Some versions of Glance do not apply property protections as expected
---

### Summary ###
Tom Leaman reported an issue to the OpenStack mailing list that affects Glance property protections. A permissive property setting in the Glance property protections configuration file will override any previously set stricter ones.

### Affected Services / Software ###
Glance, Folsom, Grizzly

### Discussion ###
Glance property protections limit the users who can perform CRUD operations on a Glance property to those in specific roles. If a specific rule would reject an action and a less specific rule that comes after it accepts the action, then the action is accepted even though one may expect it to be rejected.

This bug only affects the use of user roles in Glance. It does not occur when policies are used to determine property protections.

In the following property-protections.conf example, the desired result is to restrict 'update' and 'delete' permissions for 'foo_property' to only users with the 'admin' role.

--- Begin Example ---
/etc/glance/property-protections.conf

[^foo_property$]
create = @
read = @
update = admin
delete = admin

[.*]
create = @
read = @
update = @
delete = @
--- End Example ---

Due to the order in which the rules are applied in the Folsom and Grizzly OpenStack releases, the admin restriction for 'foo_property' is nullified by the '.*' permissions. This results in all roles being allowed the 'update' and 'delete' permissions on 'foo_property', which is not what was intended.

### Recommended Actions ###
This issue has been fixed in Havana (Glance 2013.2.2) and subsequent releases.

Users of affected releases should review and reorder the entries in property-protections.conf to place the most open permissions at the start of the configuration and the more restrictive ones at the end, as demonstrated below.

--- Begin Example ---
/etc/glance/property-protections.conf

[.*]
create = @
read = @
update = @
delete = @

[^foo_property$]
create = @
read = @
update = admin
delete = admin
--- End Example ---

In the above example, the '.*' and 'foo_property' entries in the protections file have been reversed, ensuring that the more restrictive permissions required for 'foo_property' are applied after the wider '.*' permissions and that 'update' and 'delete' operations are restricted to only users in the 'admin' role.

Configuration files with multiple property protection entries should be tested to ensure that CRUD actions are constrained in the way the administrator intended.

### Contacts / References ###
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0013
Original Launchpad Bug : https://bugs.launchpad.net/glance/+bug/1271426
Original Report : http://lists.openstack.org/pipermail/openstack-dev/2014-January/024861.html
Glance Property Protections : https://wiki.openstack.org/wiki/Glance-property-protections
OpenStack Security ML : openstack-secur...@lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
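The following is an added example, not part of this OSSN and not Glance's own code. It models the rule-evaluation order the advisory describes for the affected releases (every matching section is evaluated, so the last matching section decides) and runs both configurations from the advisory through it, so that an administrator can see why the reordered file restricts 'update' and 'delete' on 'foo_property' to the 'admin' role while the original ordering does not. It also includes a small audit helper that reports sections which are shadowed by a later, more permissive one. Assumptions: the role values follow Glance's documented meaning of '@' (any role) and '!' (no role), and the two configuration texts are constructed copies of the advisory's examples.

```python
import configparser
import re

# Constructed copies of the two property-protections.conf examples in the OSSN.
AFFECTED_ORDER = """
[^foo_property$]
create = @
read = @
update = admin
delete = admin

[.*]
create = @
read = @
update = @
delete = @
"""

RECOMMENDED_ORDER = """
[.*]
create = @
read = @
update = @
delete = @

[^foo_property$]
create = @
read = @
update = admin
delete = admin
"""

OPERATIONS = ("create", "read", "update", "delete")


def load_rules(text):
    """Parse property-protections text into an ordered list of
    (compiled section regex, {operation: set of permitted roles})."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep option names as written
    cp.read_string(text)
    rules = []
    for section in cp.sections():
        ops = {op: {r.strip() for r in value.split(",")}
               for op, value in cp[section].items()}
        rules.append((re.compile(section), ops))
    return rules


def role_permitted(roles, allowed):
    """Assumed value semantics: '!' permits nobody, '@' permits everybody,
    otherwise the caller needs at least one listed role."""
    if "!" in allowed:
        return False
    if "@" in allowed:
        return True
    return bool(set(roles) & allowed)


def check_last_match_wins(rules, prop, op, roles):
    """The affected behaviour described in the advisory: each section whose
    regex matches the property is applied in turn, so a later permissive
    section overrides an earlier restrictive one."""
    matched, decision = False, False
    for regex, ops in rules:
        if regex.search(prop):
            matched = True
            decision = role_permitted(roles, ops.get(op, set()))
    return decision if matched else False


def shadowed_restrictions(rules, prop):
    """Audit helper: for a property name, list (operation, stricter section,
    later wide-open section) pairs where a later matching section grants the
    operation to '@' while an earlier matching section did not."""
    matching = [(regex.pattern, ops) for regex, ops in rules if regex.search(prop)]
    findings = []
    for op in OPERATIONS:
        for i, (earlier, e_ops) in enumerate(matching):
            for later, l_ops in matching[i + 1:]:
                if "@" in l_ops.get(op, set()) and "@" not in e_ops.get(op, set()):
                    findings.append((op, earlier, later))
    return findings


if __name__ == "__main__":
    for label, text in (("affected order", AFFECTED_ORDER),
                        ("recommended order", RECOMMENDED_ORDER)):
        rules = load_rules(text)
        member_can_update = check_last_match_wins(rules, "foo_property", "update", ["member"])
        print(f"{label}: member may update foo_property -> {member_can_update}")
        for op, stricter, wider in shadowed_restrictions(rules, "foo_property"):
            print(f"  WARNING: [{stricter}] {op} restriction is overridden by [{wider}]")
```

Running the script prints that a plain 'member' role may update 'foo_property' under the affected ordering and may not under the recommended ordering, and the audit helper flags the two overridden operations ('update' and 'delete') only for the first file. The same `shadowed_restrictions` call can be pointed at every property name an administrator cares about before deploying a configuration with several sections.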