From 00fd19b7012d837c555217fc1440b1207f8a1cbd Mon Sep 17 00:00:00 2001
From: Sean Pryor
Date: Wed, 15 Nov 2017 13:07:37 -0500
Subject: Draft of Glance policy
Change-Id: I97c1227e39b77705703a17d3928882c488f49c91
---
etc/glance/policy.json | 96 +++++++++++++++++++++++++++-----------------------
1 file changed, 51 insertions(+), 45 deletions(-)
diff --git a/etc/glance/policy.json b/etc/glance/policy.json
index 0a058c1..161ee6c 100644
--- a/etc/glance/policy.json
+++ b/etc/glance/policy.json
@@ -1,27 +1,33 @@
 {
- "context_is_admin": "role:admin",
+ "readonly": "(project_id:%(project_id)s and role:readonly)",
+ "global_readonly": "(role:global_readonly)",
+ "_member_role": "(role:member or role:_member_)",
+ "member": "(project_id:%(project_id)s and rule:_member_role)",
+ "admin": "(is_admin:True or role:admin)",
+ "owner": "(user_id:%(user_id)s and rule:_member_role)",
+ "default": "role:admin",
- "add_image": "",
- "delete_image": "",
- "get_image": "",
- "get_images": "",
- "modify_image": "",
- "publicize_image": "role:admin",
- "copy_from": "",
+ "add_image": "rule:admin or rule:member",
+ "delete_image": "rule:admin or rule:member or rule:owner",
+ "get_image": "rule:admin or rule:member or rule:readonly",
+ "get_images": "rule:admin or rule:member or rule:readonly",
+ "modify_image": "rule:admin or rule:member",
+ "publicize_image": "rule:admin",
+ "copy_from": "rule:admin or rule:member",
- "download_image": "",
- "upload_image": "",
+ "download_image": "rule:admin or rule:member",
+ "upload_image": "rule:admin or rule:member",
- "delete_image_location": "",
- "get_image_location": "",
- "set_image_location": "",
+ "delete_image_location": "rule:admin or rule:member",
+ "get_image_location": "rule:admin or rule:member",
+ "set_image_location": "rule:admin or rule:member",
- "add_member": "",
- "delete_member": "",
- "get_member": "",
- "get_members": "",
- "modify_member": "",
+ "add_member": "rule:admin or rule:member",
+ "delete_member": "rule:admin or rule:member",
+ "get_member": "rule:admin or rule:member or rule:readonly",
+ "get_members": "rule:admin or rule:member or rule:readonly",
+ "modify_member": "rule:admin or rule:member",
 "manage_image_cache": "role:admin",
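Review bot: Every non-admin grant introduced in this hunk (and in the metadef hunk below) hinges on the enforcement target actually containing `project_id` or `user_id`: `member`, `readonly` and `owner` interpolate `%(project_id)s` / `%(user_id)s`, and as I read oslo.policy's generic check a missing target key evaluates to false, so if Glance's image target exposes the owning project under a different attribute name (it is not visible here) `get_image`, `modify_image`, `upload_image` and the rest silently collapse to `rule:admin` only. That should be confirmed against the target each enforce call builds before this policy is deployed. `global_readonly` is defined but never referenced by any rule in this file, so it currently grants nothing. Dropping `context_is_admin` also deserves a second look: Glance's enforcer consults that rule to classify a request context as admin, and with the key absent the lookup falls through to `default`, which is `role:admin` here — the same result as before, but now coupled to `default` never changing; keeping `"context_is_admin": "rule:admin",` makes that intent explicit.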
@@ -30,32 +36,32 @@
 "add_task": "role:admin",
 "modify_task": "role:admin",
- "deactivate": "",
- "reactivate": "",
-
- "get_metadef_namespace": "",
- "get_metadef_namespaces":"",
- "modify_metadef_namespace":"",
- "add_metadef_namespace":"",
-
- "get_metadef_object":"",
- "get_metadef_objects":"",
- "modify_metadef_object":"",
- "add_metadef_object":"",
-
- "list_metadef_resource_types":"",
- "get_metadef_resource_type":"",
- "add_metadef_resource_type_association":"",
-
- "get_metadef_property":"",
- "get_metadef_properties":"",
- "modify_metadef_property":"",
- "add_metadef_property":"",
-
- "get_metadef_tag":"",
- "get_metadef_tags":"",
- "modify_metadef_tag":"",
- "add_metadef_tag":"",
- "add_metadef_tags":""
+ "deactivate": "rule:admin or rule:member",
+ "reactivate": "rule:admin or rule:member",
+
+ "get_metadef_namespace": "rule:admin or rule:member or rule:readonly",
+ "get_metadef_namespaces":"rule:admin or rule:member or rule:readonly",
+ "modify_metadef_namespace":"rule:admin or rule:member",
+ "add_metadef_namespace":"rule:admin or rule:member",
+
+ "get_metadef_object":"rule:admin or rule:member or rule:readonly",
+ "get_metadef_objects":"rule:admin or rule:member or rule:readonly",
+ "modify_metadef_object":"rule:admin or rule:member",
+ "add_metadef_object":"rule:admin or rule:member",
+
+ "list_metadef_resource_types":"rule:admin or rule:member or rule:readonly",
+ "get_metadef_resource_type":"rule:admin or rule:member or rule:readonly",
+ "add_metadef_resource_type_association":"rule:admin or rule:member",
+
+ "get_metadef_property":"rule:admin or rule:member or rule:readonly",
+ "get_metadef_properties":"rule:admin or rule:member or rule:readonly",
+ "modify_metadef_property":"rule:admin or rule:member",
+ "add_metadef_property":"rule:admin or rule:member",
+
+ "get_metadef_tag":"rule:admin or rule:member or rule:readonly",
+ "get_metadef_tags":"rule:admin or rule:member or rule:readonly",
+ "modify_metadef_tag":"rule:admin or rule:member",
+ "add_metadef_tag":"rule:admin or rule:member",
+ "add_metadef_tags":"rule:admin or rule:member"
 }
-- cgit
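Review bot: The read paths in this hunk (`get_metadef_namespace`, `get_metadef_namespaces`, `get_metadef_object`, `get_metadef_objects`, `list_metadef_resource_types`, `get_metadef_resource_type`, `get_metadef_property`, `get_metadef_properties`, `get_metadef_tag`, `get_metadef_tags`) only admit the project-scoped `rule:readonly`, while the `global_readonly` rule this same change defines is consumed nowhere, which makes it unclear whether a global read-only role was meant to see metadef data or not. If it was, these entries are the natural place for an explicit `or rule:global_readonly` branch; if not, the unused rule should be removed so the file does not advertise a grant it never applies. Either way the decision belongs in the commit message, since the policy file itself cannot carry a comment. Whether the metadef enforce calls supply a target with `project_id` at all is not visible here and determines whether `rule:member` / `rule:readonly` can ever match on these entries.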