From 6cfeea77ae74833839e58de6d328d27d1cbd8e5a Mon Sep 17 00:00:00 2001
From: Ian Cordasco
Date: Tue, 28 Apr 2015 16:48:11 -0500
Subject: [PATCH] Harden our copy of Glance's policy

Most of Glance's current checks are implemented in the API controllers but in Kilo, Glance added the ability to actually define meaningful policy rules around images and image members. In an effort to harden our default config as best as we can, we should check to see if the user trying to perform some of these actions are either an admin or the owner of the image.

Change-Id: I2dcf4d828c9be88143174de30a6b59d655ab0539
Closes-bug: 1408363
---
 files/policy.json | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/files/policy.json b/files/policy.json
index 4bbc8b46..3a3042e0 100644
--- a/files/policy.json
+++ b/files/policy.json
@@ -1,5 +1,7 @@
 {
 "context_is_admin": "role:admin",
+ "tenant_is_owner": "tenant:%(owner)s",
+ "admin_or_owner": "role:admin OR rule:tenant_is_owner",
 "default": "",
 "add_image": "",
@@ -7,7 +9,7 @@
 "get_image": "",
 "get_images": "",
 "modify_image": "",
- "publicize_image": "role:admin",
+ "publicize_image": "rule:admin_or_owner",
 "copy_from": "",
 "download_image": "",
@@ -17,11 +19,11 @@
 "get_image_location": "",
 "set_image_location": "",
- "add_member": "",
- "delete_member": "",
+ "add_member": "rule:admin_or_owner",
+ "delete_member": "rule:admin_or_owner",
 "get_member": "",
 "get_members": "",
- "modify_member": "",
+ "modify_member": "rule:admin_or_owner",
 "manage_image_cache": "role:admin",
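Review bot: In the first hunk (`@@ -1,5 +1,7 @@`), the new `tenant_is_owner` rule compares the caller's tenant with the target's `owner` field, which only works when image ownership is recorded as a tenant ID. Glance's `owner_is_tenant` option controls that; if a deployment turns it off, the owner is a user ID and this rule would presumably never match, leaving every `admin_or_owner` action admin-only. The setting is not visible in this patch, so confirm the shipped glance-api configuration keeps it enabled. A smaller point: `admin_or_owner` repeats `role:admin` where it could reuse the existing rule, `"admin_or_owner": "rule:context_is_admin OR rule:tenant_is_owner",`, so the definition of admin lives in one place.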
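Review bot: The `publicize_image` change in the second hunk (`@@ -7,7 +9,7 @@`) widens access rather than hardening it. The old value `role:admin` limited making an image public to admins, while `rule:admin_or_owner` lets any tenant publish its own images to every other tenant. Public images are a trust boundary because other tenants boot them, so unless that self-service is intended I would keep `"publicize_image": "role:admin",`. If it is intended, the commit message should say so, since it currently reads as a pure tightening.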
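Review bot: `modify_member` in the third hunk (`@@ -17,11 +19,11 @@`) may now lock out the party that is meant to call it. In the v2 image-sharing API, as far as I recall, the member update is how the receiving tenant accepts or rejects a shared image, and that tenant is by definition not the image owner. `rule:admin_or_owner` would then presumably deny it; verify against the target Glance passes for member checks, which this patch does not show. If that holds, leave it as `"modify_member": "",` and rely on the controller check, and in any case test accept/reject as a non-admin member before merging. The owner-or-admin rule on `add_member` and `delete_member` matches who manages the share list.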