Comment 4 for bug 1346648

OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (master)

Reviewed: https://review.openstack.org/146651
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=b159aa8b644338360f6e90d34af40a662246fe47
Submitter: Jenkins
Branch: master

commit b159aa8b644338360f6e90d34af40a662246fe47
Author: Ian Cordasco <email address hidden>
Date: Mon Jan 12 15:56:29 2015 -0600

    Pass a real image target to the policy enforcer

    Previously, every call to policy.enforce passed an empty dictionary as
    the target. This prevents operators from using tenant-specific
    restrictions in their policy.json files since the target will always be
    an empty dictionary.

    If you try to restrict some actions so an image owner (users with the
    correct tenant id) can perform actions, the check categorically fails
    because the target is an empty dictionary. By passing the
    ImageTarget instance wrapping an Image, we can properly grant access to
    the image owner(s) based on tenant (e.g., owner:%(tenant)). Without this
    fix, the only check that actually works in glance is a RoleCheck (e.g.,
    role:admin).

    Partial-bug: 1346648
    Implements: blueprint pass-targets-to-policy-enforcer
    Change-Id: Id914c478ca7c4dfde3f08028d8b70c623f26b6e9
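
The failure mode the commit message describes, as an added example that is not code from glance or its policy library: a simplified enforcer in which a role rule reads only the caller's credentials, while a target-dependent rule can never pass against an empty target. The rule string `tenant:%(owner)s`, the action name, the tenant ids and the function names are all assumptions made for illustration.

```python
# Simplified model of a policy enforcer (assumption: not glance's code).
# Rule forms modelled: "role:<name>" or "<cred_key>:%(<target_key>)s".

def check(rule, target, creds):
    """Evaluate one rule against a target dict and the caller's credentials."""
    kind, _, match = rule.partition(":")
    if kind == "role":
        # Role checks look only at the caller, never at the target.
        return match.lower() in (r.lower() for r in creds.get("roles", []))
    try:
        # The right-hand side is interpolated from the target ...
        expected = match % target
    except KeyError:
        # ... so an empty target can never satisfy the rule.
        return False
    return kind in creds and expected == str(creds[kind])


def enforce(policy, action, target, creds):
    """Allow the action if any alternative rule listed for it passes."""
    return any(check(rule, target, creds) for rule in policy.get(action, []))


# Constructed sample data (hypothetical action, tenants and rules).
POLICY = {"delete_image": ["role:admin", "tenant:%(owner)s"]}
OWNER = {"roles": ["member"], "tenant": "tenant-a"}
OTHER = {"roles": ["member"], "tenant": "tenant-b"}
ADMIN = {"roles": ["admin"], "tenant": "tenant-c"}
IMAGE_TARGET = {"owner": "tenant-a"}  # stands in for a populated image target


def demo():
    """Compare the old call shape (empty target) with a populated target."""
    act = "delete_image"
    return {
        "owner_empty_target": enforce(POLICY, act, {}, OWNER),
        "admin_empty_target": enforce(POLICY, act, {}, ADMIN),
        "owner_real_target": enforce(POLICY, act, IMAGE_TARGET, OWNER),
        "other_real_target": enforce(POLICY, act, IMAGE_TARGET, OTHER),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

With the empty target the image owner is denied and only the role rule grants access; with a populated target the owner is allowed and a caller from another tenant is still denied.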