|
|
| Reporter | joergs | Assigned To | bruno-at-bareos | |
|---|
| Priority | normal | Severity | minor | Reproducibility | always |
|---|
| Status | closed | Resolution | won't fix | |
|---|
| Product Version | 19.2.1 | |
|---|
|
|
| Summary | 0001117: When using multiple ACLs (Console ACL + Profile ACL) all negative ACLs except of the last one will be ignored |
|---|
| Description | A Console can contains ACLs and Profiles. The Profiles can also contain ACLs.
The way the Bareos Director evaluates multiple ACL is confusing (or just wrong).
All negative ACLs except of the last one will be ignored.
|
|---|
| Steps To Reproduce | Create following resource:
Console {
name = test
password = secret
Pool ACL=!Full
Profile = operator
}
The operator profile should already exist. If not, create it like this:
Profile {
name = operator
Command ACL = *all*
Pool ACL = *all*
}
Login as Console test. The ".pools" will show you all pool, including "Full".
|
|---|
| Additional Information | The function UaContext::AclAccessOk evaluates the Console ACLs first.
It stop evaluating ACLs, if it got a positive match (with is correct).
However, the function will continue checking the next ACL, if 1. no information about a resource have been found or 2. resource rejected. This is obviously wrong.
|
|---|
| Tags | No tags attached. |
|---|
|
|
