yahoo-eng-team team mailing list archive

[Mark Washenberger <1271426@xxxxxxxxxxxxxxxxxx>]

Public bug reported:

See initial report here: http://lists.openstack.org/pipermail/openstack-
dev/2014-January/024861.html

What is happening is that if there is a specific rule that would reject
an action and a less specific rule that comes after that would accept
the action, then the action is being accepted. It should be rejected.

This is because we iterate through the property protection rules rather
than just finding the first match. This bug does not occur when policies
are used to determine property protections, only when roles are used
directly.

** Affects: glance
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1271426

Title:
  protected property change not rejected if a subsequent rule match
  accepts them

Status in OpenStack Image Registry and Delivery Service (Glance):
  New

Bug description:
  See initial report here: http://lists.openstack.org/pipermail
  /openstack-dev/2014-January/024861.html

  What is happening is that if there is a specific rule that would
  reject an action and a less specific rule that comes after that would
  accept the action, then the action is being accepted. It should be
  rejected.

  This is because we iterate through the property protection rules
  rather than just finding the first match. This bug does not occur when
  policies are used to determine property protections, only when roles
  are used directly.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1271426/+subscriptions