Change default policy to admin

From: https://review.openstack.org/#/c/309346/ " I investigated the behaviour of the policy file when various policies are removed. A completely empty policy file will return a 403 Forbidden. As the user will not match with any of the policies. However, because glance has the policy ``default: ""``. It means that any policy that is not explicitly stated in the the policy.json, is by default usable by any member. I think that the ``default`` option is a potentially bad thing to have in the policy.json file, due to the ability to give permissions without explicitly stating it. " Therefore we should change ``"default": "",`` to ``"default": "role:admin",``. To make sure that members don't inherit policies that they shouldn't in the future. From a operators perspective it should be more secure to have an opt-in rather than opt-out. Change-Id: I57f9d4791126360079a941c1ff4cb2bbb86298d5 Closes-Bug: 1593177
2016-06-16 10:30:52 +00:00 · 2016-06-16 10:30:52 +00:00 · 969309ffae
parent 5f48788b00
commit 969309ffae
3 changed files with 26 additions and 1 deletions
--- a/etc/policy.json
+++ b/etc/policy.json
@ -1,6 +1,6 @@
 {
    "context_is_admin":  "role:admin",
-    "default": "",
+    "default": "role:admin",

    "add_image": "",
    "delete_image": "",
--- a/glance/tests/unit/test_policy.py
+++ b/glance/tests/unit/test_policy.py
@ -162,6 +162,25 @@ class TestPolicyEnforcer(base.IsolatedUnitTest):
        context = glance.context.RequestContext(roles=[])
        self.assertEqual(False, enforcer.check(context, 'get_image', {}))

+    def test_policy_file_get_image_default_everybody(self):
+        rules = {"default": ''}
+        self.set_policy_rules(rules)
+
+        enforcer = glance.api.policy.Enforcer()
+
+        context = glance.context.RequestContext(roles=[])
+        self.assertEqual(True, enforcer.check(context, 'get_image', {}))
+
+    def test_policy_file_get_image_default_nobody(self):
+        rules = {"default": '!'}
+        self.set_policy_rules(rules)
+
+        enforcer = glance.api.policy.Enforcer()
+
+        context = glance.context.RequestContext(roles=[])
+        self.assertRaises(exception.Forbidden,
+                          enforcer.enforce, context, 'get_image', {})
+

 class TestPolicyEnforcerNoFile(base.IsolatedUnitTest):
    def test_policy_file_specified_but_not_found(self):
--- a/releasenotes/notes/bug-1593177-8ef35458d29ec93c.yaml
+++ b/releasenotes/notes/bug-1593177-8ef35458d29ec93c.yaml
@ -0,0 +1,6 @@
+---
+upgrade:
+  - The ``default`` policy in ``policy.json`` now uses the
+    admin role rather than any role. This is to make the
+    policy file restrictive rather than permissive and
+    tighten security.