Bug 1976057

Summary: [Glance] Policy layer refactoring
Product: Red Hat OpenStack
Reporter: Abhishek Kekane <akekane>
Component: openstack-glance
Assignee: Abhishek Kekane <akekane>
Status: CLOSED MIGRATED
Severity: high
Docs Contact: RHOS Documentation Team <rhos-docs>
Priority: high
Version: unspecified
CC: athomas, cyril, eglynn, gcharot
Target Milestone: Alpha
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2023-11-07 00:43:04 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1976131

Description Abhishek Kekane 2021-06-25 05:48:30 UTC
The current policy enforcement occurs in the Policy layer. As such, it is conceptually
tied to the objects implemented in the Glance architecture. A problem with this
design, which has only revealed itself as the v2 API has matured, is that operators
want to use policies to control who can make API calls (as they can with most other
OpenStack services). In Glance, however, policies directly affect the objects dealt
with internally by Glance, and only indirectly affect who can make API calls. This
makes it difficult for operators to configure Glance.

So the proposal is to move the actual policy enforcement up to the API layer so that an
operator can, for example, easily restrict access to a particular call. Most of the
OpenStack projects have policy enforcement closer to the API layer, so these efforts
will also put us more in line with the current thinking on policy enforcement.
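The coupling the report describes, as an added example that is not Glance's or Red Hat's code: a repository proxy that enforces policy on every internal object operation (the existing design) is compared with plain API handlers that each enforce one rule for their own call (the proposal). The Enforcer class, the rule names get_image and get_images, the repo classes and the sample image store are all illustrative assumptions modelled on the idea in the report, not the project's actual wiring.

```python
# Added example, not Glance's or Red Hat's code. It models the two designs the
# bug report contrasts: policy enforced inside the internal object layer versus
# at the API entry points. The Enforcer, the rule names (get_image, get_images),
# the repo classes and the sample image data are illustrative assumptions.
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a policy rule denies the caller."""


@dataclass(frozen=True)
class Context:
    user: str
    roles: frozenset


class Enforcer:
    """Minimal stand-in for a policy enforcer (assumption, not oslo.policy's API).

    rules maps a rule name to the single role it requires, or "any".
    Unknown rules default to requiring "admin".
    """

    def __init__(self, rules):
        self.rules = rules

    def enforce(self, rule, ctx):
        required = self.rules.get(rule, "admin")
        if required != "any" and required not in ctx.roles:
            raise Forbidden(f"rule {rule!r} denied for {ctx.user}")
        return True


# Constructed sample data standing in for the image store.
IMAGES = {"img-1": {"name": "cirros", "visibility": "public"}}


# Design 1: enforcement tied to internal objects (what the report describes).
class PolicyImageRepo:
    """Repository proxy that enforces policy on every object operation."""

    def __init__(self, enforcer, ctx):
        self.enforcer = enforcer
        self.ctx = ctx

    def get(self, image_id):
        self.enforcer.enforce("get_image", self.ctx)
        return IMAGES[image_id]

    def list(self):
        self.enforcer.enforce("get_images", self.ctx)
        # Listing is built on get(), so the get_image rule is applied here too,
        # even though the operator only wanted to restrict the "show" call.
        return [self.get(image_id) for image_id in IMAGES]


def object_layer_show(enforcer, ctx, image_id):
    return PolicyImageRepo(enforcer, ctx).get(image_id)


def object_layer_list(enforcer, ctx):
    return PolicyImageRepo(enforcer, ctx).list()


# Design 2: enforcement at the API layer (the proposal). The repo has no
# policy checks; each API handler enforces exactly one rule for its call.
class PlainImageRepo:
    def get(self, image_id):
        return IMAGES[image_id]

    def list(self):
        return list(IMAGES.values())


def api_layer_show(enforcer, ctx, image_id):
    enforcer.enforce("get_image", ctx)
    return PlainImageRepo().get(image_id)


def api_layer_list(enforcer, ctx):
    enforcer.enforce("get_images", ctx)
    return PlainImageRepo().list()


def outcome(call, *args):
    """Run an API call and report 'allowed' or 'denied'."""
    try:
        call(*args)
        return "allowed"
    except Forbidden:
        return "denied"


def compare(ctx):
    """Operator intent: anyone may list images, only admins may show one.

    Returns the outcome of each call under both designs.
    """
    enforcer = Enforcer({"get_images": "any", "get_image": "admin"})
    return {
        "object_layer": {
            "list": outcome(object_layer_list, enforcer, ctx),
            "show": outcome(object_layer_show, enforcer, ctx, "img-1"),
        },
        "api_layer": {
            "list": outcome(api_layer_list, enforcer, ctx),
            "show": outcome(api_layer_show, enforcer, ctx, "img-1"),
        },
    }


if __name__ == "__main__":
    print(compare(Context("alice", frozenset({"member"}))))
```

For a non-admin caller the object-layer design denies the list call as well, because the list operation reaches the get_image rule through the internal object it is built on; the API-layer design honours the operator's intent, allowing the list and denying only the show. That indirect effect of a rule on calls the operator never meant to touch is the configuration difficulty the report describes.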