Jira (PUP-4630) auth.conf's `deny` directive is messed up, and allows forbidden requests according to moon phase
Title: Message Title Nicholas Fagerlund moved an issue Puppet / PUP-4630 auth.conf's `deny` directive is messed up, and allows forbidden requests according to moon phase Change By: Nicholas Fagerlund Workflow: Documentation Scrum Team Workflow Key: DOC PUP - 2007 4630 Project: Documentation [Internal] Puppet Add Comment This message was sent by Atlassian JIRA (v6.3.15#6346-sha1:dbc023d) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-4630) auth.conf's `deny` directive is messed up, and allows forbidden requests according to moon phase
Title: Message Title Nicholas Fagerlund commented on PUP-4630 Re: auth.conf's `deny` directive is messed up, and allows forbidden requests according to moon phase Okay, after some testing I have a rough hypothesis. If an ACL includes the exact directive allow *, all deny rules get ignored. Otherwise, there's some kind of nasty interaction between two principles: "deny goes first," and "sort by level of specificity." I can't figure out exactly what the levels of specificity are... but it looks like there's only two? That is, .lan and .fakepie.lan and /\w+\.fakepie\.lan all seem to be the same level, and it'll process denies first. But if you specify a name with no globbing or regex (bishop.fakepie.lan), an allow can override a deny at the lower level. ...So I guess you could unify this and say that there are three levels of specificity, and * is the most specific. I hate this file so much. Add Comment This message was sent by Atlassian JIRA (v6.3.15#6346-sha1:dbc023d) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-4630) auth.conf's `deny` directive is messed up, and allows forbidden requests according to moon phase
Title: Message Title Brice Figureau commented on PUP-4630 Re: auth.conf's `deny` directive is messed up, and allows forbidden requests according to moon phase The allow and deny rules are sorted based on their length, if I remember correctly. So longer rules are tested before shorter rules (independently of allow/deny), with the exception of global allow or global deny which short-circuit everything. This is to be able to write something as: ``` allow *.domain.org deny test.domain.org ``` In a top-to-bottom ordering, test.domain.org would always be allowed, but with length rule ordering, it wouldn't. Other systems have a sorting (Apache for instance) where all allow are treated before all deny (or the reverse with the use of a specific directive), but this doesn't allow all cases to be implemented correctly (except allow all this, deny all the others). Add Comment This message was sent by Atlassian JIRA (v6.4.5#64020-sha1:78acd6c) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-4630) auth.conf's `deny` directive is messed up, and allows forbidden requests according to moon phase
Title: Message Title Nicholas Fagerlund updated an issue Puppet / PUP-4630 auth.conf's `deny` directive is messed up, and allows forbidden requests according to moon phase Change By: Nicholas Fagerlund Labels: triaged Add Comment This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-4630) auth.conf's `deny` directive is messed up, and allows forbidden requests according to moon phase
Title: Message Title Moses Mendoza updated an issue Puppet / PUP-4630 auth.conf's `deny` directive is messed up, and allows forbidden requests according to moon phase Change By: Moses Mendoza Labels: triaged Add Comment This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
