yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1593177] Re: The default policy should be admin

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1593177@xxxxxxxxxxxxxxxxxx>
Date: Tue, 05 Jul 2016 22:36:23 -0000
Reply-to: Bug 1593177 <1593177@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Reviewed:  https://review.openstack.org/330443
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=969309ffae15a56474e5a66100979a6bd76c356f
Submitter: Jenkins
Branch:    master

commit 969309ffae15a56474e5a66100979a6bd76c356f
Author: Niall Bunting <niall.bunting@xxxxxxx>
Date:   Thu Jun 16 10:30:52 2016 +0000

    Change default policy to admin
    
    From: https://review.openstack.org/#/c/309346/
    
    "
    I investigated the behaviour of the policy file when various policies
    are removed.
    
    A completely empty policy file will return a 403 Forbidden. As the user
    will not match with any of the policies.
    
    However, because glance has the policy ``default: ""``. It means that
    any policy that is not explicitly stated in the the policy.json, is
    by default usable by any member. I think that the ``default`` option
    is a potentially bad thing to have in the policy.json file, due to the
    ability to give permissions without explicitly stating it.
    "
    
    Therefore we should change ``"default": "",`` to ``"default":
    "role:admin",``. To make sure that members don't inherit policies that
    they shouldn't in the future. From a operators perspective it should be
    more secure to have an opt-in rather than opt-out.
    
    Change-Id: I57f9d4791126360079a941c1ff4cb2bbb86298d5
    Closes-Bug: 1593177


** Changed in: glance
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1593177

Title:
  The default policy should be admin

Status in Glance:
  Fix Released

Bug description:
  From: https://review.openstack.org/#/c/309346/

  "
  I investigated the behaviour of the policy file when various policies are removed.

  A completely empty policy file will return a 403 Forbidden. As the
  user will not match with any of the policies.

  However, because glance has the policy ``default: ""``. It means that any policy that is not explicitly stated in the the policy.json, is by default usable by any member. I think that the ``default`` option is a potentially bad thing to have in the policy.json file, due to the ability to give permissions without explicitly stating it.
  "
  Therefore we should change ``"default": "",`` to ``"default": "role:admin",``. To make sure that members don't inherit policies that they shouldn't in the future. From a operators perspective it should be more secure to have an opt-in rather than opt-out.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1593177/+subscriptions

References

[Bug 1593177] [NEW] The default policy should be admin
From: Niall Bunting, 2016-06-16