This bug has been migrated to another issue tracking site. It has been closed here and may no longer be being monitored.

If you would like to get updates for this issue, or to participate in it, you may do so at Red Hat Issue Tracker.
Bug 1976057 - [Glance] Policy layer refactoring
Summary: [Glance] Policy layer refactoring
Keywords:
Status: CLOSED MIGRATED
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-glance
Version: unspecified
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: Alpha
: ---
Assignee: Abhishek Kekane
QA Contact:
RHOS Documentation Team
URL:
Whiteboard:
Depends On:
Blocks: 1976131
 
Reported: 2021-06-25 05:48 UTC by Abhishek Kekane
Modified: 2023-11-07 00:43 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-11-07 00:43:04 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 796753 0 None MERGED Policy layer refactoring 2022-02-17 04:52:29 UTC
OpenStack gerrit 797593 0 None MERGED Spec Lite: Policy tests refactoring 2022-02-17 04:52:31 UTC
Red Hat Issue Tracker OSP-30256 0 None None None 2023-11-07 00:43:56 UTC
Red Hat Issue Tracker OSP-5445 0 None None None 2023-11-07 00:43:03 UTC

Description Abhishek Kekane 2021-06-25 05:48:30 UTC
The current policy enforcement occurs in the policy layer. As such, it is conceptually
tied to the objects implemented in the Glance architecture. A problem with this
design, which has only revealed itself as the v2 API has matured, is that operators
want to use policies to control who can make API calls (as they can with most other
OpenStack services). In Glance, however, policies directly affect the objects dealt
with internally by Glance, and only indirectly affect who can make API calls. This
makes it difficult for operators to configure Glance.

So the proposal is to move the actual policy enforcement up to the API layer so that an
operator can, for example, easily restrict access to a particular call. Most of the
OpenStack projects have policy enforcement closer to the API layer, so these efforts
will also put us more in line with the current thinking on policy enforcement.

