<div dir="ltr">I found the cause. When using role-based protections, instead of stopping after the first rule that matches, it keeps going. So in your example, the .* property rule is being applied after the ^foo_property$ rule says "no". I've determined that we can completely avoid the bug in current deployments by using "policies" rather than "roles" for the configuration setting "property_protection_rule_format".<div>
<br></div><div>It should be a very easy fix--the challenge seems to be writing a good test for it. I went ahead and filed the bug (<a href="https://bugs.launchpad.net/glance/+bug/1271426">https://bugs.launchpad.net/glance/+bug/1271426</a>) and will have a go at a fix.</div>
<div><br></div><div>Thanks again for bringing this issue to our attention, Tom!<br>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Jan 21, 2014 at 3:37 PM, Mark Washenberger <span dir="ltr"><<a href="mailto:mark.washenberger@markwash.net" target="_blank">mark.washenberger@markwash.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">
<div>On Mon, Jan 20, 2014 at 6:02 AM, Tom Leaman <span dir="ltr"><<a href="mailto:tom@tomleaman.co.uk" target="_blank">tom@tomleaman.co.uk</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">I'm looking at a possible bug here but I just want to confirm<br>
that I'm not missing something obvious.<br>
<br>
I'm currently working with Devstack on Ubuntu 12.04 LTS<br>
<br>
Once Devstack is up and running, I'm creating a file /etc/glance/property-protections.conf as follows:<br>
<br>
[^foo_property$]<br>
create = @<br>
read = @<br>
update = admin<br>
delete = admin<br>
<br>
[.*]<br>
create = @<br>
read = @<br>
update = @<br>
delete = @<br>
<br>
I'm then referencing this in my glance-api.conf and restarting the glance api service.<br>
<br>
My understanding is that, as the demo user (which does not have the admin role), I should<br>
be able to set foo_property='some_value' but once set, I should not be able to modify or delete it<br>
which I currently am able to do.<br>
<br>
I have tried changing the various operations to '!' and confirmed that those will prevent me from<br>
executing those operations (returning 403 as expected). I've also double checked that the demo user<br>
has not somehow acquired the admin role.<br>
<br>
Tom<br>
<br></blockquote><div><br></div></div><div>I'm seeing the same behavior. I'll keep digging, but meanwhile would you be so kind as to file a bug (if you haven't already!) Thanks so much for pointing this out.</div>
<div><div>
</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</blockquote></div></div><br></div></div>
</blockquote></div><br></div></div></div>