Restrict users from downloading image based on policy

Registered by Tushar Patil

Presently, users can freely download images that are shared publicly with
them, which could lead to piracy. Today, you can stop users from downloading
images by configuring the download_image policy with a role constraint, but
that restricts all users having that particular role from downloading all of
the images, which is not good. So what I want is to restrict users from
downloading images based on whether a specific core or custom property is
present in the image and whether the user has certain specific roles.

We can achieve this by adding a new rule in policy.json and applying that rule
to the 'download_image' policy.

For example:
Add a new rule in policy.json as shown below:

"restricted": "not ('ntt_3251':%(x_billing_code_ntt)s and role:member)",
"download_image": "role:admin or rule:restricted"

So if the 'download_image' policy is enforced, then in the above case only an
admin or a user who satisfies the rule 'restricted' will be able to download
the image. Other users will not be able to download the image and will get a
403 Forbidden response.

To avoid implementing dict inspection via dot syntax, and to enforce the
policy on the v1 and v2 APIs in the same way, we can create a dictionary-like
mashup of the image core and custom properties in both the v1 and v2 API and
pass it directly as the target to the _enforce() method. If a core property
and a custom property have the same name for the image, the core property
value overwrites the custom property value.

For example:
self._enforce(req, 'download_image', target=image_meta_mashup)
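
The two rules and the property mashup described above, modelled as an added example; this is not code from Glance or the oslo-incubator policy engine. The helper names, the `reader` role and the sample image properties are constructed, and the check semantics (a check is false when its target key is absent; roles compare case-insensitively) are assumptions of this model.

```python
# Simplified model of the two policy.json rules; not Glance or oslo code.

def image_meta_mashup(core, custom):
    """Flatten core and custom properties; the core value wins a name clash."""
    target = dict(custom)
    target.update(core)
    return target

def generic_check(literal, template, target):
    """Model of "'literal':%(key)s"; assumed False when the key is absent."""
    try:
        return template % target == str(literal)
    except KeyError:
        return False

def role_check(role, creds):
    """Model of "role:<name>", compared case-insensitively (assumption)."""
    return role.lower() in [r.lower() for r in creds.get("roles", [])]

def restricted(target, creds):
    # "restricted": "not ('ntt_3251':%(x_billing_code_ntt)s and role:member)"
    tagged = generic_check("ntt_3251", "%(x_billing_code_ntt)s", target)
    return not (tagged and role_check("member", creds))

def can_download(target, creds):
    # "download_image": "role:admin or rule:restricted"; False maps to 403
    return role_check("admin", creds) or restricted(target, creds)

# Constructed sample data: one image's core properties plus custom properties.
CORE = {"id": "img-1", "name": "licensed-os"}
TAGGED = image_meta_mashup(CORE, {"x_billing_code_ntt": "ntt_3251",
                                  "name": "custom-name"})
UNTAGGED = image_meta_mashup(CORE, {})

def decisions():
    """Evaluate the download decision for each constructed caller/image pair."""
    # "reader" is a hypothetical role that is neither admin nor member.
    member, admin, other = ({"roles": [r]} for r in ("member", "admin", "reader"))
    return {
        "member/tagged": can_download(TAGGED, member),
        "admin/tagged": can_download(TAGGED, admin),
        "member/untagged": can_download(UNTAGGED, member),
        "reader/tagged": can_download(TAGGED, other),
    }

if __name__ == "__main__":
    for case, allowed in decisions().items():
        print(case, "200" if allowed else "403 Forbidden")
```

In this model the only caller refused is a `member` on an image whose property matches; an image without the property, or a caller holding a role other than `member`, satisfies 'restricted', so deployers should check that the rule names every role they intend to block.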

Blueprint information

Status: Complete
Approver: Mark Washenberger
Priority: Medium
Drafter: Tushar Patil
Direction: Approved
Assignee: Abhishek Kekane
Definition: Approved
Series goal: Accepted for juno
Implementation: Implemented
Milestone target: 2014.2
Started by: Mark Washenberger
Completed by: Mark Washenberger

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/restrict-downloading-images-protected-properties,n,z

We'd like to see a glance-specs entry for this change just to document the approach that is ultimately taken and how it can be leveraged by deployers.

For others to note, it looks like the approach taken is changing a bunch. Instead of using property protections, the direction taken is going to leverage oslo-incubator openstack common policy checks.
- markwash
Addressed by: https://review.openstack.org/94485
    Restrict users from downloading protected image

Addressed by: https://review.openstack.org/98737
    Restrict users from downloading protected image

Addressed by: https://review.openstack.org/116836
    Syncing policy engine from oslo-incubator

Addressed by: https://review.openstack.org/116978
    Syncing changes from oslo-incubator policy engine

Addressed by: https://review.openstack.org/118646
    Syncing policy engine from oslo-incubator

Gerrit topic: https://review.openstack.org/#q,topic:restrict-downloading-images-protected-properties,n,z

Work Items

Add new rule in policy.json to restrict download of image: DONE
Add method to create dictionary-like mashup of image properties: DONE
Modify v1 and v2 api to restrict download: DONE
Modify logic of caching to restrict download for v1 and v2 api: DONE
Unit tests for coverage: DONE
Sync oslo-incubator policy module with glance: TODO
