Admin Gets 403 when GETing secret payload for certain ACLs
Bug #1468904 reported by Dave McCowan
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Barbican | Fix Released | Medium | Arun Kant |
Bug Description
A project admin should always have access to GET the secrets for their project.
Currently, if a secret or container has an ACL whose project-access is set to False, an admin user will get a 403 when trying to access that secret or container.
Changed in barbican:
 assignee: nobody → Dave McCowan (dave-mccowan)

Changed in barbican:
 status: New → In Progress

Changed in barbican:
 status: In Progress → Fix Committed

Changed in barbican:
 milestone: none → liberty-2
 status: Fix Committed → Fix Released

Changed in barbican:
 milestone: liberty-2 → 1.0.0

Changed in barbican:
 importance: Undecided → Medium
There is another access-related issue associated with creator user access to a private secret or container (project-access is False).
Right now, the creator user can access a private secret or container without needing a token scoped to the same project in which the secret or container was created. With the current behavior, the creator user *always* has access, even when the admin user of that project has removed the creator user's roles for that project. This may not be the correct desired behavior in cases when roles are removed to block the creator user's access to a pool of shared private secrets/containers.
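As an added example, not Barbican's own code, the read-access rules that the bug description and the comment above describe, modelled as a small Python check. The classes, flags, role names and sample data are assumptions made to exercise the denied-admin case, the fix, and the creator-scope concern offline:

```python
from dataclasses import dataclass, field

# Assumed, simplified model of the rules described in this bug report;
# it is not Barbican's policy engine or its ACL implementation.

@dataclass
class Secret:
    project_id: str
    creator_id: str
    project_access: bool = True                  # ACL "project-access" flag
    acl_users: set = field(default_factory=set)  # users granted read via the ACL

@dataclass
class Context:
    user_id: str
    project_id: str   # project the request token is scoped to
    roles: set

def can_read(secret, ctx, admin_override=True, creator_needs_scope=False):
    """Decide whether ctx may GET secret.

    admin_override=False reproduces the reported bug: a project admin is
    treated like any other member and is denied (403) when project-access
    is False.  creator_needs_scope=True models the behaviour the follow-up
    comment asks about: the creator must hold a token scoped to the
    secret's project rather than always being allowed through.
    """
    same_project = ctx.project_id == secret.project_id
    if admin_override and same_project and "admin" in ctx.roles:
        return True                      # fix: a project admin always reads
    if ctx.user_id == secret.creator_id:
        if not creator_needs_scope or same_project:
            return True                  # creator access (unscoped today)
    if ctx.user_id in secret.acl_users:
        return True                      # explicit ACL grant
    return secret.project_access and same_project  # project-wide read

# Constructed sample data.
SECRET = Secret("proj-A", "alice", project_access=False, acl_users={"bob"})
ADMIN = Context("carol", "proj-A", {"admin"})
MEMBER = Context("dan", "proj-A", {"member"})
CREATOR_ELSEWHERE = Context("alice", "proj-B", set())  # roles in proj-A removed

def demo():
    return {
        "admin_buggy": can_read(SECRET, ADMIN, admin_override=False),  # False (403)
        "admin_fixed": can_read(SECRET, ADMIN),                        # True
        "member": can_read(SECRET, MEMBER),                            # False
        "creator_unscoped": can_read(SECRET, CREATOR_ELSEWHERE),       # True today
        "creator_scoped": can_read(SECRET, CREATOR_ELSEWHERE, creator_needs_scope=True),  # False
        "acl_user": can_read(SECRET, Context("bob", "proj-Z", set())), # True
    }
```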