Nested policy enforcement is confusing to end users and operators

Bug #1915582 reported by Lance Bragstad
This bug affects 1 person
Affects: Glance
Status: In Progress
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Several APIs in glance use a pattern where an image is fetched from the backend before performing an operation, for example updating an image.

The API code for updating an image calls the image repository, which ultimately enforces the policy for get_image [0][1]. This can be confusing for operators modifying the policy for modify_image and wondering why it hasn't taken effect if the get_image policy short-circuits the operation.

[0] https://github.com/openstack/glance/blob/master/glance/api/v2/images.py#L445
[1] https://github.com/openstack/glance/blob/master/glance/api/policy.py#L123-L124
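
The fetch-then-modify pattern described in the report, modelled as an added example (not Glance's code and not part of the original report). Only the rule names get_image and modify_image come from the report; every class and function name is hypothetical, and roles stand in for real policy check strings.

```python
# Simplified model of nested policy enforcement; NOT Glance's actual code.
# All names are hypothetical except the rules get_image and modify_image.

class PolicyDenied(Exception):
    def __init__(self, rule):
        super().__init__(f"policy '{rule}' denied the request")
        self.rule = rule


class Enforcer:
    """Maps a rule name to the set of roles allowed to pass it."""
    def __init__(self, rules):
        self.rules = rules

    def enforce(self, rule, roles):
        if not self.rules[rule] & set(roles):
            raise PolicyDenied(rule)


class PolicyImageRepo:
    """Repository wrapper that enforces policy on every access."""
    def __init__(self, images, enforcer, roles):
        self.images, self.enforcer, self.roles = images, enforcer, roles

    def get(self, image_id):
        self.enforcer.enforce("get_image", self.roles)  # nested check
        return dict(self.images[image_id])

    def save(self, image_id, image):
        self.enforcer.enforce("modify_image", self.roles)
        self.images[image_id] = image


def update_image(repo, image_id, changes):
    """API-layer update: fetch first, then modify and save."""
    image = repo.get(image_id)   # get_image is enforced here
    image.update(changes)
    repo.save(image_id, image)   # modify_image is only reached afterwards
    return image


def denying_rule(rules, roles):
    """Return the rule that blocks an update for `roles`, or None."""
    # Constructed sample image store with a single image.
    repo = PolicyImageRepo({"img-1": {"name": "old"}}, Enforcer(rules), roles)
    try:
        update_image(repo, "img-1", {"name": "new"})
    except PolicyDenied as exc:
        return exc.rule
    return None
```

Calling `denying_rule` with a permissive modify_image and a restrictive get_image shows the update being rejected by get_image, which is why logging the rule that actually denied a request helps operators trace this kind of failure.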

Abhishek Kekane (abhishek-kekane) wrote :

Will be fixed in a future change; refer to https://review.opendev.org/c/openstack/glance-specs/+/796753

Changed in glance:
status: New → In Progress