Use RBAC to define admin-ness

Bug #1152716 reported by Brian Waldon
Affects: Glance
Status: Fix Released
Importance: Critical
Assigned to: Eoghan Glynn

Bug Description

Glance depends on a single configured role to define who is an Admin in the system. We should push the definition of Admin-ness out of configuration and into the policy.json file like Nova:

https://github.com/openstack/nova/blob/master/nova/policy.py#L105
https://github.com/openstack/nova/blob/master/etc/nova/policy.json#L2

Mark Washenberger (markwash) wrote :

I presume we continue to support the old configuration option as well.

Eoghan Glynn (eglynn)
Changed in glance:
assignee: nobody → Eoghan Glynn (eglynn)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/28048

Changed in glance:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (master)

Reviewed: https://review.openstack.org/28048
Committed: http://github.com/openstack/glance/commit/cc938e25f3babd8aa1299ae75cc5fa2cf24a00a0
Submitter: Jenkins
Branch: master

commit cc938e25f3babd8aa1299ae75cc5fa2cf24a00a0
Author: Eoghan Glynn <email address hidden>
Date: Wed May 1 15:41:53 2013 +0000

    Use RBAC policy to determine if context is admin.

    Fixes bug 1152716

    If the context roles do not match the configured admin_role,
    fall back to determining if admin via the "context_is_admin"
    RBAC policy rule (for consistency with the approach used by
    the other projects).

    Note this requires that the "context_is_admin" rule *must*
    be set in the policy.json if the out-of-the-box default rule
    is used (as this default is so open, the net effect of omitting
    the "context_is_admin" rule is for every request to acquire
    admin status).

    Change-Id: Ide2cf604b48f24bd759ce2d65091ff546cd9d22e
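
Added example, not part of the bug report or of Glance's code: a simplified Python model of the fallback the commit message describes, showing why omitting "context_is_admin" while the default rule is open gives every request admin status, plus an audit check for that condition. The rule syntax (empty string means always allow, "role:<name>" means role match), the deny-when-no-default behaviour, the role name cloud_operator and all function names are assumptions for illustration.

```python
import json

# Constructed sample policies in a simplified syntax (not Glance's shipped policy.json).
POLICY_WITH_RULE = json.loads('{"context_is_admin": "role:cloud_operator", "default": ""}')
POLICY_MISSING_RULE = json.loads('{"default": ""}')


def check_rule(policy, rule_name, roles):
    """Evaluate a rule; a rule absent from the policy falls back to "default"."""
    # Assumption: with no "default" rule either, the model denies ("!").
    expr = policy.get(rule_name, policy.get("default", "!"))
    if expr == "":
        return True  # empty rule: always allow
    if expr.startswith("role:"):
        wanted = expr[len("role:"):].lower()
        return wanted in {r.lower() for r in roles}
    return False  # "!" or unsupported syntax: deny


def is_admin(roles, policy, admin_role="admin"):
    """Configured admin_role first, then the "context_is_admin" policy rule."""
    if admin_role.lower() in {r.lower() for r in roles}:
        return True
    return check_rule(policy, "context_is_admin", roles)


def audit_policy(policy):
    """Return findings to fix before relying on the policy for admin checks."""
    findings = []
    if "context_is_admin" not in policy:
        findings.append("context_is_admin rule is missing")
        if policy.get("default", "!") == "":
            findings.append("open default rule grants admin to every request")
    elif policy["context_is_admin"] == "":
        findings.append("context_is_admin is empty and matches every request")
    return findings


if __name__ == "__main__":
    for name, policy in (("with rule", POLICY_WITH_RULE),
                         ("missing rule", POLICY_MISSING_RULE)):
        print(name, "| member is admin:", is_admin(["member"], policy),
              "| findings:", audit_policy(policy))
```
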

Changed in glance:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in glance:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in glance:
milestone: havana-1 → 2013.2