Thanks for spotting that one, Mark! Good catch! I've put together a quick test case and patch for this: https://review.openstack.org/#/c/68420

Thanks again.

Tom

On Tue, Jan 21, 2014 at 10:48:40PM -0800, Mark Washenberger wrote:
> I found the cause. When using role-based protections, instead of stopping
> after the first rule that matches, it keeps going. So in your example, the
> .* property rule is being applied after the ^foo_property$ rule says "no".
> I've determined that we can completely avoid the bug in current deployments
> by using "policies" rather than "roles" for the configuration setting
> "property_protection_rule_format".
>
> It should be a very easy fix--the challenge seems to be writing a good test
> for it. I went ahead and filed the bug
> (https://bugs.launchpad.net/glance/+bug/1271426) and will have a go at a fix.
>
> Thanks again for bringing this issue to our attention, Tom!
>
>
> On Tue, Jan 21, 2014 at 3:37 PM, Mark Washenberger <[email protected]> wrote:
>
> > On Mon, Jan 20, 2014 at 6:02 AM, Tom Leaman <[email protected]> wrote:
> >
> >> I'm looking at a possible bug here but I just want to confirm
> >> that I'm not missing something obvious.
> >>
> >> I'm currently working with Devstack on Ubuntu 12.04 LTS.
> >>
> >> Once Devstack is up and running, I'm creating a file
> >> /etc/glance/property-protections.conf as follows:
> >>
> >> [^foo_property$]
> >> create = @
> >> read = @
> >> update = admin
> >> delete = admin
> >>
> >> [.*]
> >> create = @
> >> read = @
> >> update = @
> >> delete = @
> >>
> >> I'm then referencing this in my glance-api.conf and restarting the glance
> >> api service.
> >>
> >> My understanding is that, as the demo user (which does not have the admin
> >> role), I should be able to set foo_property='some_value' but once set, I
> >> should not be able to modify or delete it, which I currently am able to do.
> >>
> >> I have tried changing the various operations to '!' and confirmed that
> >> those will prevent me from executing those operations (returning 403 as
> >> expected). I've also double checked that the demo user has not somehow
> >> acquired the admin role.
> >>
> >> Tom
> >>
> >
> > I'm seeing the same behavior. I'll keep digging, but meanwhile would you
> > be so kind as to file a bug (if you haven't already!) Thanks so much for
> > pointing this out.
> >
> >> _______________________________________________
> >> OpenStack-dev mailing list
> >> [email protected]
> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
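The rule-evaluation difference Mark describes (the first matching rule should decide, but role-based evaluation keeps going, so `.*` ends up overriding `^foo_property$`), as an added Python model that is not Glance's own code: it loads the thread's property-protections config and compares the fallthrough behaviour with first-match semantics. The detail that an explicit `!` denies immediately while a role mismatch falls through to the next rule is my assumption, chosen to fit both Tom's 403 observation and Mark's explanation.

```python
import configparser
import re

# Constructed property-protections.conf, copied from the thread's example.
PROPERTY_PROTECTIONS = """\
[^foo_property$]
create = @
read = @
update = admin
delete = admin

[.*]
create = @
read = @
update = @
delete = @
"""

def load_rules(text):
    # Rules keep file order: the first section whose regex matches should decide.
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return [(re.compile(s), {op: [r.strip() for r in cp.get(s, op).split(",")]
                              for op in ("create", "read", "update", "delete")})
            for s in cp.sections()]

def check_roles(rule_roles, user_roles):
    # True = allow, False = explicit '!' deny, None = none of the listed roles held.
    if "!" in rule_roles:
        return False
    if "@" in rule_roles or set(rule_roles) & set(user_roles):
        return True
    return None

def is_permitted_fallthrough(rules, prop, op, user_roles):
    # Modelled bug (assumption consistent with the thread): a role mismatch on a
    # matching rule is not treated as a deny, so evaluation continues to the next rule.
    for pattern, ops in rules:
        if pattern.match(prop):
            verdict = check_roles(ops[op], user_roles)
            if verdict is not None:
                return verdict
    return False

def is_permitted_first_match(rules, prop, op, user_roles):
    # Intended semantics: the first matching rule decides; a mismatch is a deny.
    for pattern, ops in rules:
        if pattern.match(prop):
            return check_roles(ops[op], user_roles) is True
    return False
```

Running both evaluators over the same config for a non-admin user shows `update` on `foo_property` allowed only under the fallthrough model, which is the audit a deployer can do on their own rules file before relying on the "policies" workaround.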
