Changing glance policy to allow a non-admin user to make images public.
Note: My testing was done on an openstack aio at 172.23.0.23 (aio1) in my homelab.
Download a cirros image
wget http://download.cirros-cloud.net/0.6.2/cirros-0.6.2-x86_64-disk.img
As the admin user, create a private and a public image from the downloaded cirros file:
openstack image create --file cirros-0.6.2-x86_64-disk.img cirros-private
openstack image create --public --file cirros-0.6.2-x86_64-disk.img cirros-public
openstack image list --long
+--------------------------------------+----------------+-------------+------------------+----------+----------------------------------+--------+------------+-----------+----------------------------------+------+
| ID | Name | Disk Format | Container Format | Size | Checksum | Status | Visibility | Protected | Project | Tags |
+--------------------------------------+----------------+-------------+------------------+----------+----------------------------------+--------+------------+-----------+----------------------------------+------+
| d07be115-f274-4289-b941-c0c77684ace9 | cirros-private | raw | bare | 21430272 | c8fc807773e5354afe61636071771906 | active | shared | False | 2c9aa0da15094458aabda7d826f78e52 | |
| cd2828d0-f8c4-4d77-bbb5-ec3cf13b81ea | cirros-public | raw | bare | 21430272 | c8fc807773e5354afe61636071771906 | active | public | False | 2c9aa0da15094458aabda7d826f78e52 | |
+--------------------------------------+----------------+-------------+------------------+----------+----------------------------------+--------+------------+-----------+----------------------------------+------+
Create a test project
openstack project create testglance
Create two test users, tg-user and tg-glance-admin (tg-glance-admin is the one that will become the glance power user)
openstack user create --password tg-user tg-user
openstack user create --password tg-glance-admin tg-glance-admin
Make them both members of the test project
openstack role add --user tg-user --project testglance member
openstack role add --user tg-glance-admin --project testglance member
Create a keystone role: glance-power-user
openstack role create glance-power-user
Give tg-glance-admin the glance-power-user role
openstack role add --user tg-glance-admin --project testglance glance-power-user
Confirm that both users can create private images in the test project
source tg-userrc.sh
openstack image create --file cirros-0.6.2-x86_64-disk.img cirros-private
source tg-glance-adminrc.sh
openstack image create --file cirros-0.6.2-x86_64-disk.img cirros-private-ga-private
openstack image list
+--------------------------------------+---------------------------+--------+
| ID | Name | Status |
+--------------------------------------+---------------------------+--------+
| 7db0d2b0-bfb2-4009-aa63-f1781797175e | cirros-private | active |
| ecb7c037-1d21-4241-8136-641120fcc444 | cirros-private-ga-private | active |
| cd2828d0-f8c4-4d77-bbb5-ec3cf13b81ea | cirros-public | active | <== created by admin user
+--------------------------------------+---------------------------+--------+
Confirm that neither user can make an image public (the first attempt below runs as tg-glance-admin, whose rc file is still sourced from the previous step)
openstack image create --public --file cirros-0.6.2-x86_64-disk.img cirros-private-ga-public
HTTP 403 Forbidden: You are not authorized to complete publicize_image action.
source tg-userrc.sh
openstack image create --public --file cirros-0.6.2-x86_64-disk.img cirros-private-public
HTTP 403 Forbidden: You are not authorized to complete publicize_image action.
Generate a new policy.json file if needed
According to the documentation, policy files live in /var/lib/config-data/puppet-generated/$service/etc/$service/policy.json, so for glance that would be /var/lib/config-data/puppet-generated/glance_api/etc/glance/policy.json (the service directory is named glance_api while the inner directory is glance, which is confusing but is the right location, as the rest of this page shows).
Looking in that directory did not show any policy.json file.
Searching for policy.json under /var/lib/config-data shows:
$ sudo find /var/lib/config-data/ -name policy.json
/var/lib/config-data/glance_api/etc/glance/policy.json
/var/lib/config-data/keystone/etc/keystone/policy.json
/var/lib/config-data/nova_libvirt/etc/nova/policy.json
/var/lib/config-data/nova/etc/nova/policy.json
/var/lib/config-data/nova_metadata/etc/nova/policy.json
/var/lib/config-data/placement/etc/placement/policy.json
These are not in the puppet-generated directory, so I tried modifying the existing /var/lib/config-data/glance_api/etc/glance/policy.json rather than creating a new one. This does not work: the changes will not be present in the container after a restart.
Before making any changes I will back up the current file.
sudo cp /var/lib/config-data/glance_api/etc/glance/policy.json ~stack/glance_policy.json.bak
If there is no existing policy.json for glance, one can be generated using:
sudo podman exec -it glance_api oslopolicy-policy-generator --namespace glance
Redirect the output to a file to save it, e.g.
sudo podman exec -it glance_api oslopolicy-policy-generator --namespace glance > /var/lib/config-data/puppet-generated/glance_api/etc/glance/policy.json
Add the ability to publicize an image to the glance-power-user role
Now edit the policy.json file in the puppet-generated directory. Editing the existing policy file at /var/lib/config-data/glance_api/etc/glance/policy.json will not work, because that copy is regenerated from the puppet-generated one when the container restarts.
Set group permissions
Make sure the file is readable by the group that the glance_api container uses, or the API will return 500 errors because it cannot load its policy.
Check the existing permissions on the current policy.json file:
# ls -l /var/lib/config-data/glance_api/etc/glance/policy.json
-rw-r-----. 1 root 42415 1414 Jan 11 10:07 /var/lib/config-data/glance_api/etc/glance/policy.json
Set the permissions on the new file to match. (It would be better to look up the glance user and group inside the container than to copy the numeric id from the existing file, but this will do for now.)
# chown 42415.42415 /var/lib/config-data/puppet-generated/glance_api/etc/glance/policy.json
[root@aio-1 ~]# ls -l /var/lib/config-data/puppet-generated/glance_api/etc/glance/policy.json
-rw-r-----. 1 42415 42415 1388 Jan 11 10:38 /var/lib/config-data/puppet-generated/glance_api/etc/glance/policy.json
Edit the file (the copy in the puppet-generated directory, as noted above):
sudo vi /var/lib/config-data/puppet-generated/glance_api/etc/glance/policy.json
Change the line
"publicize_image": "role:admin",
to
"publicize_image": "role:admin or role:glance-power-user",
Restart glance with the new policy.json file:
sudo podman restart glance_api
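The edit above is a one-word change to a JSON file, but it is also a change to who may publish images to every project in the cloud, so it is worth making it in a way that keeps a backup, preserves every other rule, keeps the 0640 mode the listing above shows, and lets you check what a rule actually grants before restarting the service. The script below is an added example written for this page, not part of the original post or of glance; it embeds a small constructed policy (only the rules relevant here, where a real generated policy.json has many more), and its is_allowed() implements only a simplified subset of oslo.policy syntax (role:NAME checks joined with or/and, plus the empty-string, @ and ! rules), not the real oslo.policy engine.

```python
import json
import os
import re
import shutil
import stat
import tempfile

# Constructed sample: the rules this page cares about, with the stock
# "role:admin" rule for publicize_image that the procedure changes.
SAMPLE_POLICY = {
    "context_is_admin": "role:admin",
    "default": "role:admin",
    "add_image": "",
    "publicize_image": "role:admin",
    "delete_image": "",
}

POWER_USER_RULE = "role:admin or role:glance-power-user"


def _or_branches(expr):
    """Split an oslo.policy-style expression on ' or ' (simplified subset)."""
    return [b.strip() for b in re.split(r"\s+or\s+", expr) if b.strip()]


def grant_publicize(policy, role):
    """Return a copy of `policy` in which `role` may also publicize images.

    Every other rule is left untouched and the change is idempotent. A rule
    that already allows everyone ("" or "@") is left alone, since appending a
    role check to it would restrict rather than extend it.
    """
    new = dict(policy)
    current = new.get("publicize_image", "role:admin").strip()
    clause = f"role:{role}"
    if current in ("", "@") or clause in _or_branches(current):
        return new
    new["publicize_image"] = f"{current} or {clause}" if current != "!" else clause
    return new


def is_allowed(expr, roles):
    """Evaluate a simplified subset of oslo.policy syntax against a set of
    role names: "" and "@" always allow, "!" always denies, and role:NAME
    checks may be combined with 'and' inside branches joined by 'or'."""
    expr = expr.strip()
    if expr in ("", "@"):
        return True
    if expr == "!":
        return False
    for branch in _or_branches(expr):
        checks = [c.strip() for c in re.split(r"\s+and\s+", branch)]
        if all(_check(c, roles) for c in checks):
            return True
    return False


def _check(check, roles):
    kind, _, value = check.partition(":")
    if kind == "role":
        return value in roles
    # Generic checks, rule: references etc. are outside this example's subset.
    raise ValueError(f"unsupported check in this simplified evaluator: {check!r}")


def write_policy(path, policy, reference=None):
    """Write `policy` to `path` with mode 0640, keeping a .bak of any previous
    file. When running as root and `reference` (e.g. the existing policy.json)
    is given, owner and group are copied from it so the container can read the
    file. Returns the resulting file mode."""
    if os.path.exists(path):
        shutil.copy2(path, path + ".bak")
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump(policy, fh, indent=4, sort_keys=True)
        fh.write("\n")
    os.chmod(tmp, 0o640)
    if reference is not None and os.geteuid() == 0:
        st = os.stat(reference)
        os.chown(tmp, st.st_uid, st.st_gid)
    os.replace(tmp, path)  # atomic: the container never sees a half-written file
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Apply the change to the sample policy in a temp dir and report the
    resulting mode, the new rule, and what it grants to each test identity."""
    updated = grant_publicize(SAMPLE_POLICY, "glance-power-user")
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "policy.json")
    mode = write_policy(path, updated)
    with open(path) as fh:
        rule = json.load(fh)["publicize_image"]
    return {
        "mode": mode,
        "rule": rule,
        "admin": is_allowed(rule, {"admin"}),
        "tg-user": is_allowed(rule, {"member"}),
        "tg-glance-admin": is_allowed(rule, {"member", "glance-power-user"}),
    }


if __name__ == "__main__":
    print(demo())
```

Run it against the real file by pointing write_policy() at the puppet-generated path and passing the existing /var/lib/config-data/glance_api/etc/glance/policy.json as `reference`; the is_allowed() results mirror the three confirmation steps that follow (admin allowed, tg-user denied, tg-glance-admin allowed).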
Confirm that the admin user can still create public images
source adminrc.sh
openstack image create --public --file cirros-0.6.2-x86_64-disk.img cirros-public2
Confirm that tg-user still cannot make an image public
$ source tg-userrc.sh
[stack@aio-1 testglance]$ openstack image set --public cirros-private-ga-private
HTTP 403 Forbidden: You are not authorized to complete publicize_image action.
Confirm that tg-glance-admin (the user holding the glance-power-user role) can now make an image public.
$ source tg-glance-adminrc.sh
$ openstack image set --public cirros-private-ga-private
$ echo $?
0
Success!