[openstack-dev] [Glance] Property protections not being enforced?

Mark Washenberger mark.washenberger at markwash.net
Tue Jan 21 23:37:23 UTC 2014


On Mon, Jan 20, 2014 at 6:02 AM, Tom Leaman <tom at tomleaman.co.uk> wrote:

> I'm looking at a possible bug here but I just want to confirm
> that I'm not missing something obvious.
>
> I'm currently working with Devstack on Ubuntu 12.04 LTS.
>
> Once Devstack is up and running, I'm creating a file
> /etc/glance/property-protections.conf as follows:
>
> [^foo_property$]
> create = @
> read = @
> update = admin
> delete = admin
>
> [.*]
> create = @
> read = @
> update = @
> delete = @
>
> I'm then referencing this in my glance-api.conf and restarting the glance
> api service.
>
> My understanding is that, as the demo user (which does not have the admin
> role), I should be able to set foo_property='some_value' but once set, I
> should not be able to modify or delete it which I currently am able to do.
>
> I have tried changing the various operations to '!' and confirmed that
> those will prevent me from executing those operations (returning 403 as
> expected). I've also double checked that the demo user has not somehow
> acquired the admin role.
>
> Tom
>
>
I'm seeing the same behavior. I'll keep digging, but meanwhile would you be
so kind as to file a bug (if you haven't already!)? Thanks so much for
pointing this out.
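
Added example, not part of the original messages and not Glance's own code: a small model of the outcome the quoted configuration is expected to produce, useful as a checklist when testing a deployment. The function names, the `member` role, regex `search` matching and first-match-in-file-order evaluation are assumptions made for this sketch.

```python
import configparser
import re

# Constructed copy of the property-protections.conf quoted in the thread.
SAMPLE_CONF = """\
[^foo_property$]
create = @
read = @
update = admin
delete = admin

[.*]
create = @
read = @
update = @
delete = @
"""
OPERATIONS = ("create", "read", "update", "delete")


def load_rules(text):
    """Return [(compiled section regex, {operation: [roles]})] in file order."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return [(re.compile(name),
             {op: [r.strip() for r in val.split(",")]
              for op, val in parser.items(name)})
            for name in parser.sections()]


def is_allowed(rules, prop, operation, user_roles):
    """Assumption: the first section whose regex matches the name decides."""
    for pattern, ops in rules:
        if pattern.search(prop):
            allowed = ops.get(operation, [])
            if "!" in allowed:        # '!' denies everyone
                return False
            if "@" in allowed:        # '@' permits everyone
                return True
            return bool(set(allowed) & set(user_roles))
    return False                      # no section matches: deny


def audit(text, prop, user_roles, reverse=False):
    """Map each operation to True/False; reverse=True flips section order."""
    rules = load_rules(text)
    if reverse:
        rules.reverse()
    return {op: is_allowed(rules, prop, op, user_roles) for op in OPERATIONS}


if __name__ == "__main__":
    print(audit(SAMPLE_CONF, "foo_property", ["member"]))
```

Both section patterns match `foo_property`, so the result depends on which section is consulted; `reverse=True` shows the outcome when `[.*]` is consulted first. The thread does not identify the cause of the observed behaviour.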

