397764d4d947dc2465009ad445db42146
Restrict users from downloading image based on custom properties
https://blueprints.launchpad.net/glance/+spec/restrict-downloading-images-protected-properties
The goal of this blueprint is to restrict normal users from downloading the images on the basis of core or custom properties by using download_image policy.
Problem description
Presently, any user with whom an image is shared publicly can download it freely, which could lead to piracy. Today you can stop users from downloading images by configuring the download_image policy with a role constraint, but that restricts every user holding that role from downloading all images, which is too coarse. What I want is to restrict users from downloading images on the basis of a specific core or custom property being present on the image, combined with the user holding certain specific roles.
Proposed change
We can achieve this by adding a new rule in policy.json and applying that rule to the 'download_image' policy.
For example, add a new rule in policy.json as below:
    'restricted': 'not (ntt_3251:%(x_billing_code_ntt)s and role:member)'
    'download_image': 'role:admin or rule:restricted'
So if the 'download_image' policy is enforced, then in the above case only an admin, or a user who satisfies the 'restricted' rule, will be able to download the image. Other users will not be able to download the image and will get a 403 Forbidden response.
To avoid implementing dict inspection via dot syntax, and to enforce the policy on the v1 and v2 APIs in the same way, we can create a dictionary-like mashup of the image's core and custom properties in both the v1 and v2 API and pass it directly as the target to the _enforce() method. If a core property and a custom property of the image have the same name, the core property value overwrites the custom property value.
For example: self._enforce(req, 'download_image', target=image_meta_mashup)
Alternatives
Instead of passing a dictionary-like mashup of the image core and custom properties directly as the target, we can pass the image itself and implement dict inspection via dot syntax. In this case the new rule in policy.json needs to be configured as follows:
    'restricted': 'not (ntt_3251:%(target.x_billing_code_ntt)s and role:member)'
    'download_image': 'role:admin or rule:restricted'
Data model impact
None
REST API impact
GET:/v2/images/{image_id}/file
- Description: Downloads binary image data.
- Method: GET
- Normal response code(s): 200, 204
- Expected error http response code(s): 403
  - When an image with protected properties is downloaded by a user who does not satisfy the 'download_image' policy
- URL for the resource: /v2/images/{image_id}/file
- Parameters which can be passed via the url: {image_id}, String, the ID of the image.
GET:/v1/images/{image_id}
- Description: Returns the image details as headers and the image binary in the body of the response.
- Method: GET
- Normal response code(s): 200
- Expected error http response code(s): 403
  - When an image with protected properties is downloaded by a user who does not satisfy the 'download_image' policy
- URL for the resource: /v1/images/{image_id}
- Parameters which can be passed via the url: {image_id}, String, the ID of the image.
Security impact
None
Notifications impact
None
Other end user impact
None
Performance Impact
None
Other deployer impact
A new rule needs to be added in policy.json to restrict downloading of images:
    "restricted": "not (ntt_3251:%(x_billing_code_ntt)s and role:member)"
    "download_image": "role:admin or rule:restricted"
Where ntt_3251 will be the value of the property 'x_billing_code_ntt'.
In our case it is necessary to ensure that normal users are not able to delete the property ('x_billing_code_ntt') added to the image. If a normal user is able to delete that property from the image, then he can easily download the image, as the rule 'restricted' will no longer apply.
So we need to restrict normal users from deleting the property, using property protections.
The following options need to be modified in the glance-api.conf file to enable property protections:
    property_protection_file = property-protections-roles.conf
    property_protection_rule_format = roles
Changes in property-protections-roles.conf:
    [^x_billing_code.*]
    create = admin,member
    read = admin,member,_member
    update = admin,member
    delete = admin,member
To use this download restriction feature, ensure that the show_image_direct_url and show_multiple_locations parameters are not set to True in glance-api.conf. If these options are True, this download restriction is potentially an inconsistent policy, as a user might be able to download the image via the image location (direct URL).
In order to deploy the above policy, the service provider will need to deploy two sets of glance-api services. One glance-api service will be exposed to the nova services (nova-compute) and the other to end users. The one exposed to users should enforce the download_image policy with the above "restricted" rule, and the glance-api used by nova needs to be isolated/protected, e.g. separated by network, so that glance-client/end users cannot connect to it via the standard API.
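A toy model of the two rules above, evaluated against the image-metadata mashup the "Proposed change" section describes, added here as an example; it is not part of the spec or of Glance/oslo code, it models the semantics the spec states rather than oslo's policy parser, and the helper names (build_image_meta_mashup, download_status) are assumptions. It also shows why the spec pairs the rule with property protections: once the property is gone, the 'restricted' rule no longer applies.

```python
# Added example (not Glance or oslo code): toy evaluation of
#   'restricted': 'not (ntt_3251:%(x_billing_code_ntt)s and role:member)'
#   'download_image': 'role:admin or rule:restricted'
# against the core/custom property mashup the spec proposes as policy target.


def build_image_meta_mashup(core_props, custom_props):
    """Flatten core and custom properties into one dict (assumed helper name).

    Per the spec, when a key exists in both, the core value overwrites it.
    """
    mashup = dict(custom_props)
    mashup.update(core_props)
    return mashup


def rule_restricted(target, creds):
    """'not (ntt_3251:%(x_billing_code_ntt)s and role:member)'"""
    # A missing property cannot equal 'ntt_3251', so the rule passes: this is
    # the gap the spec closes with property protections on x_billing_code_*.
    billing_code = target.get('x_billing_code_ntt')
    return not (billing_code == 'ntt_3251' and 'member' in creds['roles'])


def rule_download_image(target, creds):
    """'role:admin or rule:restricted'"""
    return 'admin' in creds['roles'] or rule_restricted(target, creds)


def download_status(core_props, custom_props, creds):
    """HTTP status the spec describes: 200 when allowed, 403 Forbidden otherwise."""
    target = build_image_meta_mashup(core_props, custom_props)
    return 200 if rule_download_image(target, creds) else 403


# Constructed sample data.
CORE = {'id': 'img-1', 'name': 'licensed-os', 'is_public': True}
LICENSED = {'x_billing_code_ntt': 'ntt_3251'}
ADMIN = {'roles': ['admin']}
MEMBER = {'roles': ['member']}

if __name__ == '__main__':
    print(download_status(CORE, LICENSED, ADMIN))   # 200
    print(download_status(CORE, LICENSED, MEMBER))  # 403
    print(download_status(CORE, {}, MEMBER))        # 200: property deleted
```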
Developer impact
None
Implementation
Assignee(s)
- Primary assignee: abhishek-kekane
- Other contributors: None
Work Items
- Add a new rule in policy.json to restrict download of images.
- Add a method to create the dictionary-like mashup of image properties.
- Modify the v1 and v2 APIs to restrict download.
- Modify the caching logic to restrict download for the v1 and v2 APIs.
- Sync openstack.common.policy of oslo-inc with Glance when the change in oslo-inc gets merged.
Dependencies
None
Testing
Tempest tests need to be added to cover the download operation.
Documentation Impact
Please refer to Other deployer impact.
References
None