[openstack-dev] [Glance] Property protections not being enforced?

Tom Leaman tom at tomleaman.co.uk
Mon Jan 20 14:02:15 UTC 2014


I'm looking at a possible bug here but I just want to confirm
that I'm not missing something obvious.

I'm currently working with Devstack on Ubuntu 12.04 LTS.

Once Devstack is up and running, I'm creating a file /etc/glance/property-protections.conf as follows:

[^foo_property$]
create = @
read = @
update = admin
delete = admin

[.*]
create = @
read = @
update = @
delete = @

I'm then referencing this in my glance-api.conf and restarting the glance api service.

My understanding is that, as the demo user (which does not have the admin role), I should
be able to set foo_property='some_value' but, once set, I should not be able to modify or delete it,
which I currently am able to do.

I have tried changing the various operations to '!' and confirmed that those will prevent me from
executing those operations (returning 403 as expected). I've also double checked that the demo user
has not somehow acquired the admin role.

Tom
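
The decisions the message expects from this file, written out as an added example (not part of the original post and not Glance's own code). It assumes sections are tried in file order and the first regex matching the property name decides, with `@` meaning any role and `!` meaning no role; the role name `Member` for the demo user and all function names are assumptions.

```python
import configparser
import re

# The property-protections.conf quoted in the message above.
RULES = """
[^foo_property$]
create = @
read = @
update = admin
delete = admin

[.*]
create = @
read = @
update = @
delete = @
"""

def load_rules(text):
    """Return [(compiled_regex, {operation: [roles]})] in file order."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    rules = []
    for section in parser.sections():  # section order follows the file
        perms = {op: [r.strip() for r in value.split(",")]
                 for op, value in parser.items(section)}
        rules.append((re.compile(section), perms))
    return rules

def is_allowed(rules, prop, operation, user_roles):
    """Assumed semantics: the first section whose regex matches decides."""
    for pattern, perms in rules:
        if pattern.search(prop):
            allowed = perms.get(operation, [])
            if "!" in allowed:   # '!' : nobody may perform the operation
                return False
            if "@" in allowed:   # '@' : every role may perform it
                return True
            return any(role in allowed for role in user_roles)
    return False  # no section matched: deny (assumption)

def expected_matrix(user_roles, prop="foo_property"):
    """CRUD decisions for one property under the rules above."""
    rules = load_rules(RULES)
    return {op: is_allowed(rules, prop, op, user_roles)
            for op in ("create", "read", "update", "delete")}

if __name__ == "__main__":
    print("demo :", expected_matrix(["Member"]))
    print("admin:", expected_matrix(["admin"]))
```

Comparing this matrix with the status codes the API actually returns for each operation shows which rule the running service applied.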
