[openstack-dev] [Glance] Property protections not being enforced?

Tom Leaman tom at tomleaman.co.uk
Wed Jan 22 16:45:10 UTC 2014


Thanks for spotting that one Mark! Good catch!

I've put together a quick test case and patch for this.
https://review.openstack.org/#/c/68420

Thanks again.
Tom

On Tue, Jan 21, 2014 at 10:48:40PM -0800, Mark Washenberger wrote:
> I found the cause. When using role-based protections, instead of stopping
> after the first rule that matches, it keeps going. So in your example, the
> .* property rule is being applied after the ^foo_property$ rule says "no".
> I've determined that we can completely avoid the bug in current deployments
> by using "policies" rather than "roles" for the configuration setting
> "property_protection_rule_format".
> 
> It should be a very easy fix--the challenge seems to be writing a good test
> for it. I went ahead and filed the bug (
> https://bugs.launchpad.net/glance/+bug/1271426) and will have a go at a fix.
> 
> Thanks again for bringing this issue to our attention, Tom!
> 
> 
> On Tue, Jan 21, 2014 at 3:37 PM, Mark Washenberger <
> mark.washenberger at markwash.net> wrote:
> 
> >
> >
> >
> > On Mon, Jan 20, 2014 at 6:02 AM, Tom Leaman <tom at tomleaman.co.uk> wrote:
> >
> >> I'm looking at a possible bug here but I just want to confirm
> >> that I'm not missing something obvious.
> >>
> >> I'm currently working with Devstack on Ubuntu 12.04 LTS
> >>
> >> Once Devstack is up and running, I'm creating a file
> >> /etc/glance/property-protections.conf as follows:
> >>
> >> [^foo_property$]
> >> create = @
> >> read = @
> >> update = admin
> >> delete = admin
> >>
> >> [.*]
> >> create = @
> >> read = @
> >> update = @
> >> delete = @
> >>
> >> I'm then referencing this in my glance-api.conf and restarting the glance
> >> api service.
> >>
> >> My understanding is that, as the demo user (which does not have the admin
> >> role), I should be able to set foo_property='some_value' but once set, I
> >> should not be able to modify or delete it, which I currently am able to do.
> >>
> >> I have tried changing the various operations to '!' and confirmed that
> >> those will prevent me from executing those operations (returning 403 as
> >> expected). I've also double checked that the demo user has not somehow
> >> acquired the admin role.
> >>
> >> Tom
> >>
> >>
> > I'm seeing the same behavior. I'll keep digging, but meanwhile would you
> > be so kind as to file a bug (if you haven't already!) Thanks so much for
> > pointing this out.
> >
> >
> >> _______________________________________________
> >> OpenStack-dev mailing list
> >> OpenStack-dev at lists.openstack.org
> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >>
> >
> >

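To make the behaviour Mark describes concrete, here is a small Python model of role-format property-protection evaluation. It is an example added here, not Glance's own property_utils code: it loads the property-protections.conf from the thread (copied inline) and evaluates it two ways, once continuing past a matching rule that denies (the bug, where the trailing [.*] rule ends up granting what ^foo_property$ refused) and once stopping at the first matching rule (the intended semantics). The role name "member" for the demo user, the handling of '!' as an explicit deny, and the deny-by-default when no rule matches are assumptions of this model.

```python
"""Model of Glance-style property protections in the "roles" rule format.

Added example, not Glance's code.  Rules are evaluated in file order; the
first section whose regex matches the property name is meant to decide.
"""
import configparser
import re

# Constructed copy of the /etc/glance/property-protections.conf from the thread.
PROPERTY_PROTECTIONS = """
[^foo_property$]
create = @
read = @
update = admin
delete = admin

[.*]
create = @
read = @
update = @
delete = @
"""

OPERATIONS = ("create", "read", "update", "delete")


def load_rules(text):
    """Parse the config into an ordered list of (compiled_regex, {op: roles}).

    '@' stands for every role and '!' for no role (assumed here to mean an
    explicit deny).  Sections are kept in file order because order is what
    gives the [.*] catch-all its meaning.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    rules = []
    for section in parser.sections():
        ops = {}
        for op in OPERATIONS:
            raw = parser.get(section, op, fallback="!")
            ops[op] = {r.strip() for r in raw.split(",") if r.strip()}
        rules.append((re.compile(section), ops))
    return rules


def _rule_permits(allowed_roles, user_roles):
    """Decide one rule for one operation: '!' denies, '@' allows, else a role match."""
    if "!" in allowed_roles:
        return False
    if "@" in allowed_roles:
        return True
    return bool(allowed_roles & set(user_roles))


def check_buggy(rules, prop, op, user_roles):
    """Faulty walk: a matching rule that denies does not stop the loop, so a
    later, broader rule (such as [.*]) can still grant the operation."""
    for regex, ops in rules:
        if regex.search(prop) and _rule_permits(ops[op], user_roles):
            return True
    return False


def check_fixed(rules, prop, op, user_roles):
    """Intended walk: the first matching rule decides, whether allow or deny."""
    for regex, ops in rules:
        if regex.search(prop):
            return _rule_permits(ops[op], user_roles)
    return False  # nothing matched: deny (assumed conservative default)


if __name__ == "__main__":
    rules = load_rules(PROPERTY_PROTECTIONS)
    demo_roles = ["member"]  # assumed roles of the devstack demo user
    for op in OPERATIONS:
        print("demo %-6s foo_property  buggy=%-5s fixed=%s" % (
            op,
            check_buggy(rules, "foo_property", op, demo_roles),
            check_fixed(rules, "foo_property", op, demo_roles)))
```

With the buggy walk, update and delete on foo_property come back True for the demo user exactly as Tom observed; with the first-match walk they come back False while create and read stay allowed, and a property not covered by the first section still falls through to [.*].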