Comment 1 for bug 1790446
Revision history for this message
| Brian Rosmaita (brian-rosmaita) wrote | #1 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
bbfa235
(Get the code!)
> With the default policy, a normal user is able to edit/delete public images that they dont own.
This is very unlikely. Are you sure you are using the default policy file?
> If the public image is set as 'protected' they cant delete it.
This is true for any image independently of its visibility.
> How are you meant to restrict actions to the owner of an image?
You don't have to do anything! The way Glance operates is that a non-admin user cannot access images which are in a project different from that user's project. The only way a non-admin user can access images in another project is to have a keystone administrator make that user a member of that other project.
So for example, in the default policy file we have:
"delete_image": ""
That means that ANY user can make a delete-image call ... but this does NOT mean that ANY user can delete ANY image. You can still only delete those images that are owned by a project that you are a member of.
An administrator can access all the images in Glance. The way you make someone an administrator is to give them the role or roles that are recognized by the "context_is_admin" policy target in the Glance policy file and then using "is_admin: True" in later policy definitions.
By the way, I suspect that the documentation is incorrect. I think the is_owner rule would have to be defined as
"is_owner": "owner:%(owner)s"
BUT -- you DO NOT NEED an "is_owner" rule to restrict "modify_image" and "delete_image" -- they are restricted to the image owner or a Glance administrator *in the code*.