incubator-bloodhound-commits mailing list archives

From "Apache Bloodhound" <>
Subject Re: [Apache Bloodhound] #438: Implement and enforce product permission policy
Date Sun, 17 Mar 2013 07:31:31 GMT
#438: Implement and enforce product permission policy
  Reporter:  olemis        |      Owner:  jure
      Type:  task          |     Status:  review
  Priority:  critical      |  Milestone:  Release 6
 Component:  multiproduct  |    Version:
Resolution:                |   Keywords:  permission security
Changes (by olemis):

 * status:  accepted => review
 * owner:  olemis => jure

Old description:


New description:


   - Leverage PRODUCT_ADMIN as a meta-permission in product context
   - Product owner automatically granted with PRODUCT_ADMIN in product
   - TRAC_ADMIN granted in product env will be ignored
     * Setting TRAC_ADMIN permission in product scope is in vain
       since it controls access to critical actions affecting the whole
       This will protect the system against malicious actors
       and / or failures leading to the addition of TRAC_ADMIN permission
       in product perm store in spite of obtaining unrighteous super
       On the other hand this also means that PRODUCT_ADMIN(s) are
       able to set user permissions at will without jeopardizing system
       integrity and stability.
   - TRAC_ADMIN in global env also valid in product env



 [attachment:t438_r1456016_product_perms.diff Attached patch] implements
 this ticket. As a consequence I'm proposing to revert part of the code
 added for #404 in r1449636 by applying patches in the following order:


 $ hg qapplied


 @jure @matevzb: Nevertheless I didn't find a way to check whether the
 same expectations you had when applying those changes (i.e. r1449636) will
 still be met. Considering the fact that the rationale is a bit fuzzy to
 me, I kindly request your comments.

Ticket URL: <>
Apache Bloodhound <>
The Apache Bloodhound (incubating) issue tracker
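
The policy rules listed in the ticket description above, modelled as a stand-alone Python check. This is an added example, not Bloodhound's code or the attached patch; `Product`, `check_permission` and the sample users and grants are hypothetical, and inheritance of non-admin global permissions into a product is left out because the message does not cover it.

```python
from dataclasses import dataclass, field

TRAC_ADMIN = "TRAC_ADMIN"
PRODUCT_ADMIN = "PRODUCT_ADMIN"


@dataclass
class Product:
    """Hypothetical stand-in for a product environment."""
    prefix: str
    owner: str
    # Product-scoped permission store: user -> actions granted in the product.
    perms: dict = field(default_factory=dict)


def check_permission(action, user, global_perms, product=None):
    """Decide whether `user` may perform `action`.

    global_perms maps user -> actions granted in the global environment.
    product is None in global context, a Product in product context.
    """
    user_global = global_perms.get(user, set())
    # TRAC_ADMIN granted in the global env is also valid in product env.
    if TRAC_ADMIN in user_global:
        return True
    if product is None:
        return action in user_global
    # TRAC_ADMIN guards site-wide actions, so nothing in product scope
    # can satisfy it, not even PRODUCT_ADMIN.
    if action == TRAC_ADMIN:
        return False
    # A TRAC_ADMIN row in the product permission store is ignored.
    granted = set(product.perms.get(user, ())) - {TRAC_ADMIN}
    # The product owner is automatically granted PRODUCT_ADMIN.
    if user == product.owner:
        granted.add(PRODUCT_ADMIN)
    # PRODUCT_ADMIN is a meta-permission inside the product.
    return PRODUCT_ADMIN in granted or action in granted


# Constructed sample data: mallory has a TRAC_ADMIN row in the product store.
GLOBAL_PERMS = {"root": {TRAC_ADMIN}, "mallory": {"WIKI_VIEW"}}
PRODUCT = Product(
    prefix="p1",
    owner="alice",
    perms={"mallory": {TRAC_ADMIN, "TICKET_VIEW"}, "bob": {PRODUCT_ADMIN}},
)
```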
