Restrict users from downloading image based on policy
Presently images shared publicly with the users can download these images
freely which could lead to piracy. Today, you can stop users from downloading
images by configuring download_image policy with role constraint, but it will
restrict all users having that particular role from downloading all of the
images, this is not good. So what I want is to restrict users from downloading
images on the basis of specific core or custom property is present in the
image and users having certain specific roles.
We can achieve this by adding new rule in policy.json and apply that rule to
'download_image' policy.
For example:
Add new rule in policy.json mentioned as below
"restricted": "not ('ntt_3251'
"download_image": "role:admin or rule:restricted"
So if 'download_image' policy is enforced then in above case only admin or
user who satisfies rule 'restricted' will able to download image. Other users
will not be able to download the image and will get 403 Forbidden response.
To avoid implementation of dict inspection via dot syntax and enforce the
policy on v1 and v2 api's in the same way, we can create a dictionary-like
mashup of the image core and custom properties, in both v1
and v2 api and pass it directly as target to _enforce() method. In case if
core and custom property is same for the image, then the core property value
will be overwritten on the custom property.
For example:
self._enforce(req, 'download_image', target=
Blueprint information
- Status:
- Complete
- Approver:
- Mark Washenberger
- Priority:
- Medium
- Drafter:
- Tushar Patil
- Direction:
- Approved
- Assignee:
- Abhishek Kekane
- Definition:
- Approved
- Series goal:
- Accepted for juno
- Implementation:
- Implemented
- Milestone target:
- 2014.2
- Started by
- Mark Washenberger
- Completed by
- Mark Washenberger
Related branches
Related bugs
Sprints
Whiteboard
Gerrit topic: https:/
We'd like to see a glance-specs entry for this change just to document the approach that is ultimately taken and how it can be leveraged by deployers.
For others to note, it looks like the approach taken is changing a bunch. Instead of using property protections, the direction taken is going to leverage oslo-incubator openstack common policy checks.
- markwash
Addressed by: https:/
Restrict users from downloading protected image
Addressed by: https:/
Restrict users from downloading protected image
Addressed by: https:/
Syncing policy engine from oslo-incubator
Addressed by: https:/
Syncing changes from oslo-incubator policy engine
Addressed by: https:/
Syncing policy engine from oslo-incubator
Gerrit topic: https:/
Work Items
Work items:
Add new rule in policy.json to restrict download of image: DONE
Add method to create dictionary-like mashup of image properties: DONE
Modify v1 and v2 api to restrict download: DONE
Modify logic of caching to restrict download for v1 and v2 api: DONE
Unit tests for coverage: DONE
Sync oslo-incubator policy module with glance: TODO