Potential race condition with ACL & group editing #26
Labels
Status: To be prioritized
Triage: Try Reproducing
Type: Bug
As I've been working on adding orgs+RBAC to goiardi, I noticed that the behavior oc-chef-pedant expects when you edit the ACL or groups is to provide a list of the actors and groups to be in the group, whereupon the existing actors and groups in the ACL or group are cleared out and the actors and groups in the request are added back in.
This leads to a situation where if two people are simultaneously editing a group or ACL, or if a user is being created at the same moment a group is being edited, one of the changes could be overwritten. This could lead to strange situations where a user that's been added to an org is not in the users group, or trying to remove access from a group or actor gets overwritten and they retain their access.
It may be better to explicitly add and remove users from ACLs and groups to prevent this. It might be a little more cumbersome for the tooling, but I think it would be safer all around.
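The lost update described in this issue, replayed as an added example that is not part of the original post and is not goiardi or Chef Server code: `Group`, `Apply` and `Run` are hypothetical names, the member names are constructed, and each request is applied one at a time so the overwrite comes from the replace semantics alone, not from unsynchronized storage.

```go
package main

import (
	"fmt"
	"sort"
)

// Group is a hypothetical stand-in for a server-side group or ACL.
type Group struct{ members map[string]bool }

// Members returns a sorted snapshot, as a client reads before editing.
func (g *Group) Members() []string {
	out := []string{}
	for n := range g.members {
		out = append(out, n)
	}
	sort.Strings(out)
	return out
}

// Apply adds then removes members; clear=true first empties the group,
// modeling the replace-whole-list behavior the issue describes.
func (g *Group) Apply(clear bool, add, remove []string) {
	if clear {
		g.members = map[string]bool{}
	}
	for _, n := range add {
		g.members[n] = true
	}
	for _, n := range remove {
		delete(g.members, n)
	}
}

// Run replays one fixed interleaving on constructed data: admins A and B
// both read the group, then A revokes mallory and B adds bob.
func Run(replace bool) []string {
	g := &Group{members: map[string]bool{"alice": true, "mallory": true}}
	snapA, snapB := g.Members(), g.Members() // both reads precede both writes
	if replace {
		g.Apply(true, snapA[:1], nil)            // A sends the list minus mallory
		g.Apply(true, append(snapB, "bob"), nil) // B's stale list restores mallory
	} else {
		g.Apply(false, nil, []string{"mallory"}) // A sends only the removal
		g.Apply(false, []string{"bob"}, nil)     // B sends only the addition
	}
	return g.Members()
}

func main() { fmt.Println("replace:", Run(true), "delta:", Run(false)) }
```

With replace semantics the revoked member is back in the group after B's write; with explicit add and remove requests the result is the same whichever request arrives first.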