From bba6fa84a181d2123433d56d537826e1e8aaeee0 Mon Sep 17 00:00:00 2001
From: Hugh Saunders
Date: Mon, 12 Jan 2015 10:37:53 +0000
Subject: [PATCH] Revert "Add proper RBAC to Glance's policy.json"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This reverts commit 8f190b9121715cc90c1d3269f146f1161623d271.

From Ian: "So I spent most of today trying to figure out why Glance’s policy isn’t working with the proposed glance policy changes for RBAC. I only was just able to find (by adding tons of logging) the basic check is parsed something like this OrCheck / \ Role GenericCheck The RoleCheck is straight-forward and just works. Glance (in Juno) used a very old and very hacky policy enforcement system that has been made a lot better in oslo.policy (soon to be released). At the moment the GenericCheck receives a target dictionary that is empty. So doing something like tenant:%(tenant_id)s will return False immediately because there is no tenant_id key in the dictionary passed in for the target object (because it is empty). This seems to be a failure somewhere along the line but I haven’t found it yet. Regardless, it seems like the RBAC changes need to be reverted because there’s no chance of them working until a new stable glance comes out with a fix."

So I spent most of today trying to figure out why Glance’s policy isn’t working with the proposed glance policy changes for RBAC. I only was just able to find (by adding tons of logging) the basic check is parsed something like this.

Partial-bug: #1408363
Change-Id: I094050e5ea6e1daa94c2f933c222268654f5ef78
---
 .../roles/glance_common/templates/policy.json | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/rpc_deployment/roles/glance_common/templates/policy.json b/rpc_deployment/roles/glance_common/templates/policy.json
index 3f9736baf0..544d981b15 100644
--- a/rpc_deployment/roles/glance_common/templates/policy.json
+++ b/rpc_deployment/roles/glance_common/templates/policy.json
@@ -1,14 +1,13 @@
 {
     "context_is_admin": "role:admin",
-    "user_is_owner": "user:%(target.image.owner) OR tenant:%(target.image.owner.tenant)",
     "default": "",
     "add_image": "",
-    "delete_image": "role:admin OR rule:user_is_owner",
+    "delete_image": "",
     "get_image": "",
     "get_images": "",
-    "modify_image": "role:admin OR rule:user_is_owner",
-    "publicize_image": "role:admin OR rule:user_is_owner",
+    "modify_image": "",
+    "publicize_image": "role:admin",
     "copy_from": "",
     "download_image": "",
@@ -18,11 +17,11 @@
     "get_image_location": "",
     "set_image_location": "role:admin",
-    "add_member": "role:admin OR rule:user_is_owner",
-    "delete_member": "role:admin OR rule:user_is_owner",
+    "add_member": "",
+    "delete_member": "",
     "get_member": "",
     "get_members": "",
-    "modify_member": "role:admin OR rule:user_is_owner",
+    "modify_member": "",
     "manage_image_cache": "role:admin",
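Review bot: On the new side of the first hunk `delete_image` and `modify_image` become `""`, which — as with the existing `default` rule — the policy engine treats as an unconditional allow, so after this revert the policy file itself no longer restricts those operations to admins or image owners, and any ownership enforcement now rests on checks Glance performs outside this file, which the hunk does not show. Because policy.json is strict JSON and cannot carry a comment, the reason these rules are open (the Juno enforcer hands `GenericCheck` an empty target, per the commit message) is recorded only in this commit, so a line in the role's documentation pointing at bug #1408363 would help ensure the rules are revisited once a fixed Glance is deployed. If the RBAC rules are reintroduced later, note that the removed `user_is_owner` rule also lacks the trailing `s` of the `%(...)s` substitution — it would need to read `user:%(target.image.owner)s OR tenant:%(target.image.owner.tenant)s` — so it would have failed even with a populated target. The same point applies to `add_member`, `delete_member` and `modify_member` in the second hunk, which runs past the end of this excerpt.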