Comment 23 for bug 1546507

Stuart McLaren (stuart-mclaren) wrote : Re: Regular user can delete any image file

@Mike

> The problem is EVERY deployment allows direct access to the locations for all users with v1's --location. And it's not about policies or config params. It's always enabled

I'm not sure I understand this comment. Reading it at face value, it's saying that literally every existing deployment allows users to directly change locations, and there is nothing (no config change or policy change) that the operator can do to prevent it.

But I find that if I change the following in policy.json

    "delete_image_location": "role:admin or role:glance_admin",
    "get_image_location": "role:admin or role:glance_admin",
    "set_image_location": "role:admin or role:glance_admin",

Then a user is not allowed to set the location via the v1 CLI:

    $ glance --os-image-api-version 1 image-create --disk-format raw --container-format bare --name x1 --location http://www.google.com
    403 Forbidden: Access was denied to this resource. (HTTP 403)

In my experience it is possible to disallow the direct image location manipulation via policies without breaking nova (again, in my experience, this is what larger deployments will typically do).

> and also it will break Nova, which uses this option.

It may be that Nova can take advantage of directly manipulating locations in some cases (Mike -- do you have more details on what nova does here?) but I don't think directly manipulating the locations is a requirement for a working Nova.
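The policy.json change quoted in this comment is easy to audit mechanically. The script below is an added illustration, not code from this bug report or from Glance itself: it evaluates a small subset of the oslo.policy rule language (empty rule, `!`, `role:NAME`, `rule:NAME`, combined with `and`/`or`) against a caller's roles and reports which of the three image-location policies a plain `member` user can pass. Both sample policy documents are constructed for the example; `WEAK_POLICY` stands in for a deployment where every authenticated user can manipulate locations, and `HARDENED_POLICY` carries the three lines quoted above.

```python
"""Audit whether a Glance policy.json restricts direct image-location
manipulation to admin roles.

Added example, not code from the bug report or from Glance. It handles a
subset of the oslo.policy rule syntax: "" (always allowed), "!" (never
allowed), "role:NAME", "rule:NAME", joined with "and" / "or" ("or" binds
loosest). Anything else raises ValueError rather than silently passing."""
import json

LOCATION_RULES = ("delete_image_location", "get_image_location", "set_image_location")

# Constructed sample: every authenticated user may touch image locations.
WEAK_POLICY = json.dumps({
    "default": "",
    "delete_image_location": "",
    "get_image_location": "",
    "set_image_location": "",
})

# Constructed sample carrying the hardened settings quoted in the comment.
HARDENED_POLICY = json.dumps({
    "default": "",
    "delete_image_location": "role:admin or role:glance_admin",
    "get_image_location": "role:admin or role:glance_admin",
    "set_image_location": "role:admin or role:glance_admin",
})


def _eval_atom(atom, roles, policy, depth):
    """Evaluate one check such as role:admin or rule:some_rule."""
    if atom == "@":
        return True
    if atom == "!":
        return False
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in roles
    if kind == "rule":
        # A missing named rule falls back to the "default" rule, as oslo.policy does.
        target = policy.get(value, policy.get("default", ""))
        return _eval_rule(target, roles, policy, depth + 1)
    raise ValueError(f"unsupported check in policy: {atom!r}")


def _eval_rule(expr, roles, policy, depth=0):
    """Evaluate a rule expression for a caller holding `roles`."""
    if depth > 10:  # guard against rule:a -> rule:a reference loops
        raise ValueError("rule recursion too deep")
    tokens = expr.split()
    if not tokens:
        return True  # empty rule: always allowed
    disjuncts, current = [], []
    for tok in tokens:  # split on "or" first, since it binds loosest
        if tok == "or":
            disjuncts.append(current)
            current = []
        else:
            current.append(tok)
    disjuncts.append(current)
    for conj in disjuncts:
        atoms = [t for t in conj if t != "and"]
        if atoms and all(_eval_atom(a, roles, policy, depth) for a in atoms):
            return True
    return False


def location_access(policy_text, roles):
    """Return {rule_name: allowed} for the three image-location policies."""
    policy = json.loads(policy_text)
    roles = set(roles)
    return {
        name: _eval_rule(policy.get(name, policy.get("default", "")), roles, policy)
        for name in LOCATION_RULES
    }


def audit(policy_text):
    """Location rules that a plain 'member' user passes; an empty list is the goal."""
    return sorted(name for name, ok in location_access(policy_text, {"member"}).items() if ok)


if __name__ == "__main__":
    print("weak policy, member can pass:", audit(WEAK_POLICY))
    print("hardened policy, member can pass:", audit(HARDENED_POLICY))
    print("hardened policy, glance_admin:", location_access(HARDENED_POLICY, {"glance_admin"}))
```

Run it against a real policy.json by passing the file's contents to `audit()`; any rule name it returns is one a non-admin user can still exercise. Rules that use checks outside the supported subset raise instead of being reported as safe.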