OpenStack Shared File Systems Service (Manila)

Unable to allow non-admins with policy: security_services:get_all_security_services

Bug #1916102 reported by Goutham Pacha Ravi on 2021-02-19

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Shared File Systems Service (Manila)	Fix Released	Medium	Cameron Kolodjski	OpenStack Shared File Systems Service (Manila) zed-2

Bug Description

Description
===========

Manila's security services API allows a user to retrieve all security services
in manila [1]. This sits behind a RBAC policy: "security_services:get_all_security_services" [2].
This RBAC policy currently defaults to "admin" [3] and the default will transition to system scoped admin users [3] in the future.

However, even when one changes the policy to a non admin user today, they will be unable to use this API query, because the code enforces that the caller has an administrator context [4]. This is undesirable to the way we want flexibility in our code wrt allowing deployers to tune RBAC policies to customize API access.

Steps to reproduce
==================

A chronological list of steps which will help reproduce the issue you hit:
* Created a policy.yaml file and set "security_service:get_all_security_services" to "rule:default" (meaning that all users can see all security services)
* as a regular non-admin user of a project, invoked "GET /security-services?all_tenants=True" API

Expected result
===============
Security services of all projects should be retrieved

Actual result
=============
Only security services of my own project were retrieved.

Tags:

Revision history for this message

Vida Haririan (vhariria) wrote on 2021-03-03:

Additional comments http://eavesdrop.openstack.org/meetings/manila/2021/manila.2021-02-25-15.01.log.html

Changed in manila:
importance:	Undecided → Low

Goutham Pacha Ravi (gouthamr) on 2021-03-15

tags:	added: rbac
tags:	added: backport-potential rocky-backport-potential stein-backport-potential train-backport-potential ussuri-backport-potential victoria-backport-potential

Goutham Pacha Ravi (gouthamr) on 2021-03-16

tags:

added: wallaby-rc-bugsquash

Goutham Pacha Ravi (gouthamr) on 2021-03-26

Changed in manila:
milestone:	none → xena-1

Goutham Pacha Ravi (gouthamr) on 2021-03-26

tags:

removed: wallaby-rc-bugsquash

Victoria Martinez de la Cruz (vkmc) on 2021-06-07

Changed in manila:
status:	New → Confirmed
importance:	Low → Medium

Goutham Pacha Ravi (gouthamr) on 2021-07-08

Changed in manila:
milestone:	xena-1 → xena-2

Goutham Pacha Ravi (gouthamr) on 2021-08-03

Changed in manila:
milestone:	xena-2 → xena-3

Carlos Eduardo (silvacarlose) on 2021-09-20

Changed in manila:
milestone:	xena-3 → yoga-1

Goutham Pacha Ravi (gouthamr) on 2021-11-29

Changed in manila:
milestone:	yoga-1 → yoga-2

Revision history for this message

Vida Haririan (vhariria) wrote on 2021-12-16:

Please refer to full meeting dialog at https://meetings.opendev.org/meetings/manila/2021/manila.2021-12-16-15.01.log.html

Changed in manila:
assignee:	nobody → Goutham Pacha Ravi (gouthamr)

Carlos Eduardo (silvacarlose) on 2022-01-27

Changed in manila:
milestone:	yoga-2 → yoga-3

Revision history for this message

Goutham Pacha Ravi (gouthamr) wrote on 2022-03-03:

The errant code is here: https://opendev.org/openstack/manila/src/commit/3ce3854ae9193d94537857737b961576386978b6/manila/api/v1/security_service.py#L111

We just need to pop off the "context.is_admin" check in that condition..

Changed in manila:
milestone:	yoga-3 → yoga-rc1

Carlos Eduardo (silvacarlose) on 2022-03-03

tags:

added: low-hanging-fruit

Goutham Pacha Ravi (gouthamr) on 2022-03-07

Changed in manila:
assignee:	Goutham Pacha Ravi (gouthamr) → nobody

Cameron Kolodjski (ckolod) on 2022-03-08

Changed in manila:
assignee:	nobody → Cameron Kolodjski (ckolod)

Cameron Kolodjski (ckolod) on 2022-03-08

Changed in manila:
status:	Confirmed → In Progress

Carlos Eduardo (silvacarlose) on 2022-03-10

Changed in manila:
milestone:	yoga-rc1 → zed-1

Revision history for this message

Carlos Eduardo (silvacarlose) wrote on 2022-05-05:

Change proposed: https://review.opendev.org/c/openstack/manila/+/832734

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-05-05: Related fix proposed to manila-tempest-plugin (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/manila-tempest-plugin/+/840727

Carlos Eduardo (silvacarlose) on 2022-06-20

Changed in manila:
milestone:	zed-1 → zed-2

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-07-15: Related fix merged to manila-tempest-plugin (master)

Reviewed: https://review.opendev.org/c/openstack/manila-tempest-plugin/+/840727
Committed: https://opendev.org/openstack/manila-tempest-plugin/commit/71caf46c021ed64ddf3a85a3b41c478ec2845795
Submitter: "Zuul (22348)"
Branch: master

commit 71caf46c021ed64ddf3a85a3b41c478ec2845795
Author: silvacarloss <email address hidden>
Date: Thu May 5 16:33:12 2022 -0300

Modify security service list test

    Since we decoupled ``share:get_all_security_services`` from
    ``context_is_admin``, we started preventing non-admins to use
    the ``all_tenants`` flag for security service listing.

    This change enhances one of our tests to ensure that in a
    query to list security services using ``all_tenants``,
    less-privileged users won't be able to see more security
    services than they should.

Related-Bug: #1916102
Change-Id: Idd49e22c8dc534a1fe1e4814f233b079cf14bb72

Changed in manila:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-07-15: Fix merged to manila (master)

Reviewed: https://review.opendev.org/c/openstack/manila/+/832734
Committed: https://opendev.org/openstack/manila/commit/3fb9b981b08a049466586feaf9ef011a5883d38f
Submitter: "Zuul (22348)"
Branch: master

commit 3fb9b981b08a049466586feaf9ef011a5883d38f
Author: Cameron Kolodjski <email address hidden>
Date: Wed Mar 9 00:35:41 2022 +0000

Remove admin context check, update unit tests

    In manila/api/v1/security_service.py, the context.is_admin check is
    removed, allowing the subsequent policy check to determine whether the
    user can retrieve all security services. Authorization is determined by
    the RBAC policy "security_services:get_all_security_services".

    In manila/tests/api/v1/test_security_service.py, unit tests for listing
    security services based on admin context were replaced with unit tests
    for listing security services based on whether the user is authorized or
    not.

    The unit test test_security_services_list_all_tenants_policy_authorized
    asserts that the security services are retrieved when
    policy.check_policy returns True.

    The unit test
    test_security_services_list_all_tenants_policy_not_authorized asserts
    that security services are not retrieved when policy.check_policy
    raises a NotAuthorized exception.

Closes-Bug: #1916102

Change-Id: I6cce61237f5ee3ce60d8165f6fac5e7e5a63b4dd
Depends-On: https://review.opendev.org/c/openstack/manila-tempest-plugin/+/840727