Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

runtime: Drop "Barring access control concerns" #730

Merged
merged 1 commit into from
May 10, 2017
Merged

runtime: Drop "Barring access control concerns" #730

merged 1 commit into from
May 10, 2017

Conversation

wking
Copy link
Contributor

@wking wking commented Mar 16, 2017

This wording landed without comment as part of #225. However, I'm not entirely clear on the exception it's making. It may be trying to say something like:

Just because you were authorized to manage that container when you created it doesn't mean you're still authorized to perform operation X on it now. Maybe you've lost privileges in the meantime.

But as far as compliance testing is concerned, the same test harness will be calling create and the subsequent operations. That harness will be reporting MUST violations if the runtime refuses a subsequent operation, and removing the access-control loophole makes it more obvious that the runtime's refusal is non-compliant.

@wking
runtime: Drop "Barring access control concerns"
92a17a9 
This wording landed without comment as part of 7117ede (Expand on the
definition of our ops, 2015-10-13, opencontainers#225).  However, I'm not entirely
clear on the exception it's making.  It may be trying to say something
like:

  Just because you were authorized to manage that container when you
  created it doesn't mean you're still authorized to perform operation
  X on it now.  Maybe you've lost privileges in the meantime.

But as far as compliance testing is concerned, the same test harness
will be calling 'create' and the subsequent operations.  That harness
will be reporting MUST violations if the runtime refuses a subsequent
operation, and removing the access-control loophole makes it more
obvious that the runtime's refusal is non-compliant.

Signed-off-by: W. Trevor King <wking@tremily.us>
@crosbymichael
Copy link
Member

crosbymichael commented May 9, 2017
edited by caniszczyk
Loading

LGTM

Approved with PullApprove

1 similar comment
@hqhq
Copy link
Contributor

hqhq commented May 10, 2017
edited by caniszczyk
Loading

LGTM

Approved with PullApprove

@hqhq hqhq merged commit db100f4 into opencontainers:master May 10, 2017
@wking wking deleted the drop-access-control-concerns branch May 10, 2017 23:51
@vbatts vbatts mentioned this pull request May 19, 2017
Closed
@vbatts vbatts mentioned this pull request Jul 5, 2017
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@wking @crosbymichael @hqhq