Glance

Nested policy enforcement is confusing to end users and operators

Bug #1915582 reported by Lance Bragstad on 2021-02-13

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Glance	In Progress	Undecided	Unassigned

Bug Description

Several APIs in glance use a pattern where an image is fetched from the backend before performing an operation, updating an image for example.

The API code for updating an image calls the image repository, which ultimately enforces the policy for get_image [0][1]. This can be confusing for operators modifying the policy for modify_image and wondering why it hasn't taken effect if the get_image policy short-circuits the operation.

[0] https://github.com/openstack/glance/blob/master/glance/api/v2/images.py#L445
[2] https://github.com/openstack/glance/blob/master/glance/api/policy.py#L123-L124

Revision history for this message

Abhishek Kekane (abhishek-kekane) wrote on 2021-07-19:

Will be fixed as a future change, refer, https://review.opendev.org/c/openstack/glance-specs/+/796753

Changed in glance:
status:	New → In Progress

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.