Comment 23 for bug 1290537

John Garbutt (johngarbutt) wrote : Re: RBAC policy not enforced when adding a security group rule using EC2 API (CVE-2014-0167)

Yeah, I am -1 for what Chris said.

Seems like we should use the same policy as the core OpenStack API, otherwise people will have to configure new policy for an API they may not realise they had turned on, or something like that.

I agree that we should have a more granular policy on both in the long term, but that's not really the fix for this bug, as I see it.