Glance doesn't send correctly authorization request to Oslo policy

Looking at the code from oslo_policy/_checks.py, three things come to mind:

1) copy.deepcopy is called on a glance.api.policy.ImageTarget, and this class does not seem to define a __deepcopy__ method, which we might want to add since deep copying seems tricky.
2) the keys() method is called on the glance.api.policy.ImageTarget object, and that is definitely not going to work, since this is not a dict, and no keys() method is defined.
3) jsonutils.dumps() is called on temp_target, which may not be JSON-serializable.

I'm not sure whether these issues should be fixed by modifying the ImageTarget class, or whether we should actually pass a dict to oslo.policy. If we want to fix the ImageTarget class, we should probably start with something along those lines: http://paste.debian.net/989066/

Does anyone know how this feature is supposed to work? Has it ever worked?

If you specify something like below in policy file then it will work,

"restricted": "not ('test_key':%(test_key)s and role:_member_)"
"download_image": "role:admin or rule:restricted"

Where test_key is extra property for image.

ImageTarget class was added to search this property specified in json either in core properties or in extra properties.

It sounds like the policy library is not clear enough that it expects the thing passed to it to be a dictionary, or at least to fully act like one.

@Cyril, I think your pastebin from comment #1 is going in the right direction. Would it fill out the API of ImageTarget so that it is fully compliant with the Mapping abstract base class? https://docs.python.org/2/library/collections.html#collections.Mapping

Fix proposed to branch: master
Review: https://review.openstack.org/510569

Comment from Doug in IRC (#openstack-glance):
[16:23:25] <dhellmann> rosmaita, jokke_ : regarding the http check policy thing raised in the glance meeting -- the issue with the current ImageTarget class is that it seems to support looking up a single key, but doesn't provide a way to get all of the properties at once
[16:23:46] <dhellmann> the http check needs that because it ships all of the properties to the remote service so that service can enforce the policy
[16:24:00] <dhellmann> and the generic http check doesn't know what properties (a) exist or (b) are needed
[16:25:18] <dhellmann> the API for the enforcer wasn't clear about the expectations for the "target" argument -- we really did assume it was a dict instance, I think. So ImageTarget is behaving sort of like a dict, but not enough to work for all cases

The glance patch for this is: https://review.openstack.org/#/c/512020/

Reviewed: https://review.openstack.org/512020
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=3134ee07b2ab25f63183c699df163b5f8dfd0918
Submitter: Zuul
Branch: master

commit 3134ee07b2ab25f63183c699df163b5f8dfd0918
Author: Cyril Roelandt <email address hidden>
Date: Fri Oct 13 23:22:16 2017 +0200

    Make ImageTarget behave like a dictionary

    This is required because oslo_policy's 'enforce' method expects a dict-like
    object as its second argument.

    Change-Id: I9187b6805d3b2cd351189e34dd2f9db3158f6b8d
    Closes-Bug: #1720354

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/525127

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/525133

This issue was fixed in the openstack/glance 16.0.0.0b2 development milestone.

Reviewed: https://review.openstack.org/510569
Committed: https://git.openstack.org/cgit/openstack/oslo.policy/commit/?id=8710f6338d0596ebc7c0d8a69675d9333631504b
Submitter: Zuul
Branch: master

commit 8710f6338d0596ebc7c0d8a69675d9333631504b
Author: Doug Hellmann <email address hidden>
Date: Mon Oct 9 09:31:08 2017 -0400

    expand type documentation for Enforcer arguments

    As part of bug #1720354 we discovered that arguments being passed to
    the enforcer were not always dictionaries and did not always support
    the full API needed. Expand the documentation to make the requirements
    clearer.

    Change-Id: I6c940d825cf72777e2a7946ab7489a1ed5359235
    Closes-Bug: #1720354
    Signed-off-by: Doug Hellmann <email address hidden>

This issue was fixed in the openstack/oslo.policy 1.32.2 release.

Reviewed: https://review.openstack.org/525127
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=2eb2e0b17ec09b4d17f10724aae52d5deaf61bde
Submitter: Zuul
Branch: stable/pike

commit 2eb2e0b17ec09b4d17f10724aae52d5deaf61bde
Author: Cyril Roelandt <email address hidden>
Date: Fri Oct 13 23:22:16 2017 +0200

    Make ImageTarget behave like a dictionary

    This is required because oslo_policy's 'enforce' method expects a dict-like
    object as its second argument.

    Change-Id: I9187b6805d3b2cd351189e34dd2f9db3158f6b8d
    Closes-Bug: #1720354
    (cherry-picked from commit 3134ee07b2ab25f63183c699df163b5f8dfd0918)

Reviewed: https://review.openstack.org/525133
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=2ae4541f3e462343f84effae01e9dcdfdaefa991
Submitter: Zuul
Branch: stable/ocata

commit 2ae4541f3e462343f84effae01e9dcdfdaefa991
Author: Cyril Roelandt <email address hidden>
Date: Fri Oct 13 23:22:16 2017 +0200

    Make ImageTarget behave like a dictionary

    This is required because oslo_policy's 'enforce' method expects a dict-like
    object as its second argument.

    Change-Id: I9187b6805d3b2cd351189e34dd2f9db3158f6b8d
    Closes-Bug: #1720354
    (cherry-picked from commit 3134ee07b2ab25f63183c699df163b5f8dfd0918)

This issue was fixed in the openstack/glance 15.0.2 release.

This issue was fixed in the openstack/glance ocata-eol release.