OpenStack Shared File Systems Service (Manila)

public flag should be controllable via policy

Bug #1801763 reported by Maurice Escher on 2018-11-05

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Shared File Systems Service (Manila)	Fix Released	Medium	Goutham Pacha Ravi	OpenStack Shared File Systems Service (Manila) stein-3

Bug Description

Hi,

setting a share's visibility to public should be something not everybody can do.
In a multi-tenant cloud I want to disallow this entirely for a large set of my users.

One project should not pollute other projects with it's shares, regardless whether they may be not accessible from a network perspective.

I imagine to be able to control it like in Glance publicize_image, where I can set in the policy, who is allowed to change that setting.

Regards,
Maurice

See original description

Maurice Escher (maurice-escher) on 2018-11-05

description:

updated

Goutham Pacha Ravi (gouthamr) on 2018-12-20

Changed in manila:
status:	New → Confirmed
importance:	Undecided → Medium

Jason Grosso (jgrosso) on 2019-01-10

Changed in manila:
assignee:	nobody → Goutham Pacha Ravi (gouthamr)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-02-05: Fix proposed to manila (master)

Fix proposed to branch: master
Review: https://review.openstack.org/634864

Changed in manila:
status:	Confirmed → In Progress

Goutham Pacha Ravi (gouthamr) on 2019-02-06

Changed in manila:
milestone:	none → stein-3

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-02-19: Fix merged to manila (master)

Reviewed: https://review.openstack.org/634864
Committed: https://git.openstack.org/cgit/openstack/manila/commit/?id=2289cdd9e7b05efecd8a4f22b7c57628e517f1a7
Submitter: Zuul
Branch: master

commit 2289cdd9e7b05efecd8a4f22b7c57628e517f1a7
Author: Goutham Pacha Ravi <email address hidden>
Date: Mon Feb 4 14:56:13 2019 -0800

Add policy to create/update public shares

    Public shares are visible across all keystone
    projects and are "accessible" by all projects
    within a multi-tenant cloud. More often than not,
    only privileged users can create and manage shares
    that EVERYONE on the cloud can really mount and use.

    Manila deployers want a way to disable
    unprivileged users from create public shares. Feedback
    from deployers has been that public shares created on one
    private tenant network (DHSS=True scenario) cannot
    be used within another private tenant network belonging
    to a different project. So, if users unintentionally create
    public shares, they end up pollute the dashboards of users
    in other projects. So, we need to make public share
    creation a "privileged" feature. This can be achieved by
    introducing a manila API policy that defaults to
    only allowing the "admin" role. So, this commit will:
    - Introduce two new policies:
        - share:create_public_share and
        - share:set_public_share
    - Set the default check string for these policies
      to rule:admin_api. They will accept the default
      rule temporarily, and log a deprecation warning
      message.
    - Remove some redundant policy checks in code
      and move the policy check up in the API so we
      can fail unauthorized requests faster.

    When making an API change that potentially changes
    the return code from being "successful" (HTTP 2xx)
    to returning failure (in this case: HTTP 403,
    NotAuthorized), we typically maintain API backwards
    compatibility by failing the requests ONLY with newer
    API microversions. Following this pattern for API
    policy changes will introduce a security hole, i.e.,
    users can always create public shares with previous
    versions even when an administrator explicitly
    sets up policy to disable the action. This is why
    this change will not maintain API backwards
    compatibility.

    APIImpact
    Closes-Bug: #1801763
    Change-Id: Ib4fc9a82b6a3e5f8e50f0bc8a89d0445eecab028

Reviewed:  https://review.openstack.org/634864
Committed: https://git.openstack.org/cgit/openstack/manila/commit/?id=2289cdd9e7b05efecd8a4f22b7c57628e517f1a7
Submitter: Zuul
Branch:    master

commit 2289cdd9e7b05efecd8a4f22b7c57628e517f1a7
Author: Goutham Pacha Ravi <gouthampravi@gmail.com>
Date:   Mon Feb 4 14:56:13 2019 -0800

Add policy to create/update public shares
    
    Public shares are visible across all keystone
    projects and are "accessible" by all projects
    within a multi-tenant cloud. More often than not,
    only privileged users can create and manage shares
    that EVERYONE on the cloud can really mount and use.
    
    Manila deployers want a way to disable
    unprivileged users from create public shares. Feedback
    from deployers has been that public shares created on one
    private tenant network (DHSS=True scenario) cannot
    be used within another private tenant network belonging
    to a different project. So, if users unintentionally create
    public shares, they end up pollute the dashboards of users
    in other projects. So, we need to make public share
    creation a "privileged" feature. This can be achieved by
    introducing a manila API policy that defaults to
    only allowing the "admin" role. So, this commit will:
    - Introduce two new policies:
        - share:create_public_share and
        - share:set_public_share
    - Set the default check string for these policies
      to rule:admin_api. They will accept the default
      rule temporarily, and log a deprecation warning
      message.
    - Remove some redundant policy checks in code
      and move the policy check up in the API so we
      can fail unauthorized requests faster.
    
    When making an API change that potentially changes
    the return code from being "successful" (HTTP 2xx)
    to returning failure (in this case: HTTP 403,
    NotAuthorized), we typically maintain API backwards
    compatibility by failing the requests ONLY with newer
    API microversions. Following this pattern for API
    policy changes will introduce a security hole, i.e.,
    users can always create public shares with previous
    versions even when an administrator explicitly
    sets up policy to disable the action. This is why
    this change will not maintain API backwards
    compatibility.
    
    APIImpact
    Closes-Bug: #1801763
    Change-Id: Ib4fc9a82b6a3e5f8e50f0bc8a89d0445eecab028

Changed in manila:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-03-22: Fix included in openstack/manila 8.0.0.0rc1

This issue was fixed in the openstack/manila 8.0.0.0rc1 release candidate.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.