DB access to show volumes may not be properly controlled
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Cinder | Fix Released | Medium | Kuo-tung Kao (jelly) |
Bug Description
This bug was opened to note the fact that a user can show details for a volume they don't own in the case that they had the UUID of the volume: https:/
When non-admin users know the volume UUID of a volume in a tenant they are not authorized for, they can get the volume information.
% OS_USERNAME=admin OS_TENANT_
+------
| ID | Status | Name | Size | Volume Type | Bootable | Multiattach | Attached to |
+------
| 775fafb7-
+------
% OS_USERNAME=demo OS_TENANT_
ERROR: User 3688045ce23b485
% OS_USERNAME=demo cinder show 775fafb7-
+------
| Property | Value |
+------
| attachments | [] |
| availability_zone | nova |
| bootable | false |
| consistencygroup_id | None |
| created_at | 2015-07-
| description | None |
| encrypted | False |
| id | 775fafb7-
| metadata | {} |
| multiattach | False |
| name | a1 |
| os-vol-
| os-volume-
| os-volume-
| replication_status | disabled |
| size | 1 |
| snapshot_id | None |
| source_volid | None |
| status | available |
| user_id | 030ccc6b1eb5465
| volume_type | lvmdriver-2 |
+------
In this example, the demo user can get info on the "a1" volume in the "admin" tenant
(tenant-id = 0076ae66c26e461
This problem can be circumvented by limiting the policy to 'rule:admin_
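The following is an added example, not code from Cinder or from this bug report. It models the authorization step behind `cinder show`: a volume is looked up by UUID and then the `volume:get` policy rule is evaluated against it. The permissive rule (an empty string, which oslo.policy-style evaluators treat as "always allowed") is placed beside a `rule:admin_or_owner` restriction of the kind the report suggests. The rule syntax, the `admin_or_owner` definition, the tenant and user ids and the volume table are all constructed for the example and are not taken from the Cinder code base.

```python
"""Added example (not Cinder code): a minimal policy evaluator that shows
why an unrestricted 'volume:get' rule lets a non-admin tenant read any
volume by UUID, and how 'rule:admin_or_owner' closes that.

Rule syntax is a small subset of the oslo.policy convention (assumed):
''                       -> always allowed
'rule:NAME'              -> evaluate the named rule
'KEY:%(TARGETKEY)s'      -> creds[KEY] must equal target[TARGETKEY]
'KEY:VALUE'              -> str(creds[KEY]) must equal VALUE
'A or B'                 -> either side
"""

import re

# Constructed volume table: "a1" is owned by the admin tenant, "d1" by demo.
VOLUMES = {
    "vol-a1": {"id": "vol-a1", "name": "a1",
               "project_id": "tenant-admin", "user_id": "user-admin"},
    "vol-d1": {"id": "vol-d1", "name": "d1",
               "project_id": "tenant-demo", "user_id": "user-demo"},
}

# Policy as the bug describes it: 'volume:get' is effectively unrestricted.
WEAK_POLICY = {
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "volume:get": "",
}

# Hardened policy: only admins or the owning tenant may show a volume.
FIXED_POLICY = {
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "volume:get": "rule:admin_or_owner",
}

# Constructed request credentials for the two users in the report.
ADMIN = {"user_id": "user-admin", "project_id": "tenant-admin", "is_admin": True}
DEMO = {"user_id": "user-demo", "project_id": "tenant-demo", "is_admin": False}


def check(rule, creds, target, policy):
    """Evaluate one rule string against the caller's creds and the target."""
    rule = rule.strip()
    if rule == "":
        return True                      # empty rule: allow everyone
    if " or " in rule:
        return any(check(part, creds, target, policy)
                   for part in rule.split(" or "))
    kind, _, value = rule.partition(":")
    if kind == "rule":
        return check(policy[value], creds, target, policy)
    m = re.fullmatch(r"%\((\w+)\)s", value)
    if m:                                # compare a creds field to a target field
        return creds.get(kind) == target.get(m.group(1))
    return str(creds.get(kind)) == value  # literal comparison, e.g. is_admin:True


def volume_show(creds, volume_id, policy):
    """Model of the 'cinder show' path: fetch by UUID, then enforce 'volume:get'
    with the fetched volume as the policy target."""
    vol = VOLUMES.get(volume_id)
    if vol is None:
        raise KeyError("VolumeNotFound: %s" % volume_id)
    if not check(policy["volume:get"], creds, vol, policy):
        raise PermissionError("Policy doesn't allow volume:get to be performed.")
    return vol


def demo_can_show_admin_volume(policy):
    """True if the demo tenant can read the admin tenant's volume under policy."""
    try:
        volume_show(DEMO, "vol-a1", policy)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print("weak policy  -> demo sees admin volume:", demo_can_show_admin_volume(WEAK_POLICY))
    print("fixed policy -> demo sees admin volume:", demo_can_show_admin_volume(FIXED_POLICY))
    print("fixed policy -> demo sees own volume:", volume_show(DEMO, "vol-d1", FIXED_POLICY)["name"])
```

The point the evaluator makes explicit is that the policy target has to be the volume record itself, with its `project_id`, so that `project_id:%(project_id)s` compares the caller's tenant to the owner's tenant; checking the rule against an empty target would pass the owner test for nobody and the admin test for admins only. A complementary defence, consistent with the bug title, is to scope the database lookup by the caller's project for non-admin requests so that a foreign UUID is simply not found.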
Changed in cinder:
assignee: nobody → jelly (coding1314)
status: New → Confirmed

Changed in cinder:
importance: Undecided → Medium
milestone: none → liberty-3

Changed in cinder:
status: Fix Committed → Fix Released
no longer affects: cinder (Ubuntu)
tags: added: kilo-backport-potential

Changed in cinder:
milestone: liberty-3 → 7.0.0
Fix proposed to branch: master (review.openstack.org/206450)
Review: https:/