Restrict normal user from downloading image explicitly and at the same time allow him/her to boot VM with image

Registered by Dinesh Bhor on 2018-10-19

- As a security policy, normal users are blocked from explicitly downloading a Glance image by using the Glance download_image policy, as below:
    - "download_image": "role:admin";

   Only admin can download the image explicitly.

- Nova uses the same user context when it contacts Glance to download the image while the user boots a VM, so the boot fails: the ‘download_image’ policy applies to that request too, and the user gets 403 Forbidden from Glance.

Glance should be able to restrict a normal user from downloading a Glance image explicitly and at the same time allow the user to boot a VM with images.

Glance should try to differentiate between an internal service request (Nova) and a direct user request to download the image, and apply the ‘download_image’ policy based on that distinction.
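The conflict described above, as an added example that is not Glance, Nova or oslo.policy code: a small stand-alone model of the `download_image` check. The `service_role` check, the `service_roles` field and the `PROPOSED` rule are hypothetical names used only to illustrate the differentiation the blueprint asks for.

```python
# Toy model of the policy check in this blueprint; not Glance or oslo.policy code.
from dataclasses import dataclass, field

@dataclass
class RequestContext:
    """Credentials Glance sees for one request (constructed model)."""
    user_roles: set
    # Hypothetical: roles of a separately authenticated calling service
    # (e.g. Nova). Empty when the user calls Glance directly.
    service_roles: set = field(default_factory=set)

def check(rule: str, ctx: RequestContext) -> bool:
    """Evaluate 'kind:value' checks joined by ' or ' (small subset of policy syntax)."""
    for term in rule.split(" or "):
        kind, _, value = term.strip().partition(":")
        if kind == "role" and value in ctx.user_roles:
            return True
        if kind == "service_role" and value in ctx.service_roles:
            return True
    return False

def download_image(policy: dict, ctx: RequestContext) -> int:
    """Return the HTTP status Glance would answer with."""
    return 200 if check(policy["download_image"], ctx) else 403

# Policy from the blueprint: only admin may download.
CURRENT = {"download_image": "role:admin"}
# Hypothetical policy that also admits a request vouched for by a service.
PROPOSED = {"download_image": "role:admin or service_role:service"}

direct_user = RequestContext(user_roles={"member"})
# Today Nova forwards the user's own context, so Glance cannot tell it apart.
nova_today = RequestContext(user_roles={"member"})
# Assumed behaviour: Nova additionally proves its own service identity.
nova_with_service = RequestContext(user_roles={"member"}, service_roles={"service"})

def scenarios() -> dict:
    """Status code per caller and policy combination."""
    return {
        "direct user, current policy": download_image(CURRENT, direct_user),
        "boot via Nova, current policy": download_image(CURRENT, nova_today),
        "direct user, proposed policy": download_image(PROPOSED, direct_user),
        "boot via Nova, proposed policy": download_image(PROPOSED, nova_with_service),
    }

if __name__ == "__main__":
    for name, status in scenarios().items():
        print(f"{status}  {name}")
```

The distinction only holds if `service_roles` comes from credentials Glance has validated itself; a value that a direct caller can set would let the user bypass the restriction.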

Blueprint information

Status: Not started
Approver: Erno Kuvaja
Priority: Undefined
Drafter: Dinesh Bhor
Direction: Needs approval
Assignee: Dinesh Bhor
Definition: Pending Approval
Series goal: None
Implementation: Unknown
Milestone target: None
