[openstack-dev] [Glance] Property protections not being enforced?

Mark Washenberger mark.washenberger at markwash.net
Wed Jan 22 06:48:40 UTC 2014


I found the cause. When using role-based protections, instead of stopping
after the first rule that matches, it keeps going. So in your example, the
.* property rule is being applied after the ^foo_property$ rule says "no".
I've determined that we can completely avoid the bug in current deployments
by using "policies" rather than "roles" for the configuration setting
"property_protection_rule_format".

It should be a very easy fix--the challenge seems to be writing a good test
for it. I went ahead and filed the bug (
https://bugs.launchpad.net/glance/+bug/1271426) and will have a go at a fix.

Thanks again for bringing this issue to our attention, Tom!


On Tue, Jan 21, 2014 at 3:37 PM, Mark Washenberger <
mark.washenberger at markwash.net> wrote:

>
>
>
> On Mon, Jan 20, 2014 at 6:02 AM, Tom Leaman <tom at tomleaman.co.uk> wrote:
>
>> I'm looking at a possible bug here but I just want to confirm
>> that I'm not missing something obvious.
>>
>> I'm currently working with Devstack on Ubuntu 12.04 LTS
>>
>> Once Devstack is up and running, I'm creating a file
>> /etc/glance/property-protections.conf as follows:
>>
>> [^foo_property$]
>> create = @
>> read = @
>> update = admin
>> delete = admin
>>
>> [.*]
>> create = @
>> read = @
>> update = @
>> delete = @
>>
>> I'm then referencing this in my glance-api.conf and restarting the glance
>> api service.
>>
>> My understanding is that, as the demo user (which does not have the admin
>> role), I should be able to set foo_property='some_value' but once set, I
>> should not be able to modify or delete it, which I currently am able to do.
>>
>> I have tried changing the various operations to '!' and confirmed that
>> those will prevent me from executing those operations (returning 403 as
>> expected). I've also double checked that the demo user has not somehow
>> acquired the admin role.
>>
>> Tom
>>
>>
> I'm seeing the same behavior. I'll keep digging, but meanwhile would you
> be so kind as to file a bug (if you haven't already!) Thanks so much for
> pointing this out.
>
>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>
>
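The following is an added illustration, not Glance's own code: a small Python model of the "roles" rule format that parses the property-protections.conf Tom posted and evaluates it two ways, first-match-wins (the intended behaviour) and the keep-going behaviour Mark describes, where a denying match is not final and a later permissive section can still grant the operation. The role-spec semantics ('@' any role, '!' no role, otherwise a comma-separated role list) and the use of regex search against the property name are stated as assumptions in the code; the "policies" format workaround from the thread is not modelled here.

```python
"""Toy model of Glance property protections in the "roles" rule format.

Added illustration, not Glance's own code. It parses the
property-protections.conf from the thread with configparser and compares
two evaluation strategies for a (property, operation, roles) triple:
first matching section decides, versus the buggy behaviour described in
the thread, where evaluation continues past a denying section and a later
permissive section can still grant the operation.

Assumptions: section headers are regexes searched against the property
name; '@' allows any role, '!' allows none, anything else is a
comma-separated list of role names.
"""
import configparser
import re

OPERATIONS = ("create", "read", "update", "delete")

# Constructed sample: the same file Tom posted in the thread.
SAMPLE_CONF = """\
[^foo_property$]
create = @
read = @
update = admin
delete = admin

[.*]
create = @
read = @
update = @
delete = @
"""


def parse_rules(text):
    """Return [(compiled_regex, {op: role_spec}), ...] in file order."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep option names exactly as written
    parser.read_string(text)
    rules = []
    for section in parser.sections():
        ops = {op: parser.get(section, op).strip() for op in OPERATIONS}
        rules.append((re.compile(section), ops))
    return rules


def role_spec_allows(spec, roles):
    """Evaluate one role spec ('@', '!' or 'a,b,c') against the caller's roles."""
    if spec == "@":
        return True
    if spec == "!":
        return False
    allowed = {r.strip() for r in spec.split(",") if r.strip()}
    return bool(allowed & set(roles))


def first_match(rules, prop, op, roles):
    """Intended semantics: the first section whose regex matches decides."""
    for regex, ops in rules:
        if regex.search(prop):
            return role_spec_allows(ops[op], roles)
    return False  # no rule matched: deny


def keep_going(rules, prop, op, roles):
    """Buggy semantics from the thread (a model, not the real code path):
    a denying match is not final, so evaluation continues and any later
    matching section that allows the operation wins."""
    for regex, ops in rules:
        if regex.search(prop) and role_spec_allows(ops[op], roles):
            return True
    return False


def compare(conf_text, prop, op, roles):
    """Return both decisions so the divergence is visible side by side."""
    rules = parse_rules(conf_text)
    return {
        "first_match": first_match(rules, prop, op, roles),
        "keep_going": keep_going(rules, prop, op, roles),
    }


if __name__ == "__main__":
    demo_roles = ["member"]  # constructed: a non-admin user such as devstack's demo
    for op in OPERATIONS:
        print(op, compare(SAMPLE_CONF, "foo_property", op, demo_roles))
```

Running it shows the divergence Tom observed: for a non-admin caller, update and delete on foo_property are denied under first-match evaluation but allowed under the keep-going model, because the catch-all `.*` section is consulted after `^foo_property$` has already said no.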