Non-admin users can get volumes in non-authorized tenants
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Cinder | Fix Released | High | Liyingjun |
Bug Description
When non-admin users know the volume uuid in the non-authorized tenant, they can get the volume information.
```text
% OS_USERNAME=admin OS_TENANT_
+------
| ID | Status | Name | Size | Volume Type | Bootable | Multiattach | Attached to |
+------
| 775fafb7-
+------
% OS_USERNAME=demo OS_TENANT_
ERROR: User 3688045ce23b485
% OS_USERNAME=demo cinder show 775fafb7-
+------
| Property | Value |
+------
| attachments | [] |
| availability_zone | nova |
| bootable | false |
| consistencygroup_id | None |
| created_at | 2015-07-
| description | None |
| encrypted | False |
| id | 775fafb7-
| metadata | {} |
| multiattach | False |
| name | a1 |
| os-vol-
| os-volume-
| os-volume-
| replication_status | disabled |
| size | 1 |
| snapshot_id | None |
| source_volid | None |
| status | available |
| user_id | 030ccc6b1eb5465
| volume_type | lvmdriver-2 |
+------
```
In this example, the demo user can get info of the "a1" volume in the "admin" tenant (tenant-id = 0076ae66c26e461
Changed in cinder:
- importance: Undecided → High

Changed in cinder:
- milestone: none → liberty-3
- status: Fix Committed → Fix Released

Changed in cinder:
- milestone: liberty-3 → 7.0.0
This is caused by no policy check for 'volume:get' [1].
[1]: http://git.openstack.org/cgit/openstack/cinder/tree/etc/cinder/policy.json#n10
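Added illustration, not Cinder's own code: a toy model of how an oslo.policy rule for 'volume:get' is evaluated, contrasting an empty rule (which checks nothing, so any caller who knows the uuid gets the volume) with an owner rule that limits reads to admins and the volume's own project. The policy fragments, tenant ids and volume uuid are constructed.

```python
# Toy model of the oslo.policy evaluation Cinder runs before serving an API
# call. Policy fragments, ids and names below are constructed, not Cinder's.

# "" is an empty rule: oslo.policy treats it as always-true, i.e. no check.
PERMISSIVE_POLICY = {
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "volume:get": "",
}

# Corrected fragment: the caller must be admin or belong to the volume's project.
OWNER_POLICY = {
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "volume:get": "rule:admin_or_owner",
}


def _check(atom, creds, target, policy):
    """Evaluate one 'kind:match' atom like oslo.policy's generic check."""
    kind, match = atom.split(":", 1)
    if kind == "rule":                     # reference to another named rule
        return enforce(match, creds, target, policy)
    if kind == "is_admin":                 # boolean credential of the caller
        return str(creds.get("is_admin", False)) == match
    # Generic check: fill %(field)s from the target, compare with the caller.
    return str(creds.get(kind)) == match % target


def enforce(rule, creds, target, policy):
    """Return True when `creds` may perform `rule` on `target` (toy: 'or' only)."""
    expr = policy[rule]
    if expr == "":
        return True
    return any(_check(a.strip(), creds, target, policy) for a in expr.split(" or "))


def volume_get(creds, volume, policy):
    """Mimic the API layer: a denied volume is reported as not found."""
    if not enforce("volume:get", creds, volume, policy):
        raise LookupError("Volume %s could not be found." % volume["id"])
    return volume


# Constructed sample: volume "a1" owned by the admin tenant, read by demo.
ADMIN_VOLUME = {"id": "11111111-2222-4333-8444-555555555555",
                "project_id": "tenant-admin", "name": "a1"}
DEMO_CREDS = {"project_id": "tenant-demo", "is_admin": False}
ADMIN_CREDS = {"project_id": "tenant-admin", "is_admin": False}
```

With PERMISSIVE_POLICY, `volume_get(DEMO_CREDS, ADMIN_VOLUME, ...)` returns the admin tenant's volume exactly as in the report above; with OWNER_POLICY the same call raises not-found while the owning tenant and admins still succeed.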