Glance Policies
Introduction
This document presents the permissions available for reader and member roles on the Glance service (image management) of Infomaniak Public Cloud, based on OpenStack default policies.
Context
Application Credentials must be created with the appropriate role according to functional needs. This matrix helps you choose the right role.
Legend
| Symbol | Meaning |
|---|---|
 |
Allowed - The policy explicitly permits this action |
 |
Forbidden - The policy explicitly denies this action |
 |
Conditional - Allowed based on visibility or project membership |
Main Image Management
| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| List images | GET /v2/images |
get_images |
|
|
Project only |
| Show image | GET /v2/images/{id} |
get_image |
|
|
Based on visibility* |
| Create image | POST /v2/images |
add_image |
|
|
Project owner |
| Update image | PATCH /v2/images/{id} |
modify_image |
|
|
Project owner |
| Delete image | DELETE /v2/images/{id} |
delete_image |
|
|
Project owner |
*Visibility rules: project owner, explicit member, public image, or shared image
Image Data Management
| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| Download image | GET /v2/images/{id}/file |
download_image |
|
|
Based on visibility* |
| Upload data | PUT /v2/images/{id}/file |
upload_image |
|
|
Project owner |
*Visibility rules: project owner, explicit member, public image, or shared image
Visibility Management
| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| Make community | PATCH /v2/images/{id} |
communitize_image |
|
|
Project owner |
Infomaniak Specificity
The community visibility is not supported on Infomaniak Public Cloud. Attempts to create community images will fail.
Location Management
| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| Get location | GET /v2/images/{id} |
get_image_location |
|
|
Project only |
| Set location | PATCH /v2/images/{id} |
set_image_location |
|
|
Project owner |
Member Management (Sharing)
| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| List members | GET /v2/images/{id}/members |
get_members |
|
|
Project or member |
| Show member | GET /v2/images/{id}/members/{member_id} |
get_member |
|
|
Project or target member |
| Add member | POST /v2/images/{id}/members |
add_member |
|
|
Project owner |
| Update member | PUT /v2/images/{id}/members/{member_id} |
modify_member |
|
|
Target member |
| Remove member | DELETE /v2/images/{id}/members/{member_id} |
delete_member |
|
|
Project owner |
Image Actions
| Operation | Endpoint | Policy | Reader | Member | Conditions |
|---|---|---|---|---|---|
| Deactivate image | POST /v2/images/{id}/actions/deactivate |
deactivate |
|
|
Project owner |
| Reactivate image | POST /v2/images/{id}/actions/reactivate |
reactivate |
|
|
Project owner |
Capabilities Summary by Role
Granted permissions:
- View project images
- View public and shared images
- Download authorized images
- View locations and metadata
- View image members
Limitations:
- No creation or modification actions
- No sharing management
Granted permissions:
- All Reader capabilities
- Create images in the project
- Modify and delete project images
- Upload image data
- Manage project image members
- Set locations
- Activate/deactivate images
Limitations:
- No visibility changes to public
- Limited to project-scoped operations
Usage Examples
Image Consultation Application
Use case: Monitoring or read-only dashboard
Recommended role: reader
# Application Credential
role: reader
# Possible actions
- openstack image list
- openstack image show <image-id>
- openstack image save <image-id>
Image Management Application
Use case: CI/CD, automated deployment
Recommended role: member
# Application Credential
role: member
# Possible actions
- openstack image create --file my-image.qcow2 my-app-v1.0
- openstack image set --property version=1.0 <image-id>
- openstack image add project <image-id> <target-project>
Context Variables
Policies use the following variables to determine authorizations:
| Variable | Description |
|---|---|
%(project_id)s |
Current user's project ID |
%(owner)s |
Image owner ID |
%(member_id)s |
Target member ID in sharing operations |
%(visibility)s |
Image visibility level |
Important Notes
Best Practices
- Principle of least privilege: Use the
readerrole if you only need to view images - Project isolation: Members can only manage images from their project
- Application Credentials management: Create specific credentials per use case