glance APIs missing target for most policy checks

Bug #1346648 reported by Scott Devoid
This bug affects 4 people
Affects: Glance | Status: In Progress | Importance: Wishlist | Assigned to: Ian Cordasco
Declined for Icehouse by Alan Pevec
Declined for Juno by Alan Pevec
Nominated for Kilo by Ian Cordasco

Bug Description

API calls in glance.api.v1.images call the _enforce() helper method for various actions ("create_image", "update_image", "delete_image", etc.), but do not pass the image as the target for the policy check. [1]

This means that you cannot provide access to these APIs on a per-object basis. Furthermore it is inconsistent with the way other projects handle policy checks.

[1] https://github.com/openstack/glance/blob/master/glance/api/v1/images.py#L154

Revision history for this message
Mark Washenberger (markwash) wrote :

Some groundwork for this was laid in https://review.openstack.org/#/c/98737/, but it only covers the download_image check.

We should add broader use of the target keyword to our enforce calls in the v1 api and in the policy enforcement used by the v2 api.

But I suppose this is actually a feature request TBH.

summary: - glance v1 API missing target for policy checks
+ glance APIs missing target for most policy checks
Changed in glance:
status: New → Confirmed
importance: Undecided → Medium
importance: Medium → Wishlist
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/122467

Ian Cordasco (icordasc)
Changed in glance:
assignee: nobody → Ian Cordasco (icordasc)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/146651

Changed in glance:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (master)

Reviewed: https://review.openstack.org/146651
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=b159aa8b644338360f6e90d34af40a662246fe47
Submitter: Jenkins
Branch: master

commit b159aa8b644338360f6e90d34af40a662246fe47
Author: Ian Cordasco <email address hidden>
Date: Mon Jan 12 15:56:29 2015 -0600

    Pass a real image target to the policy enforcer

    Previously, every call to policy.enforce passed an empty dictionary as
    the target. This prevents operators from using tenant specific
    restrictions in their policy.json files since the target will always be
    an empty dictionary.

    If you try to restrict some actions so an image owner (users with the
    correct tenant id) can perform actions, the check categorically fails
    because the target is an empty dictionary. By passing the
    ImageTarget instance wrapping an Image, we can properly grant access to
    the image owner(s) based on tenant (e.g., owner:%(tenant)). Without this
    fix, the only check that actually works in glance is a RoleCheck (e.g.,
    role:admin).

    Partial-bug: 1346648
    Implements: blueprint pass-targets-to-policy-enforcer
    Change-Id: Id914c478ca7c4dfde3f08028d8b70c623f26b6e9
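
The effect the commit message describes, as an added example that is not glance's or oslo.policy's own code: a small constructed model of policy evaluation with two check kinds, `role:<name>` and `<credential attribute>:%(target attribute)s`, joined by `or`. The rule string `tenant:%(owner)s`, the `image_target()` helper standing in for glance's ImageTarget, and the sample image and callers are all constructed for this example. It evaluates the same owner-or-admin rule once with an empty target (the pre-fix behaviour) and once with the image as the target, so the caller-by-caller difference is visible.

```python
# Constructed model of the policy-check semantics described in the bug.
# This is an added example, not glance or oslo.policy code: it emulates
# only two check kinds, "role:<name>" (matched against the caller's roles)
# and "<cred_attr>:%(target_attr)s" (a credential attribute compared with a
# value taken from the target), joined by "or".

def image_target(image):
    """Stand-in for glance's ImageTarget: expose the image's fields as the
    policy target dictionary (constructed helper, not the real class)."""
    return {"owner": image["owner"], "visibility": image["visibility"]}


def role_check(match, creds):
    """True if the caller holds the named role (case-insensitive)."""
    return match.lower() in {r.lower() for r in creds.get("roles", [])}


def generic_check(kind, match, target, creds):
    """Compare creds[kind] with the match template expanded from the target.

    The template uses %-formatting, e.g. "%(owner)s". With an empty target
    the expansion raises KeyError, which is treated as a failed check; this
    is why every owner-based rule failed when v1 passed {} as the target."""
    try:
        expected = match % target
    except KeyError:
        return False
    actual = creds.get(kind)
    return actual is not None and str(actual) == expected


def enforce(rule, target, creds):
    """Evaluate a rule of the form 'check or check or ...'."""
    for clause in rule.split(" or "):
        kind, _, match = clause.strip().partition(":")
        if kind == "role":
            ok = role_check(match, creds)
        else:
            ok = generic_check(kind, match, target, creds)
        if ok:
            return True
    return False


# Constructed sample data: an image owned by tenant "t-owner" and three callers.
IMAGE = {"id": "img-1", "owner": "t-owner", "visibility": "private"}
ADMIN = {"tenant": "t-admin", "roles": ["admin"]}
OWNER = {"tenant": "t-owner", "roles": ["member"]}
OTHER = {"tenant": "t-other", "roles": ["member"]}

# An admin-or-owner rule in the style an operator would put in policy.json
# (constructed; the commit message writes the owner check as owner:%(tenant)).
DELETE_IMAGE = "role:admin or tenant:%(owner)s"


def compare_targets(rule=DELETE_IMAGE, image=IMAGE):
    """Return {caller: (result_with_empty_target, result_with_image_target)}.

    The first value reproduces the pre-fix behaviour (target == {}), the
    second what the fix enables by passing the image as the target."""
    callers = {"admin": ADMIN, "owner": OWNER, "other": OTHER}
    return {
        name: (enforce(rule, {}, creds), enforce(rule, image_target(image), creds))
        for name, creds in callers.items()
    }


if __name__ == "__main__":
    for name, (before, after) in compare_targets().items():
        print(f"{name:>5}: empty target -> {before!s:5}  image target -> {after}")
```

With an empty target only the admin passes, because `role:admin` is the one check that never consults the target; once the image is the target, the owning tenant is admitted and a different tenant is still refused, which is the per-object control the bug asks for.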

OpenStack Infra (hudson-openstack) wrote : Change abandoned on glance (stable/icehouse)

Change abandoned by Matt Riedemann (<email address hidden>) on branch: stable/icehouse
Review: https://review.openstack.org/122467
Reason: This isn't appropriate for stable/icehouse at this point.

Maik Zumstrull (m-zumstrull) wrote :

We're seeing this issue in our (Kilo) cloud, and it seems this is only fixed for API v2. Firing a request to delete the same image using the same credentials, once with API v1 and once with API v2, I see that the enforcer is called without target information for v1 and with target information for v2. Since we do an ownership check for some operations, this means v1 API essentially doesn't work.

Is anyone still working on this issue?
