glance.api.v2.policy module

class glance.api.v2.policy.APIPolicyBase(context, target=None, enforcer=None)

Bases: object

check(name, *args)

Perform a soft check of a named policy.

This is used when you need to check if a policy is allowed for the given resource, without needing to catch an exception. If the policy check requires args, those are accepted here as well.

Parameters:

name – Policy name to check

Returns:

bool indicating if the policy is allowed.

class glance.api.v2.policy.CacheImageAPIPolicy(context, image=None, policy_str=None, target=None, enforcer=None)

Bases: APIPolicyBase

manage_image_cache()

class glance.api.v2.policy.DiscoveryAPIPolicy(context, target=None, enforcer=None)

Bases: APIPolicyBase

stores_info_detail()

class glance.api.v2.policy.ImageAPIPolicy(context, image, enforcer=None)

Bases: APIPolicyBase

add_image()
check(name, *args)

Perform a soft check of a named policy.

This is used when you need to check if a policy is allowed for the given resource, without needing to catch an exception. If the policy check requires args, those are accepted here as well.

Parameters:

name – Policy name to check

Returns:

bool indicating if the policy is allowed.

copy_image()
deactivate_image()
delete_image()
delete_locations()
download_image()
get_image()
get_image_location()
get_images()
property is_created

Signal whether the image actually exists or not.

False if the image is only being proposed by a create operation, True if it has already been created.

modify_image()
reactivate_image()
update_locations()
update_property(name, value=None)
upload_image()

class glance.api.v2.policy.MemberAPIPolicy(context, image, target=None, enforcer=None)

Bases: APIPolicyBase

add_member()
delete_member()
get_member()
get_members()
modify_member()

class glance.api.v2.policy.MetadefAPIPolicy(context, md_resource=None, target=None, enforcer=None)

Bases: APIPolicyBase

add_metadef_namespace()
add_metadef_object()
add_metadef_property()
add_metadef_resource_type_association()
add_metadef_tag()
add_metadef_tags()
check(name, *args)

Perform a soft check of a named policy.

This is used when you need to check if a policy is allowed for the given resource, without needing to catch an exception. If the policy check requires args, those are accepted here as well.

Parameters:

name – Policy name to check

Returns:

bool indicating if the policy is allowed.

delete_metadef_namespace()
delete_metadef_object()
delete_metadef_tag()
delete_metadef_tags()
get_metadef_namespace()
get_metadef_namespaces()
get_metadef_object()
get_metadef_objects()
get_metadef_properties()
get_metadef_property()
get_metadef_resource_type()
get_metadef_tag()
get_metadef_tags()
list_metadef_resource_types()
modify_metadef_namespace()
modify_metadef_object()
modify_metadef_property()
modify_metadef_tag()
remove_metadef_property()
remove_metadef_resource_type_association()

class glance.api.v2.policy.TasksAPIPolicy(context, target=None, enforcer=None)

Bases: APIPolicyBase

tasks_api_access()

glance.api.v2.policy.check_admin_or_same_owner(context, properties)

Check that legacy behavior on create with owner is preserved.

Legacy behavior requires a static check that owner is not inconsistent with the context, unless the caller is an admin. Enforce that here, if needed.

Parameters:
  • context – A RequestContext

  • properties – The properties being used to create the image, which may contain an owner

Raises:

exception.Forbidden if the context is not an admin and owner is set to something other than the context’s project

glance.api.v2.policy.check_is_image_mutable(context, image)

Replicate the DB-layer admin-or-owner check for the API.

Much of the API code depends on hard-coded admin-or-owner enforcement in the DB or authorization layer, as the policy layer is largely a no-op by default. During the policy-refactor blueprint, we are trying to remove as much of that hard-coded enforcement as possible, but in certain places it is still needed (when secure_rbac is not enabled). This transitional helper provides a way to do that enforcement where necessary.

Parameters:
  • context – A RequestContext

  • image – An ImageProxy

Raises:

exception.Forbidden if the context is not the owner or an admin
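
The two admin-or-owner checks documented above, together with the soft-check pattern of check(), as an added sketch written from the docstrings (not Glance's own code). Ctx, Image, Forbidden, the project_id field and soft_check are stand-ins, and treating an image with no owner as immutable for non-admins is an assumption of this example.

```python
from dataclasses import dataclass
from typing import Optional


class Forbidden(Exception):
    """Stand-in for glance's exception.Forbidden."""


@dataclass
class Ctx:
    """Stand-in RequestContext: only the two fields the checks read."""
    project_id: Optional[str]   # project the caller is scoped to
    is_admin: bool = False


@dataclass
class Image:
    """Stand-in for the image object: only its owner matters here."""
    owner: Optional[str]


def check_admin_or_same_owner(context, properties):
    """Create-time check: a non-admin may not set a foreign owner."""
    if context.is_admin:
        return
    # An absent 'owner' key cannot be inconsistent with the context.
    if properties.get("owner", context.project_id) != context.project_id:
        raise Forbidden("cannot create an image owned by %r" % properties["owner"])


def check_is_image_mutable(context, image):
    """Admin-or-owner check for changes to an existing image."""
    if context.is_admin:
        return
    # Assumption of this sketch: fail closed when either side has no owner.
    if (image.owner is None or context.project_id is None
            or image.owner != context.project_id):
        raise Forbidden("caller does not own this image")


def soft_check(check, *args):
    """Same idea as APIPolicyBase.check(): a bool instead of an exception."""
    try:
        check(*args)
    except Forbidden:
        return False
    return True
```
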