protected property change not rejected if a subsequent rule match accepts them
Bug #1271426 reported by Mark Washenberger
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Glance | Fix Released | High | Thomas Leaman |
Havana | Fix Released | High | Thomas Leaman |
OpenStack Security Notes | Fix Released | High | Nathan Kinder |
Bug Description
See initial report here: http://
What is happening is that if there is a specific rule that would reject an action and a less specific rule that comes after that would accept the action, then the action is being accepted. It should be rejected.
This is because we iterate through the property protection rules rather than just finding the first match. This bug does not occur when policies are used to determine property protections, only when roles are used directly.
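A minimal model of the evaluation flaw described above, added here as an illustration; it is not Glance's code and not part of the original report. The rule list, property names, roles and function names are constructed, and "no matching rule means reject" is an assumption of the model.

```python
import re

# Constructed rules, evaluated in file order: (property-name regex, {operation: roles}).
RULES = [
    (re.compile(r"^x_billing_code_.*"), {"update": {"admin"}}),
    (re.compile(r".*"), {"update": {"admin", "member"}}),
]

def allowed_any_match(rules, prop, operation, roles):
    """Reported behaviour: iterate all rules, accept as soon as any matching rule accepts."""
    for pattern, perms in rules:
        if pattern.search(prop) and perms.get(operation, set()) & set(roles):
            return True
    return False

def allowed_first_match(rules, prop, operation, roles):
    """Expected behaviour: the first rule whose pattern matches decides the outcome."""
    for pattern, perms in rules:
        if pattern.search(prop):
            return bool(perms.get(operation, set()) & set(roles))
    return False  # assumption in this model: no matching rule means reject

def shadowed_rejections(rules, cases):
    """Return the (prop, operation, roles) cases a later, broader rule wrongly accepts."""
    return [c for c in cases
            if allowed_any_match(rules, *c) and not allowed_first_match(rules, *c)]

CASES = [  # constructed requests
    ("x_billing_code_42", "update", ("member",)),
    ("x_billing_code_42", "update", ("admin",)),
    ("description", "update", ("member",)),
]

if __name__ == "__main__":
    for case in shadowed_rejections(RULES, CASES):
        print("accepted but should be rejected:", case)
```

Running the two evaluators side by side over a rule file is a quick regression check: any case returned by `shadowed_rejections` is a protected property that a broader rule further down would expose.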
Changed in glance:
status: New → Confirmed
importance: Undecided → High
Changed in glance:
status: Confirmed → Triaged
milestone: none → icehouse-3
Changed in glance:
assignee: nobody → Thomas Leaman (thomas-leaman)
Changed in glance:
status: Triaged → In Progress
Changed in glance:
status: Fix Committed → Fix Released
Changed in glance:
milestone: icehouse-3 → 2014.1
This is a candidate for backporting to havana stable.