glance/doc/source/policies.rst
Alex Meade 75339f4712 Add policy check for downloading image.
This patch adds a policy, 'download_image', to be enforced when image data is
retrieved. It also does some basic refactoring of how policies are enforced.

Fixes bug 1038086

Change-Id: Idd844b615d362eae3197e106067c29dba8e3eeda
2012-08-21 16:38:10 -04:00


Policies

Glance's API calls may be restricted to certain sets of users using a Policy configuration file.

This document explains exactly how policies work and how the policy configuration file is constructed.

Basics

A policy is composed of a set of rules that the Policy "Brain" uses to determine whether a particular action may be performed by a particular role.

Constructing a Policy Configuration File

Policy configuration files are simply serialized JSON dictionaries that contain sets of rules. Each top-level key is the name of a rule. Each rule is a string that describes an action that may be performed in the Glance API.

The actions that may have a rule enforced on them are:

  • get_images - Allowed to call the GET /images and GET /images/detail API calls
  • get_image - Allowed to call the HEAD /images/<IMAGE_ID> and GET /images/<IMAGE_ID> API calls
  • add_image - Allowed to call the POST /images API call
  • modify_image - Allowed to call the PUT /images/<IMAGE_ID> API call
  • publicize_image - Allowed to create or update images with attribute is_public=true
  • delete_image - Allowed to call the DELETE /images/<IMAGE_ID> API call
  • manage_image_cache - Allowed to use the image cache management API

Added in v2:

  • download_image - Allowed to call the GET /images/<IMAGE_ID>/file API call

To limit an action to a particular role or roles, you list the roles like so:

{
  "delete_image": ["role:admin", "role:superuser"]
}

The above adds a rule that allows only users with the role "admin" or "superuser" to delete an image.

Examples

Example 1. (The default policy configuration)

{
    "default": []
}

Note that an empty JSON list means that all methods of the Glance API are callable by anyone.

Example 2. Disallow modification calls to non-admins

{
    "default": [],
    "add_image": ["role:admin"],
    "modify_image": ["role:admin"],
    "delete_image": ["role:admin"]
}
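
The following audit sketch is an added example, not part of Glance or of the original document. It models the rule format shown on this page (a flat list of "role:<name>" strings, any one of which is sufficient, with an empty list allowing anyone) and reports which of the listed actions a policy leaves open. It assumes that an action without its own rule falls back to "default" and that a policy with no "default" denies such actions; the function names are hypothetical.

```python
import json

# Actions listed on this page.
ACTIONS = [
    "get_images", "get_image", "add_image", "modify_image",
    "publicize_image", "delete_image", "manage_image_cache",
    "download_image",
]


def effective_rule(policy, action):
    """Return the rule that applies to `action`.

    Assumption: an action with no rule of its own uses "default";
    None is returned when neither key exists.
    """
    if action in policy:
        return policy[action]
    return policy.get("default")


def is_allowed(policy, action, roles):
    """Simplified model of enforcement, not Glance's policy engine."""
    rule = effective_rule(policy, action)
    if rule is None:          # assumption: no rule and no default means deny
        return False
    if not rule:              # empty list: callable by anyone
        return True
    return any(f"role:{role}" in rule for role in roles)


def open_actions(policy):
    """Actions a caller holding no roles at all may perform."""
    return [a for a in ACTIONS if is_allowed(policy, a, [])]


# Example 2 from this page.
EXAMPLE_2 = json.loads("""
{
    "default": [],
    "add_image": ["role:admin"],
    "modify_image": ["role:admin"],
    "delete_image": ["role:admin"]
}
""")

if __name__ == "__main__":
    print("open to anyone:", open_actions(EXAMPLE_2))
```

Under these assumptions, Example 2 still leaves get_images, get_image, publicize_image, manage_image_cache and download_image callable by anyone, because they inherit the empty "default" rule.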