diff --git a/etc/policy.json b/etc/policy.json
index f49bc08460..0a058c1c5d 100644
--- a/etc/policy.json
+++ b/etc/policy.json
@@ -1,6 +1,6 @@
 {
     "context_is_admin":  "role:admin",
-    "default": "",
+    "default": "role:admin",
 
     "add_image": "",
     "delete_image": "",
diff --git a/glance/tests/unit/test_policy.py b/glance/tests/unit/test_policy.py
index f987b017a3..5a57729d5d 100644
--- a/glance/tests/unit/test_policy.py
+++ b/glance/tests/unit/test_policy.py
@@ -162,6 +162,25 @@ class TestPolicyEnforcer(base.IsolatedUnitTest):
         context = glance.context.RequestContext(roles=[])
         self.assertEqual(False, enforcer.check(context, 'get_image', {}))
 
+    def test_policy_file_get_image_default_everybody(self):
+        rules = {"default": ''}
+        self.set_policy_rules(rules)
+
+        enforcer = glance.api.policy.Enforcer()
+
+        context = glance.context.RequestContext(roles=[])
+        self.assertEqual(True, enforcer.check(context, 'get_image', {}))
+
+    def test_policy_file_get_image_default_nobody(self):
+        rules = {"default": '!'}
+        self.set_policy_rules(rules)
+
+        enforcer = glance.api.policy.Enforcer()
+
+        context = glance.context.RequestContext(roles=[])
+        self.assertRaises(exception.Forbidden,
+                          enforcer.enforce, context, 'get_image', {})
+
 
 class TestPolicyEnforcerNoFile(base.IsolatedUnitTest):
     def test_policy_file_specified_but_not_found(self):
diff --git a/releasenotes/notes/bug-1593177-8ef35458d29ec93c.yaml b/releasenotes/notes/bug-1593177-8ef35458d29ec93c.yaml
new file mode 100644
index 0000000000..d84ff098f0
--- /dev/null
+++ b/releasenotes/notes/bug-1593177-8ef35458d29ec93c.yaml
@@ -0,0 +1,6 @@
+---
+upgrade:
+  - The ``default`` policy in ``policy.json`` now uses the
+    admin role rather than any role. This is to make the
+    policy file restrictive rather than permissive and
+    tighten security.