1

How to recognize if the image is public through policy.json?

asked 2015-03-11 20:16:08 -0500

Scott Zhang

updated 2015-03-12 17:13:22 -0500

smaffulli

Hello,

I am trying to write a policy for glance. Two of my desired policies are "deleting a public image requires the admin role" and "if the image is not public, then only its owner can delete it".

In order to write such a policy, the "policy.json" file needs to be able to know if the target image is public or not. Could someone let me know how to recognize if the image is public through policy.json?

Thanks,


Comments

Could someone please give me some hints regarding this question?

Thanks.

Scott Zhang ( 2015-03-12 13:38:58 -0500 )

1 answer

0

answered 2015-03-12 19:46:12 -0500

You can not know if an image is public or not by looking at policy.json.

Images have properties and is_public is a property that all images get. The value of this property can be True or False.

+-------------------------------+--------------------------------------+
| Property                      | Value                                |
+-------------------------------+--------------------------------------+
| Property 'vmware_adaptertype' | lsiLogic                             |
| Property 'vmware_disktype'    | preallocated                         |
| checksum                      | 4452244f5cb298f6530fda6b14fedf0a     |
| container_format              | bare                                 |
| created_at                    | 2015-02-16T00:11:03                  |
| deleted                       | False                                |
| disk_format                   | vmdk                                 |
| id                            | 49fe3653-db77-4307-9bff-cb79426f9bc0 |
| is_public                     | True                                 |
| min_disk                      | 0                                    |
| min_ram                       | 0                                    |
| name                          | ubuntuCloudImage                     |
| owner                         | 9a4a5404b98340b882cb89b785456240     |
| protected                     | False                                |
| size                          | 2147483648                           |
| status                        | active                               |
| updated_at                    | 2015-02-16T00:11:58                  |
+-------------------------------+--------------------------------------+

When an API operation is performed on an image, glance checks against policy.json to see if the operation is allowed for that role.

In policy.json there is already a definition that admin role can only make images public.

"publicize_image": "role:admin",

Comments

Thanks for your response. But my question is "can we enable a rule to only allow admin to remove a public image?" Other roles cannot remove public images even though they are owners of the image. If the image is not public, then the owner is allowed to remove the image.

Scott Zhang ( 2015-03-13 16:04:43 -0500 )

Only Admin can make images public. So this would require an additional step once the admin makes the image public, and that is to change the image owner: glance image-update --owner <TENANT_ID> <IMAGE_ID>

sfcloudman ( 2015-03-13 17:04:30 -0500 )
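
The two rules from the question and the ownership workaround from the comment above, written as a check over image property records. This is an added example, not part of the original posts and not Glance code; ADMIN_TENANT, the function names and the second and third sample records are assumptions constructed for illustration.

```python
# Added example: records use the field names from the image property table
# above. ADMIN_TENANT is a placeholder, not a value from the page.
ADMIN_TENANT = "ADMIN_TENANT_ID_PLACEHOLDER"  # assumption: tenant that should own public images

# Constructed sample data (the first record reuses the id/owner shown in the table).
IMAGES = [
    {"id": "49fe3653-db77-4307-9bff-cb79426f9bc0", "name": "ubuntuCloudImage",
     "is_public": "True", "owner": "9a4a5404b98340b882cb89b785456240"},
    {"id": "constructed-image-2", "name": "private-dev",
     "is_public": "False", "owner": "9a4a5404b98340b882cb89b785456240"},
    {"id": "constructed-image-3", "name": "golden-base",
     "is_public": "True", "owner": ADMIN_TENANT},
]


def as_bool(value):
    """The table shows is_public as the text True/False; accept text or bool."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def may_delete(image, roles, tenant_id):
    """The two rules from the question, decided from the image's properties."""
    if as_bool(image["is_public"]):
        return "admin" in roles             # public image: admin role required
    return image["owner"] == tenant_id      # non-public image: owner only


def public_images_needing_reassignment(images, admin_tenant=ADMIN_TENANT):
    """Public images still owned by a non-admin tenant.

    These are the images the --owner update in the comment would apply to.
    """
    return [img["id"] for img in images
            if as_bool(img["is_public"]) and img["owner"] != admin_tenant]


if __name__ == "__main__":
    for image_id in public_images_needing_reassignment(IMAGES):
        print("public image owned by non-admin tenant:", image_id)
```
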


Stats

Asked: 2015-03-11 20:16:08 -0500

Seen: 256 times

Last updated: Mar 12 '15