I found the cause. When using role-based protections, instead of stopping after the first rule that matches, it keeps going. So in your example, the .* property rule is being applied after the ^foo_property$ rule says "no". I've determined that we can completely avoid the bug in current deployments by using "policies" rather than "roles" for the configuration setting "property_protection_rule_format".
It should be a very easy fix--the challenge seems to be writing a good test for it. I went ahead and filed the bug (https://bugs.launchpad.net/glance/+bug/1271426) and will have a go at a fix. Thanks again for bringing this issue to our attention, Tom!

On Tue, Jan 21, 2014 at 3:37 PM, Mark Washenberger <mark.washenber...@markwash.net> wrote:

> On Mon, Jan 20, 2014 at 6:02 AM, Tom Leaman <t...@tomleaman.co.uk> wrote:
>
>> I'm looking at a possible bug here but I just want to confirm
>> that I'm not missing something obvious.
>>
>> I'm currently working with Devstack on Ubuntu 12.04 LTS
>>
>> Once Devstack is up and running, I'm creating a file
>> /etc/glance/property-protections.conf as follows:
>>
>> [^foo_property$]
>> create = @
>> read = @
>> update = admin
>> delete = admin
>>
>> [.*]
>> create = @
>> read = @
>> update = @
>> delete = @
>>
>> I'm then referencing this in my glance-api.conf and restarting the glance
>> api service.
>>
>> My understanding is that, as the demo user (which does not have the admin
>> role), I should be able to set foo_property='some_value' but once set, I
>> should not be able to modify or delete it, which I currently am able to do.
>>
>> I have tried changing the various operations to '!' and confirmed that
>> those will prevent me from executing those operations (returning 403 as
>> expected). I've also double checked that the demo user has not somehow
>> acquired the admin role.
>>
>> Tom
>>
>
> I'm seeing the same behavior. I'll keep digging, but meanwhile would you
> be so kind as to file a bug (if you haven't already!) Thanks so much for
> pointing this out.
>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev@lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
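As an added illustration (not Glance's own code and not from the thread), a small Python model of the two rule-evaluation strategies Mark describes, run against the exact property-protections.conf Tom posted; the handling of `@`, `!` and role lists, and the deny-by-default for operations missing from a matching section, are assumptions of this model rather than a statement of how Glance implements them.

```python
import configparser
import re

# Constructed sample: the property-protections.conf from the thread.
PROTECTIONS_CONF = """
[^foo_property$]
create = @
read = @
update = admin
delete = admin
[.*]
create = @
read = @
update = @
delete = @
"""

def load_rules(text):
    """Parse the rule file into an ordered list of (compiled regex, {op: roles})."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    rules = []
    for section in cp.sections():
        ops = {op: [r.strip() for r in cp.get(section, op).split(",")]
               for op in cp.options(section)}
        rules.append((re.compile(section), ops))
    return rules

def roles_permit(allowed, user_roles):
    """'@' permits everyone, '!' permits nobody, otherwise a listed role is needed."""
    if "!" in allowed:
        return False
    return "@" in allowed or any(role in allowed for role in user_roles)

def is_permitted(rules, prop, op, user_roles, first_match_only=True):
    """first_match_only=True: the first section matching prop decides (intended).
    False models the reported bug: a role list that does not include the user
    falls through, so the permissive [.*] section overrides the earlier denial.
    Operations absent from a matching section are denied (assumption)."""
    for pattern, ops in rules:
        if not pattern.search(prop):
            continue
        allowed = ops.get(op, ["!"])
        if first_match_only or "!" in allowed:
            return roles_permit(allowed, user_roles)
        if roles_permit(allowed, user_roles):  # permitted here: stop searching
            return True
    return False
```

With `first_match_only=False` a demo user (role `member`) may update or delete `foo_property` because `[.*]` is consulted after `[^foo_property$]` declines; with the first matching section deciding, the same request is refused while `create` and `read` still succeed.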