glance/doc/source/policies.rst
Brian Waldon 087046b4e6 Clean up policies docs page
Related to bp glance-folsom-docs-cleanup

Change-Id: I65cd8e9e34ce25cbf0b45900fc73df1ffb03c7ef
2012-08-22 19:04:49 -07:00

3.1 KiB

Policies

Glance's public API calls may be restricted to certain sets of users using a policy configuration file. This document explains exactly how policies are configured and what they apply to.

A policy is composed of a set of rules that are used by the policy "Brain" in determining if a particular action may be performed by the authorized tenant.

Constructing a Policy Configuration File

A policy configuration file is a simply JSON object that contain sets of rules. Each top-level key is the name of a rule. Each rule is a string that describes an action that may be performed in the Glance API.

The actions that may have a rule enforced on them are:

  • get_images - List available image entities
    • GET /v1/images
    • GET /v1/images/detail
    • GET /v2/images
  • get_image - Retrieve a specific image entity
    • HEAD /v1/images/<IMAGE_ID>
    • GET /v1/images/<IMAGE_ID>
    • GET /v2/images/<IMAGE_ID>
  • download_image - Download binary image data
    • GET /v1/images/<IMAGE_ID>
    • GET /v2/images/<IMAGE_ID>/file
  • add_image - Create an image entity
    • POST /v1/images
    • POST /v2/images
  • modify_image - Update an image entity
    • PUT /v1/images/<IMAGE_ID>
    • PUT /v2/images/<IMAGE_ID>
  • publicize_image - Create or update images with attribute
    • POST /v1/images with attribute is_public = true
    • PUT /v1/images/<IMAGE_ID> with attribute is_public = true
    • POST /v2/images with attribute visibility = public
    • PUT /v2/images/<IMAGE_ID> with attribute visibility = public
  • delete_image - Delete an image entity and associated binary data
    • DELETE /v1/images/<IMAGE_ID>
    • DELETE /v2/images/<IMAGE_ID>
  • manage_image_cache - Allowed to use the image cache management API

To limit an action to a particular role or roles, you list the roles like so :

{
  "delete_image": ["role:admin", "role:superuser"]
}

The above would add a rule that only allowed users that had roles of either "admin" or "superuser" to delete an image.

Examples

Example 1. (The default policy configuration)

{
    "default": []
}

Note that an empty JSON list means that all methods of the Glance API are callable by anyone.

Example 2. Disallow modification calls to non-admins

{
    "default": [],
    "add_image": ["role:admin"],
    "modify_image": ["role:admin"],
    "delete_image": ["role:admin"]
}