@@ -20 +20 @@
-Glance's API calls may be restricted to certain sets of users using
-a Policy configuration file.
-This document explains exactly how policies work and how the policy
-configuration file is constructed.
-A policy is composed of a set of rules that are used by the Policy "Brain"
-in determining if a particular action may be performed by a particular
+Glance's public API calls may be restricted to certain sets of users using a
+policy configuration file. This document explains exactly how policies are
+configured and what they apply to.
+A policy is composed of a set of rules that are used by the policy "Brain" in
+determining if a particular action may be performed by the authorized tenant.
 Constructing a Policy Configuration File
 ----------------------------------------
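Review bot: on added line 25, "may be performed by the authorized tenant" narrows the description of what a rule decides; the removed line 30 framed it as whether "a particular" caller may perform the action, and a rule is evaluated against the credentials of the request, not only the tenant, so "by the caller making the request" would be more accurate. The rewrite of lines 20-22 reads fine otherwise.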
@@ -36 +30 @@
-Policy configuration files are simply serialized JSON dictionaries that
-contain sets of rules. Each top-level key is the name of a rule. Each rule
+A policy configuration file is a simply JSON object that contain sets of
+rules. Each top-level key is the name of a rule. Each rule
 is a string that describes an action that may be performed in the Glance API.
 The actions that may have a rule enforced on them are:
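Review bot: grammar on added line 30: "is a simply JSON object that contain sets of rules" should read "is simply a JSON object that contains sets of rules".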
@@ -42 +36 @@
-* ``get_images`` - Allowed to call the ``GET /images`` and
-  ``GET /images/detail`` API calls
-* ``get_image`` - Allowed to call the ``HEAD /images/<IMAGE_ID>`` and
-  ``GET /images/<IMAGE_ID>`` API calls
-* ``add_image`` - Allowed to call the ``POST /images`` API call
-* ``modify_image`` - Allowed to call the ``PUT /images/<IMAGE_ID>`` API call
-* ``publicize_image`` - Allowed to create or update images with attribute ``is_public=true``
-* ``delete_image`` - Allowed to call the ``DELETE /images/<IMAGE_ID>`` API call
+* ``get_images`` - List available image entities
+  * ``GET /v1/images/detail``
+* ``get_image`` - Retrieve a specific image entity
+  * ``HEAD /v1/images/<IMAGE_ID>``
+  * ``GET /v1/images/<IMAGE_ID>``
+  * ``GET /v2/images/<IMAGE_ID>``
+* ``download_image`` - Download binary image data
+  * ``GET /v1/images/<IMAGE_ID>``
+  * ``GET /v2/images/<IMAGE_ID>/file``
+* ``add_image`` - Create an image entity
+* ``modify_image`` - Update an image entity
+  * ``PUT /v1/images/<IMAGE_ID>``
+  * ``PUT /v2/images/<IMAGE_ID>``
+* ``publicize_image`` - Create or update images with attribute
+  * ``POST /v1/images`` with attribute ``is_public`` = ``true``
+  * ``PUT /v1/images/<IMAGE_ID>`` with attribute ``is_public`` = ``true``
+  * ``POST /v2/images`` with attribute ``visibility`` = ``public``
+  * ``PUT /v2/images/<IMAGE_ID>`` with attribute ``visibility`` = ``public``
+* ``delete_image`` - Delete an image entity and associated binary data
+  * ``DELETE /v1/images/<IMAGE_ID>``
+  * ``DELETE /v2/images/<IMAGE_ID>``
 * ``manage_image_cache`` - Allowed to use the image cache management API
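Review bot: ``GET /v1/images/<IMAGE_ID>`` is listed under both ``get_image`` (line 45) and ``download_image`` (line 50); if that one v1 call is checked against both rules, say so explicitly, and note that a deny on either rejects the request, so readers do not take the repetition for a copy-paste error. On line 63 the ``publicize_image`` description "Create or update images with attribute" stops before naming the attribute; the sub-items beneath it name ``is_public`` and ``visibility``, so either finish the sentence or drop the trailing "with attribute". Line 75 (``manage_image_cache``) keeps the old "Allowed to ..." phrasing while every rewritten entry uses a short imperative description; align it with the rest of the list.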