Non-admin users can get volumes in non-authorized tenants
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mirantis OpenStack | Fix Released | High | Yuriy Nesenenko |
Bug Description
When a non-admin user knows the UUID of a volume that belongs to a tenant they are not authorized for, they can still retrieve that volume's information.
% OS_USERNAME=admin OS_TENANT_
+------
| ID | Status | Name | Size | Volume Type | Bootable | Multiattach | Attached to |
+------
| 775fafb7-
+------
% OS_USERNAME=demo OS_TENANT_
ERROR: User 3688045ce23b485
% OS_USERNAME=demo cinder show 775fafb7-
+------
| Property | Value |
+------
| attachments | [] |
| availability_zone | nova |
| bootable | false |
| consistencygroup_id | None |
| created_at | 2015-07-
| description | None |
| encrypted | False |
| id | 775fafb7-
| metadata | {} |
| multiattach | False |
| name | a1 |
| os-vol-
| os-volume-
| os-volume-
| replication_status | disabled |
| size | 1 |
| snapshot_id | None |
| source_volid | None |
| status | available |
| user_id | 030ccc6b1eb5465
| volume_type | lvmdriver-2 |
+------
In this example, the demo user can get the details of the "a1" volume that belongs to the "admin" tenant
(tenant-id = 0076ae66c26e461
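The flaw above reduces to a lookup keyed on the volume UUID alone, with no check that the caller's project owns the volume. The following is an added illustration, not Cinder's code and not the fix referenced below: it models the unscoped lookup beside a project-scoped one, using constructed `Context`/`Volume` types and sample tenant and volume ids that stand in for the real ones.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """Request context: who is calling and on behalf of which project (tenant)."""
    user_id: str
    project_id: str
    is_admin: bool = False


@dataclass(frozen=True)
class Volume:
    id: str
    project_id: str   # owning tenant
    name: str
    size: int


class NotFound(Exception):
    pass


# Constructed sample data: one volume in the "admin" tenant, one in the "demo" tenant.
VOLUMES = {
    "vol-admin-a1": Volume("vol-admin-a1", "tenant-admin", "a1", 1),
    "vol-demo-d1": Volume("vol-demo-d1", "tenant-demo", "d1", 2),
}


def volume_get_unscoped(ctx: Context, volume_id: str) -> Volume:
    """Vulnerable pattern: any authenticated caller who knows the UUID gets the row."""
    try:
        return VOLUMES[volume_id]
    except KeyError:
        raise NotFound(volume_id) from None


def volume_get_scoped(ctx: Context, volume_id: str) -> Volume:
    """Hardened pattern: non-admin callers only see volumes in their own project.
    A volume in another tenant is reported exactly like a nonexistent id, so the
    response does not even confirm that the UUID exists."""
    vol = VOLUMES.get(volume_id)
    if vol is None or (not ctx.is_admin and vol.project_id != ctx.project_id):
        raise NotFound(volume_id)
    return vol


def can_read(ctx: Context, volume_id: str, lookup) -> bool:
    """True if `lookup` returns the volume for this caller, False if it reports not found."""
    try:
        lookup(ctx, volume_id)
        return True
    except NotFound:
        return False
```

Run `can_read(demo, "vol-admin-a1", volume_get_unscoped)` versus the scoped variant to see the cross-tenant read succeed in the first case and fail in the second.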
Upstream bug: https:/
Changed in mos:
  status: New → In Progress
  assignee: nobody → Yuriy Nesenenko (ynesenenko)
  importance: Undecided → High
  milestone: none → 7.0
  tags: added: cinder
Changed in mos:
  status: In Progress → Fix Committed
  tags: added: on-verification
  tags: removed: on-verification
Fix proposed to branch: master (review.fuel-infra.org/9817)
Change author: Yuriy Nesenenko <email address hidden>
Review: https:/