View Issue Details

IDProjectCategoryView StatusLast Update
0001117bareos-coredirectorpublic2019-11-11 19:00
Reporterjoergs Assigned To 
Status confirmedResolutionopen 
Product Version19.2.1 
Summary0001117: When using multiple ACLs (Console ACL + Profile ACL) all negative ACLs except of the last one will be ignored
DescriptionA Console can contains ACLs and Profiles. The Profiles can also contain ACLs.

The way the Bareos Director evaluates multiple ACL is confusing (or just wrong).

All negative ACLs except of the last one will be ignored.

Steps To ReproduceCreate following resource:

Console {
  name = test
  password = secret
  Pool ACL=!Full
  Profile = operator

The operator profile should already exist. If not, create it like this:
Profile {
  name = operator
  Command ACL = *all*
  Pool ACL = *all*

Login as Console test. The ".pools" will show you all pool, including "Full".
Additional InformationThe function UaContext::AclAccessOk evaluates the Console ACLs first.
It stop evaluating ACLs, if it got a positive match (with is correct).
However, the function will continue checking the next ACL, if 1. no information about a resource have been found or 2. resource rejected. This is obviously wrong.
TagsNo tags attached.
bareos-master: impact
bareos-master: action
bareos-19.2: impact
bareos-19.2: action
bareos-18.2: impact
bareos-18.2: action
bareos-17.2: impact
bareos-17.2: action
bareos-16.2: impact
bareos-16.2: action
bareos-15.2: impact
bareos-15.2: action
bareos-14.2: impact
bareos-14.2: action
bareos-13.2: impact
bareos-13.2: action
bareos-12.4: impact
bareos-12.4: action


There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2019-09-23 13:57 joergs New Issue
2019-11-11 19:00 joergs Status new => confirmed