Harden our copy of Glance's policy
Most of Glance's current checks are implemented in the API controllers but in Kilo, Glance added the ability to actually define meaningful policy rules around images and image members. In an effort to harden our default config as best as we can, we should check to see if the user trying to perform some of these actions are either an admin or the owner of the image. Change-Id: I2dcf4d828c9be88143174de30a6b59d655ab0539 Closes-bug: 1408363
This commit is contained in:
Ian Cordasco
Kevin Carter
parent
45c5fe774f
commit
6cfeea77ae
@ -1,5 +1,7 @@
|
||||
{
|
||||
"context_is_admin": "role:admin",
|
||||
"tenant_is_owner": "tenant:%(owner)s",
|
||||
"admin_or_owner": "role:admin OR rule:tenant_is_owner",
|
||||
"default": "",
|
||||
|
||||
"add_image": "",
|
||||
@ -7,7 +9,7 @@
|
||||
"get_image": "",
|
||||
"get_images": "",
|
||||
"modify_image": "",
|
||||
"publicize_image": "role:admin",
|
||||
"publicize_image": "rule:admin_or_owner",
|
||||
"copy_from": "",
|
||||
|
||||
"download_image": "",
|
||||
@ -17,11 +19,11 @@
|
||||
"get_image_location": "",
|
||||
"set_image_location": "",
|
||||
|
||||
"add_member": "",
|
||||
"delete_member": "",
|
||||
"add_member": "rule:admin_or_owner",
|
||||
"delete_member": "rule:admin_or_owner",
|
||||
"get_member": "",
|
||||
"get_members": "",
|
||||
"modify_member": "",
|
||||
"modify_member": "rule:admin_or_owner",
|
||||
|
||||
"manage_image_cache": "role:admin",
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user