** Changed in: glance/juno Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Glance. https://bugs.launchpad.net/bugs/1387973
Title: Normal user not able to download image if protected property is not associated with the image with restrict-download policy Status in OpenStack Image Registry and Delivery Service (Glance): In Progress Status in Glance juno series: Fix Released Bug description: If restrict download rule is configured in policy.json, and image is added without protected property mentioned in "restricted" rule, then normal users (other than admin) not able to download the image. Steps to reproduce: 1. Create normal_user with _member_ role using horizon 2. Configure download rule in policy.json "download_image": "role:admin or rule:restricted", "restricted": "not ('test_1234':%(test_key)s and role:_member_)", 3. Restart glance-api service 4. create image without property 'test_key' with admin user i. source devstack/openrc admin admin ii. glance image-create iii. glance image-update <image_id> --name non_protected --disk-format qcow2 --container-format bare --is-public True --file /home/openstack/api.log 5. Try to download the newly created image with normal_user. i. source devstack/openrc normal_user admin ii. glance image-download <image_id> It returns 403 Forbidden response to the user, where as admin user can download the image successfully. Expected behavior is all users can download the images if restricted property is not added. Note: https://review.openstack.org/#/c/127923/ The above policy sync patch will solve this issue for Kilo. To manage notifications about this bug go to: https://bugs.launchpad.net/glance/+bug/1387973/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp