Nested policy enforcement is confusing to end users and operators
Bug #1915582 reported by
Lance Bragstad
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Glance |
In Progress
|
Undecided
|
Unassigned |
Bug Description
Several APIs in glance use a pattern where an image is fetched from the backend before performing an operation, updating an image for example.
The API code for updating an image calls the image repository, which ultimately enforces the policy for get_image [0][1]. This can be confusing for operators modifying the policy for modify_image and wondering why it hasn't taken effect if the get_image policy short-circuits the operation.
[0] https:/
[2] https:/
To post a comment you must log in.
Will be fixed as a future change, refer, https:/ /review. opendev. org/c/openstack /glance- specs/+ /796753