Harden our copy of Glance's policy

Most of Glance's current checks are implemented in the API controllers
but in Kilo, Glance added the ability to actually define meaningful
policy rules around images and image members. In an effort to harden
our default config as best as we can, we should check to see if the
user trying to perform some of these actions is either an admin or the
owner of the image.

Change-Id: I2dcf4d828c9be88143174de30a6b59d655ab0539
Closes-bug: 1408363
Ian Cordasco
2015-04-28 16:48:11 -05:00
committed by Kevin Carter
parent b59c08dd5f
commit 8bebbc6e53

@@ -1,5 +1,7 @@
{
"context_is_admin": "role:admin",
"tenant_is_owner": "tenant:%(owner)s",
"admin_or_owner": "role:admin OR rule:tenant_is_owner",
"default": "",
"add_image": "",
@@ -7,7 +9,7 @@
"get_image": "",
"get_images": "",
"modify_image": "",
"publicize_image": "role:admin",
"publicize_image": "rule:admin_or_owner",
"copy_from": "",
"download_image": "",
@@ -17,11 +19,11 @@
"get_image_location": "",
"set_image_location": "",
"add_member": "",
"delete_member": "",
"add_member": "rule:admin_or_owner",
"delete_member": "rule:admin_or_owner",
"get_member": "",
"get_members": "",
"modify_member": "",
"modify_member": "rule:admin_or_owner",
"manage_image_cache": "role:admin",