Editing 2 lines in the above policy definition:
resulted in another weird behavior. With those adjustments, an
"openstack image list" or "openstack image show <image_id>" on the
command line executed as the global admin succeeded. On the dashboard
(Horizon) on the other hand, only listing them was possible. Trying to
display their details resulted in an error.
Digging through the logs and code, I stumbled on an image target object
that is inspected for the policy enforcement, see here:
Hacking the code to put some more debugging output into the logs, I
peeked into this "ImageTarget(image)" object, which also contains a
".target.context" attribute wrapped into it. Although this "context"
attribute does contain seemingly relevant user data, its contents _do
actually differ depending on the logged-in user_.
My interpretation was that the context of the image target should be
static (representing the owner/project it actually belongs to) and that
this is in turn matched against the dynamic "self.context" dict
(representing the currently logged-in user) according to the policies
defined, something along the lines of:
self.context (e.g. project_id) ---[policy check against]--->
ImageTarget(image) (e.g. project_id)
However, "ImageTarget(image)" seems to contain context that is not
actually related to the image but differs per logged-in user.
Did I misinterpret the policy definitions and/or the code related to it?
How are policies like these actually supposed to be defined in Glance?
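To make the expected relationship concrete, here is an added example (not code from the original post or from Glance itself) using a minimal stand-in for the oslo.policy "kind:match" rule check. The image records, projects, roles and the rule string are constructed assumptions; the second target builder reproduces the symptom described above, where the target is derived from the requester rather than from the image.

```python
# Constructed sample data (not from the post): two private images owned by
# different projects, an admin, and one member of each project.
IMAGES = {
    "img-1": {"id": "img-1", "owner": "proj-a", "visibility": "private"},
    "img-2": {"id": "img-2", "owner": "proj-b", "visibility": "private"},
}
ADMIN = {"project_id": "proj-admin", "roles": ["admin"]}
USER_A = {"project_id": "proj-a", "roles": ["member"]}
USER_B = {"project_id": "proj-b", "roles": ["member"]}

# Assumed rule in oslo.policy's "kind:match" notation: %(owner)s is expanded
# from the target, then compared with the same key in the requester's creds.
GET_IMAGE = "role:admin or project_id:%(owner)s"


def check_rule(rule, creds, target):
    """Simplified evaluator for 'or'-joined kind:match clauses."""
    for clause in (c.strip() for c in rule.split(" or ")):
        kind, _, match = clause.partition(":")
        match = match % target  # substitute %(key)s placeholders from the target
        if kind == "role" and match in creds.get("roles", []):
            return True
        if kind != "role" and str(creds.get(kind)) == match:
            return True
    return False


def image_target(image, creds):
    """Expected shape: the target describes the image, independent of the caller."""
    return {"owner": image["owner"], "visibility": image["visibility"]}


def requester_target(image, creds):
    """Reproduces the symptom from the post: the target carries the requester's
    own project, so project_id:%(owner)s compares the caller with itself and
    grants every project access to every image."""
    return {"owner": creds["project_id"], "visibility": image["visibility"]}


def can_get_image(creds, image, build_target=image_target):
    """Run the GET_IMAGE rule with the chosen target builder."""
    return check_rule(GET_IMAGE, creds, build_target(image, creds))


if __name__ == "__main__":
    img = IMAGES["img-1"]
    for name, creds in (("admin", ADMIN), ("user_a", USER_A), ("user_b", USER_B)):
        print(name, "image target:", can_get_image(creds, img),
              "| requester target:", can_get_image(creds, img, requester_target))
```

With the image-derived target only the admin and the owning project pass; with the requester-derived target the check for user_b against img-1 wrongly succeeds.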