[Yahoo-eng-team] [Bug 1271426] Re: protected property change not rejected if a subsequent rule match accepts them
The new revision of OSSN-0013 has been published to the mailing lists and the wiki:

https://wiki.openstack.org/wiki/OSSN/OSSN-0013

** Changed in: ossn
       Status: In Progress => Fix Released

** Changed in: ossn
     Assignee: Robert Clark (robert-clark) => Nathan Kinder (nkinder)

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1271426

Title:
  protected property change not rejected if a subsequent rule match accepts them

Status in OpenStack Image Registry and Delivery Service (Glance):
  Fix Released
Status in Glance havana series:
  Fix Released
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  See initial report here: http://lists.openstack.org/pipermail/openstack-dev/2014-January/024861.html

  What is happening is that if there is a specific rule that would reject an action and a less specific rule that comes after that would accept the action, then the action is being accepted. It should be rejected.

  This is because we iterate through the property protection rules rather than just finding the first match. This bug does not occur when policies are used to determine property protections, only when roles are used directly.

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1271426/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
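The evaluation-order flaw in the bug description above, shown as a simplified model. This is an added example, not Glance's code and not part of the original messages; the rule patterns, role names and function names are constructed for illustration, and denying when no rule matches is an assumption of the model.

```python
import re

# Constructed rules, ordered most specific first:
# (property-name pattern, {operation: roles allowed to perform it}).
RULES = [
    (re.compile(r"^x_billing_code$"), {"update": {"admin"}}),
    (re.compile(r"^x_.*"),            {"update": {"admin", "member"}}),
    (re.compile(r".*"),               {"update": {"admin"}}),
]


def check_any_match(prop, operation, roles):
    """Flawed evaluation: keeps iterating after a matching rule rejects,
    so a later, less specific rule can still accept the action."""
    for pattern, perms in RULES:
        if pattern.search(prop) and set(roles) & perms.get(operation, set()):
            return True
    return False


def check_first_match(prop, operation, roles):
    """Intended evaluation: the first rule whose pattern matches decides."""
    for pattern, perms in RULES:
        if pattern.search(prop):
            return bool(set(roles) & perms.get(operation, set()))
    return False  # assumption of this model: no matching rule means deny


def find_shadowed_denials(operation, roles, sample_props):
    """Audit helper: properties a specific rule rejects but which the
    flawed evaluation accepts through a later rule."""
    return [p for p in sample_props
            if check_any_match(p, operation, roles)
            and not check_first_match(p, operation, roles)]


if __name__ == "__main__":
    props = ["x_billing_code", "x_note", "os_type"]
    print(find_shadowed_denials("update", ["member"], props))
```

Running `find_shadowed_denials` over a deployment's own property names and role sets lists the properties whose protection depends on which of the two evaluations is in effect.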
[Yahoo-eng-team] [Bug 1271426] Re: protected property change not rejected if a subsequent rule match accepts them
Reopening this OSSN bug. The workaround in the OSSN has been reported to not work. Details from the reporter to come shortly.

** Changed in: ossn
       Status: Fix Released => In Progress

Status in OpenStack Image Registry and Delivery Service (Glance):
  Fix Released
Status in Glance havana series:
  Fix Released
Status in OpenStack Security Notes:
  In Progress
[Yahoo-eng-team] [Bug 1271426] Re: protected property change not rejected if a subsequent rule match accepts them
This has been published as OSSN-0013 to the mailing lists (openstack and openstack-dev), and the OpenStack wiki:

https://wiki.openstack.org/wiki/OSSN/OSSN-0013

** Changed in: ossn
       Status: Confirmed => Fix Released

Status in OpenStack Image Registry and Delivery Service (Glance):
  Fix Released
Status in Glance havana series:
  Fix Released
Status in OpenStack Security Notes:
  Fix Released
[Yahoo-eng-team] [Bug 1271426] Re: protected property change not rejected if a subsequent rule match accepts them
** Changed in: glance
       Status: Fix Committed => Fix Released

Status in OpenStack Image Registry and Delivery Service (Glance):
  Fix Released
Status in Glance havana series:
  Fix Released
Status in OpenStack Security Notes:
  Confirmed
[Yahoo-eng-team] [Bug 1271426] Re: protected property change not rejected if a subsequent rule match accepts them
** Changed in: glance/havana
       Status: Fix Committed => Fix Released

Status in OpenStack Image Registry and Delivery Service (Glance):
  Fix Committed
Status in Glance havana series:
  Fix Released
Status in OpenStack Security Notes:
  New
[Yahoo-eng-team] [Bug 1271426] Re: protected property change not rejected if a subsequent rule match accepts them
This seems like something that might catch out unsuspecting sysadmins. Do you think it is worth issuing an OSSN for this?

** Also affects: ossn
   Importance: Undecided
       Status: New

Status in OpenStack Image Registry and Delivery Service (Glance):
  Fix Committed
Status in Glance havana series:
  In Progress
Status in OpenStack Security Notes:
  New
[Yahoo-eng-team] [Bug 1271426] Re: protected property change not rejected if a subsequent rule match accepts them
** Also affects: glance/havana
   Importance: Undecided
       Status: New

** Changed in: glance/havana
   Importance: Undecided => High

** Changed in: glance/havana
       Status: New => In Progress

** Changed in: glance/havana
     Assignee: (unassigned) => Thomas Leaman (thomas-leaman)

Status in OpenStack Image Registry and Delivery Service (Glance):
  Fix Committed
Status in Glance havana series:
  In Progress