Add option restrict regular users from upload public images

Fix proposed to branch: master
Review: https://review.openstack.org/650408

Note that only an admin can make and image public already - this is part of the default glance policy:

    "add_image": "",
    "delete_image": "",
    "get_image": "",
    "get_images": "",
    "modify_image": "",
    "publicize_image": "role:admin",
    "communitize_image": "",
    "copy_from": "",

a regular user can 'communitize_image' which is a bit different.

There is a good question in the linked ask.openstack.org question:

"Let's assume you made this change so only admins could upload images. Would this affect non-admin users' ability to take snapshots?"

that's a really good question - its possible that because the service account for nova is actually creating the snapshot of a vm, this just works but that would need to be validated.

Concerning the ask.openstack.org question:

"Let's assume you made this change so only admins could upload images. Would this affect non-admin users' ability to take snapshots?"

I just tested and indeed making this change does block non-admin users from taking a snapshot of an instance.

I didn't realise there were publicize_image and communitize_image policies. Maybe the publicize_image policy is enough for the original requestor?

@miguel.meneses

There is already some level of protection of making an image 'public' - restricting the other access permissions has some side effects that might not be desirable - see #4 - is the existing protection sufficient? We could implement more restriction via policy but it may have other un-forseen side effects due to the way that policy is implemented in glance.

[Expired for OpenStack glance charm because there has been no activity for 60 days.]

Change abandoned by "Billy Olsen <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/charm-glance/+/650408
Reason: Change has not been updated to address feedback in > 180 days