This seems like something that might catch out unsuspecting sysadmins.
Do you think it is worth issuing an OSSN for this?
** Also affects: ossn
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1271426
Title:
protected property change not rejected if a subsequent rule match
accepts them
Status in OpenStack Image Registry and Delivery Service (Glance):
Fix Committed
Status in Glance havana series:
In Progress
Status in OpenStack Security Notes:
New
Bug description:
See initial report here: http://lists.openstack.org/pipermail
/openstack-dev/2014-January/024861.html
What is happening is that if there is a specific rule that would
reject an action and a less specific rule that comes after that would
accept the action, then the action is being accepted. It should be
rejected.
This is because we iterate through the property protection rules
rather than just finding the first match. This bug does not occur when
policies are used to determine property protections, only when roles
are used directly.
To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1271426/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
