Bug #1955627 “[S-RBAC] project admin can update the state of a s...” : Bugs : OpenStack Shared File Systems Service (Manila)

Liron Kuchlani (lkuchlan) on 2021-12-23

description:

updated

Vida Haririan (vhariria) on 2022-01-05

tags:

added: rbac

Vida Haririan (vhariria) on 2022-01-06

Changed in manila:
importance:	Undecided → Low
milestone:	none → yoga-3

Revision history for this message

Vida Haririan (vhariria) wrote on 2022-01-06:

#1

Additional information is at https://meetings.opendev.org/meetings/manila/2022/manila.2022-01-06-15.00.log.html

Carlos Eduardo (silvacarlose) on 2022-03-03

tags:

added: low-hanging-fruit

Carlos Eduardo (silvacarlose) on 2022-03-03

Changed in manila:
assignee:	nobody → Shkoh Hamasoor (shkohy)

Revision history for this message

Goutham Pacha Ravi (gouthamr) wrote on 2022-03-03:

#2

The problem here seems to be the "reset_status" logic doesn't check if the requester has permission to retrieve/manipulate the resource.

https://opendev.org/openstack/manila/src/commit/3ce3854ae9193d94537857737b961576386978b6/manila/api/openstack/wsgi.py#L1239-L1254

Before we perform the _update in that method, we could performa policy check with the resource as the target..

resource = self._get(context, id)
policy.check_policy(context, "%s:%s" % (resource_name, reset_status), resource)

Carlos Eduardo (silvacarlose) on 2022-03-10

Changed in manila:
milestone:	yoga-3 → zed-1

Carlos Eduardo (silvacarlose) on 2022-06-20

Changed in manila:
milestone:	zed-1 → zed-2

Goutham Pacha Ravi (gouthamr) on 2022-06-21

Changed in manila:
assignee:	Shkoh Hamasoor (shkohy) → nobody

Vida Haririan (vhariria) on 2022-06-23

Changed in manila:
assignee:	nobody → moin Ahmed (moin)

Mohammed Moin Mulla (mohammedmoin) on 2022-06-23

Changed in manila:
assignee:	moin Ahmed (moin) → Mohammed Moin Mulla (mohammedmoin)

Revision history for this message

Vida Haririan (vhariria) wrote on 2022-06-23:

#3

See additional discussions at https://meetings.opendev.org/meetings/manila/2022/manila.2022-06-23-15.00.log.html

Carlos Eduardo (silvacarlose) on 2022-07-28

Changed in manila:
milestone:	zed-2 → zed-3

Carlos Eduardo (silvacarlose) on 2022-09-13

Changed in manila:
assignee:	Mohammed Moin Mulla (mohammedmoin) → Goutham Pacha Ravi (gouthamr)

Goutham Pacha Ravi (gouthamr) on 2022-09-13

Changed in manila:
milestone:	zed-3 → zed-rc1

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-09-15: Fix proposed to manila (master)

#4

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/manila/+/857980

Changed in manila:
status:	New → In Progress

Carlos Eduardo (silvacarlose) on 2022-10-06

Changed in manila:
milestone:	zed-rc1 → antelope-1

Carlos Eduardo (silvacarlose) on 2022-11-29

Changed in manila:
milestone:	antelope-1 → antelope-2

Carlos Eduardo (silvacarlose) on 2023-01-25

Changed in manila:
milestone:	antelope-2 → antelope-3

Carlos Eduardo (silvacarlose) on 2023-02-24

Changed in manila:
milestone:	antelope-3 → antelope-rc1

Goutham Pacha Ravi (gouthamr) on 2023-04-13

Changed in manila:
milestone:	antelope-rc1 → bobcat-1

Carlos Eduardo (silvacarlose) on 2023-06-21

Changed in manila:
milestone:	bobcat-1 → bobcat-2

Carlos Eduardo (silvacarlose) on 2023-08-17

Changed in manila:
milestone:	bobcat-2 → bobcat-3

Goutham Pacha Ravi (gouthamr) on 2023-09-19

Changed in manila:
milestone:	bobcat-3 → bobcat-rc1

Goutham Pacha Ravi (gouthamr) on 2023-09-21

Changed in manila:
milestone:	bobcat-rc1 → caracal-1

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2023-09-28: Fix proposed to manila (stable/2023.2)

#5

Fix proposed to branch: stable/2023.2
Review: https://review.opendev.org/c/openstack/manila/+/896846

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2023-09-28: Fix merged to manila (master)

#6

Reviewed: https://review.opendev.org/c/openstack/manila/+/857980
Committed: https://opendev.org/openstack/manila/commit/55edb00cc12ade9df333e9c0a3472e68d797b8f6
Submitter: "Zuul (22348)"
Branch: master

commit 55edb00cc12ade9df333e9c0a3472e68d797b8f6
Author: Goutham Pacha Ravi <email address hidden>
Date: Thu Sep 15 13:56:44 2022 -0700

[RBAC] Enforce check for share updates

    When a user has access to the APIs to reset status,
    task state or replica state but doesn't have access to
    the share, they must be prevented from performing
    those actions. This enforcement allows granular control
    of these actions and the resources themselves.

    Change-Id: Ic3be777b238a467d1b7bd1daa6aa088dedb095b0
    Closes-Bug: #1955627
    Signed-off-by: Goutham Pacha Ravi <email address hidden>

Changed in manila:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2023-10-05: Fix merged to manila (stable/2023.2)

#7

Reviewed: https://review.opendev.org/c/openstack/manila/+/896846
Committed: https://opendev.org/openstack/manila/commit/f1aa5f0744f21cdae9394da00f36cc57ce5e09f0
Submitter: "Zuul (22348)"
Branch: stable/2023.2

commit f1aa5f0744f21cdae9394da00f36cc57ce5e09f0
Author: Goutham Pacha Ravi <email address hidden>
Date: Thu Sep 15 13:56:44 2022 -0700

[RBAC] Enforce check for share updates

    When a user has access to the APIs to reset status,
    task state or replica state but doesn't have access to
    the share, they must be prevented from performing
    those actions. This enforcement allows granular control
    of these actions and the resources themselves.

    Change-Id: Ic3be777b238a467d1b7bd1daa6aa088dedb095b0
    Closes-Bug: #1955627
    Signed-off-by: Goutham Pacha Ravi <email address hidden>
    (cherry picked from commit 55edb00cc12ade9df333e9c0a3472e68d797b8f6)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2023-10-05: Fix proposed to manila (stable/2023.1)

#8

Fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/manila/+/897450

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2023-10-11: Fix proposed to manila (stable/zed)

#9

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/manila/+/897962

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2023-10-11: Fix merged to manila (stable/2023.1)

#10

Reviewed: https://review.opendev.org/c/openstack/manila/+/897450
Committed: https://opendev.org/openstack/manila/commit/6781f22bf1d78b89f500f538244d0991152f8e6d
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit 6781f22bf1d78b89f500f538244d0991152f8e6d
Author: Goutham Pacha Ravi <email address hidden>
Date: Thu Sep 15 13:56:44 2022 -0700

[RBAC] Enforce check for share updates

    When a user has access to the APIs to reset status,
    task state or replica state but doesn't have access to
    the share, they must be prevented from performing
    those actions. This enforcement allows granular control
    of these actions and the resources themselves.

    Change-Id: Ic3be777b238a467d1b7bd1daa6aa088dedb095b0
    Closes-Bug: #1955627
    Signed-off-by: Goutham Pacha Ravi <email address hidden>
    (cherry picked from commit 55edb00cc12ade9df333e9c0a3472e68d797b8f6)
    (cherry picked from commit f1aa5f0744f21cdae9394da00f36cc57ce5e09f0)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2023-10-12: Fix included in openstack/manila 16.1.0

#11

This issue was fixed in the openstack/manila 16.1.0 release.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2023-10-16: Fix merged to manila (stable/zed)

#12

Reviewed: https://review.opendev.org/c/openstack/manila/+/897962
Committed: https://opendev.org/openstack/manila/commit/27a89a6a1cfa0f75d270e46c933aa24cd9708c27
Submitter: "Zuul (22348)"
Branch: stable/zed

commit 27a89a6a1cfa0f75d270e46c933aa24cd9708c27
Author: Goutham Pacha Ravi <email address hidden>
Date: Thu Sep 15 13:56:44 2022 -0700

[RBAC] Enforce check for share updates

    When a user has access to the APIs to reset status,
    task state or replica state but doesn't have access to
    the share, they must be prevented from performing
    those actions. This enforcement allows granular control
    of these actions and the resources themselves.

    Change-Id: Ic3be777b238a467d1b7bd1daa6aa088dedb095b0
    Closes-Bug: #1955627
    Signed-off-by: Goutham Pacha Ravi <email address hidden>
    (cherry picked from commit 55edb00cc12ade9df333e9c0a3472e68d797b8f6)
    (cherry picked from commit f1aa5f0744f21cdae9394da00f36cc57ce5e09f0)
    (cherry picked from commit 6781f22bf1d78b89f500f538244d0991152f8e6d)

tags:

added: in-stable-zed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2023-10-16: Fix proposed to manila (stable/yoga)

#13

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/manila/+/898488

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2023-10-19: Fix included in openstack/manila 17.1.0

#14

This issue was fixed in the openstack/manila 17.1.0 release.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2023-11-09: Fix included in openstack/manila 15.3.0

#15

This issue was fixed in the openstack/manila 15.3.0 release.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2024-02-20: Change abandoned on manila (stable/yoga)

#16

Change abandoned by "Elod Illes <email address hidden>" on branch: stable/yoga
Review: https://review.opendev.org/c/openstack/manila/+/898488
Reason: stable/yoga branch of openstack/manila is about to be deleted. To be able to do that, all open patches need to be abandoned. Please cherry pick the patch to unmaintained/yoga if you want to further work on this patch.