Public bug reported:
From: https://review.openstack.org/#/c/309346/
"
I investigated the behaviour of the policy file when various policies are
removed.
A completely empty policy file will return a 403 Forbidden, as the user
will not match any of the policies.
However, because glance has the policy ``default: ""``, any policy that is
not explicitly stated in the policy.json is by default usable by any member.
I think that the ``default`` option is a potentially bad thing to have in the
policy.json file, due to the ability to give permissions without explicitly
stating it.
"
Therefore we should change ``"default": "",`` to ``"default": "role:admin",``
to make sure that members don't inherit policies that they shouldn't in the
future. From an operator's perspective it should be more secure to have an
opt-in rather than opt-out.
** Affects: glance
Importance: Undecided
Assignee: Niall Bunting (niall-bunting)
Status: In Progress
** Changed in: glance
Assignee: (unassigned) => Niall Bunting (niall-bunting)
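An added example, not part of the bug report or of Glance's own code, that models the fallback behaviour described above: a deliberately minimal stand-in for oslo.policy's rule evaluation (the real library is far richer; `check_rule`, `enforce` and `audit_unlisted_actions` are names chosen here) applied to two constructed policy files, one keeping ``"default": ""`` and one with the proposed ``"default": "role:admin"``. The action names are illustrative.

```python
import json

# Constructed policy files (not Glance's shipped policy.json). The first keeps the
# ``"default": ""`` rule the report objects to; the second applies its proposed fix.
WEAK_POLICY = json.loads('{"default": "", "publicize_image": "role:admin"}')
FIXED_POLICY = json.loads('{"default": "role:admin", "publicize_image": "role:admin"}')


def check_rule(expr, creds):
    """Minimal model of an oslo.policy rule expression (assumption: the real
    evaluator supports far more). An empty string always passes; "role:X"
    passes only when role X is present in the caller's credentials."""
    if expr == "":
        return True
    if expr.startswith("role:"):
        return expr[len("role:"):] in creds.get("roles", [])
    raise ValueError(f"unsupported rule expression in this model: {expr!r}")


def enforce(policy, action, creds):
    """Mirror the fallback the report describes: an action that is not listed
    in the policy file is judged by the 'default' rule, and when there is no
    'default' rule either (an empty file) the action is denied."""
    expr = policy.get(action, policy.get("default"))
    if expr is None:
        return False
    return check_rule(expr, creds)


def audit_unlisted_actions(policy, actions, creds):
    """Return the actions `creds` may perform without being named in the file,
    i.e. permissions that exist only because of the 'default' rule. An
    operator can run this over the full action list to see what opt-out grants."""
    return [a for a in actions if a not in policy and enforce(policy, a, creds)]


if __name__ == "__main__":
    member = {"roles": ["member"]}
    for name, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        leaked = audit_unlisted_actions(policy, ["delete_image", "publicize_image"], member)
        print(f"{name}: unlisted actions a plain member may call -> {leaked}")
```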
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1593177
Title:
The default policy should be admin
Status in Glance:
In Progress
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1593177/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to: [email protected]
Unsubscribe: https://launchpad.net/~yahoo-eng-team
More help: https://help.launchpad.net/ListHelp