Comment 5 for bug 1408363

OpenStack Infra (hudson-openstack) wrote : Fix merged to os-ansible-deployment (master)

Reviewed: https://review.openstack.org/146413
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=bba6fa84a181d2123433d56d537826e1e8aaeee0
Submitter: Jenkins
Branch: master

commit bba6fa84a181d2123433d56d537826e1e8aaeee0
Author: Hugh Saunders <email address hidden>
Date: Mon Jan 12 10:37:53 2015 +0000

    Revert "Add proper RBAC to Glance's policy.json"

    This reverts commit 8f190b9121715cc90c1d3269f146f1161623d271.

    From Ian:
    "So I spent most of today trying to figure out why Glance’s policy isn’t
    working with the proposed glance policy changes for RBAC. I only was
    just able to find (by adding tons of logging) the basic check is parsed
    something like this

          OrCheck
          /     \
       Role   GenericCheck

    The RoleCheck is straight-forward and just works. Glance (in Juno) used
    a very old and very hacky policy enforcement system that has been made a
    lot better in oslo.policy (soon to be released). At the moment the
    GenericCheck receives a target dictionary that is empty. So doing
    something like tenant:%(tenant_id)s will return False immediately
    because there is no tenant_id key in the dictionary passed in for the
    target object (because it is empty). This seems to be a failure
    somewhere along the line but I haven’t found it yet. Regardless, it
    seems like the RBAC changes need to be reverted because there’s no
    chance of them working until a new stable glance comes out with a fix."

    So I spent most of today trying to figure out why Glance’s policy isn’t
    working with the proposed glance policy changes for RBAC. I only was
    just able to find (by adding tons of logging) the basic check is parsed
    something like this.

    Partial-bug: #1408363
    Change-Id: I094050e5ea6e1daa94c2f933c222268654f5ef78
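
The failure mode the commit message describes can be reproduced with a small model of the check tree. This is an added example, not code from Glance, oslo.policy or os-ansible-deployment: the class names follow the message, while the class bodies, the `admin` role, the full rule and the sample credentials are assumptions constructed for illustration.

```python
# Simplified model of the OrCheck / RoleCheck / GenericCheck tree.
# Illustrative sketch only; not the Glance or oslo.policy implementation.

class RoleCheck:
    def __init__(self, role):
        self.role = role.lower()

    def __call__(self, target, creds):
        # Depends only on the caller's credentials, never on the target.
        return self.role in [r.lower() for r in creds.get("roles", [])]


class GenericCheck:
    """Rule of the form kind:match, e.g. tenant:%(tenant_id)s."""

    def __init__(self, kind, match):
        self.kind, self.match = kind, match

    def __call__(self, target, creds):
        try:
            expected = self.match % target  # fill %(key)s from the target
        except KeyError:
            return False  # key absent from target: deny immediately
        if self.kind not in creds:
            return False
        return expected == str(creds[self.kind])


class OrCheck:
    def __init__(self, *checks):
        self.checks = checks

    def __call__(self, target, creds):
        return any(check(target, creds) for check in self.checks)


# Assumed rule, equivalent to "role:admin or tenant:%(tenant_id)s".
RULE = OrCheck(RoleCheck("admin"), GenericCheck("tenant", "%(tenant_id)s"))

# Constructed sample credentials.
MEMBER = {"roles": ["member"], "tenant": "t-123"}
ADMIN = {"roles": ["admin"], "tenant": "t-999"}


def evaluate(target, creds):
    """Return True when the assumed rule allows the request."""
    return RULE(target, creds)


if __name__ == "__main__":
    print("member, empty target:    ", evaluate({}, MEMBER))
    print("member, populated target:", evaluate({"tenant_id": "t-123"}, MEMBER))
    print("admin, empty target:     ", evaluate({}, ADMIN))
```

With an empty target the owner branch can never match, so the rule silently degrades to the role branch alone: admins still pass and every other caller is denied, including the resource's own tenant.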