fix glance,nova policy to workaround app credential bug (#349)

msherman64 · web-flow · commit dc35f268ac1a · 2025-06-03T14:36:14.000-05:00
* glance: replace reader with member_or_reader
* nova: override reader rule to also accept member

Note: changes can be tested by creating an application credential with only the member role (via openstack application credential create --role member) and seeing if that credential permits openstack image list

changes were tested via dev-in-a-box, but we don't yet have smoke tests for this issue.
diff --git a/site-config/node_custom_config/glance/policy.yaml b/site-config/node_custom_config/glance/policy.yaml
@@ -0,0 +1,18 @@
+---
+member_or_reader: role:member or role:reader
+
+get_image: role:admin or (rule:member_or_reader and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))
+get_images: role:admin or (rule:member_or_reader and project_id:%(project_id)s)
+get_image_location: role:admin or (rule:member_or_reader and project_id:%(project_id)s)
+get_member: role:admin or rule:member_or_reader and (project_id:%(project_id)s or project_id:%(member_id)s)
+get_members: role:admin or rule:member_or_reader and (project_id:%(project_id)s or project_id:%(member_id)s)
+get_metadef_namespace: role:admin or (rule:member_or_reader and (project_id:%(project_id)s or 'public':%(visibility)s))
+get_metadef_namespaces: role:admin or (rule:member_or_reader and project_id:%(project_id)s)
+get_metadef_object: role:admin or (rule:member_or_reader and (project_id:%(project_id)s or 'public':%(visibility)s)) 
+get_metadef_objects: role:admin or (rule:member_or_reader and (project_id:%(project_id)s or 'public':%(visibility)s))
+list_metadef_resource_types: role:admin or (rule:member_or_reader and (project_id:%(project_id)s or 'public':%(visibility)s))
+get_metadef_resource_type: role:admin or (rule:member_or_reader and (project_id:%(project_id)s or 'public':%(visibility)s))
+get_metadef_property: role:admin or (rule:member_or_reader and (project_id:%(project_id)s or 'public':%(visibility)s))
+get_metadef_properties: role:admin or (rule:member_or_reader and (project_id:%(project_id)s or 'public':%(visibility)s))
+get_metadef_tag: role:admin or (rule:member_or_reader and (project_id:%(project_id)s or 'public':%(visibility)s))
+get_metadef_tags: role:admin or (rule:member_or_reader and (project_id:%(project_id)s or 'public':%(visibility)s))
diff --git a/site-config/node_custom_config/nova/policy.yaml b/site-config/node_custom_config/nova/policy.yaml
@@ -0,0 +1,3 @@
+# Original: #"project_reader_api": "role:reader and project_id:%(project_id)s"
+# replace due to keystone app credential not honoring implicit roles
+"project_reader_api": "(role:reader or role:member) and project_id:%(project_id)s"

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# Original: #"project_reader_api": "role:reader and project_id:%(project_id)s"`
	`2`	`+# replace due to keystone app credential not honoring implicit roles`
	`3`	`+"project_reader_api": "(role:reader or role:member) and project_id:%(project_id)s"`