openstack/openstack-ansible
Code Issues Proposed changes

Revert "Add proper RBAC to Glance's policy.json"

Browse Source 
This reverts commit 8f190b9121.

From Ian:
"So I spent most of today trying to figure out why Glance’s policy isn’t
working with the proposed glance policy changes for RBAC. I only was
just able to find (by adding tons of logging) the basic check is parsed
something like this

OrCheck
/     \
Role   GenericCheck

The RoleCheck is straight-forward and just works. Glance (in Juno) used
a very old and very hacky policy enforcement system that has been made a
lot better in oslo.policy (soon to be released). At the moment the
GenericCheck receives a target dictionary that is empty. So doing
something like tenant:%(tenant_id)s will return False immediately
because there is no tenant_id key in the dictionary passed in for the
target object (because it is empty). This seems to be a failure
somewhere along the line but I haven’t found it yet. Regardless, it
seems like the RBAC changes need to be reverted because there’s no
chance of them working until a new stable glance comes out with a fix."

So I spent most of today trying to figure out why Glance’s policy isn’t
working with the proposed glance policy changes for RBAC. I only was
just able to find (by adding tons of logging) the basic check is parsed
something like this.

Partial-bug: #1408363
Change-Id: I094050e5ea6e1daa94c2f933c222268654f5ef78
This commit is contained in:
Hugh Saunders
2015-01-12 10:37:53 +00:00
committed by Jesse Pretorius
parent b0ed20b738
commit bba6fa84a1
1 changed files with 6 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
rpc_deployment/roles/glance_common/templates/policy.json
View File

@@ -1,14 +1,13 @@
{
"context_is_admin": "role:admin",
"user_is_owner": "user:%(target.image.owner) OR tenant:%(target.image.owner.tenant)",
"default": "",
"add_image": "",
"delete_image": "role:admin OR rule:user_is_owner",
"delete_image": "",
"get_image": "",
"get_images": "",
"modify_image": "role:admin OR rule:user_is_owner",
"publicize_image": "role:admin OR rule:user_is_owner",
"modify_image": "",
"publicize_image": "role:admin",
"copy_from": "",
"download_image": "",
@@ -18,11 +17,11 @@
"get_image_location": "",
"set_image_location": "role:admin",
"add_member": "role:admin OR rule:user_is_owner",
"delete_member": "role:admin OR rule:user_is_owner",
"add_member": "",
"delete_member": "",
"get_member": "",
"get_members": "",
"modify_member": "role:admin OR rule:user_is_owner",
"modify_member": "",
"manage_image_cache": "role:admin",