From eaf2e00b36e011d5ad13f7f0e71737a0db293f57 Mon Sep 17 00:00:00 2001
From: Kevin Carter
Date: Fri, 12 Sep 2025 10:22:25 -0500
Subject: [PATCH] fix: tweak glance policy to allow for intra-service image download
Signed-off-by: Kevin Carter
---
 base-helm-configs/glance/glance-helm-overrides.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/base-helm-configs/glance/glance-helm-overrides.yaml b/base-helm-configs/glance/glance-helm-overrides.yaml
index 00dc4457..a4c8602d 100644
--- a/base-helm-configs/glance/glance-helm-overrides.yaml
+++ b/base-helm-configs/glance/glance-helm-overrides.yaml
@@ -123,7 +123,9 @@ conf:
 "default": "role:admin or role:glance_admin"
 "context_is_admin": "role:admin or role:glance_admin"
 "publicize_image": "role:glance_admin"
- "download_image": rule:context_is_admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s))
+ "communitize_image": "role:glance_admin"
+ "download_image": "role:service or role:glance_admin or rule:context_is_admin or rule:service_api or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))"
+ "get_image": "role:service or role:glance_admin or rule:context_is_admin or rule:service_api or (role:reader and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))"
 logging:
 logger_root:
 level: INFO
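Review bot: The new `download_image` and `get_image` rules open with a bare `role:service`, which carries no project or visibility condition, so at the policy layer any token holding the service role passes for every image. That makes assignment of the `service` role part of the image-confidentiality boundary, and the override should say so in a comment such as `# role:service: intra-service image fetch; grant this role to service accounts only`. `rule:service_api` is not defined in the visible part of this policy block, so it depends on the deployed Glance release supplying it as a default; if that default is itself `role:service`, the extra disjunct is redundant. `role:glance_admin` is likewise already covered by `rule:context_is_admin` as defined in the context lines of this hunk, so both rules could start `"rule:context_is_admin or rule:service_api or (...)"` and be easier to audit. The enclosing `conf:` policy mapping starts outside the hunk.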