Project users can add others' security services to their network by ID
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Shared File Systems Service (Manila) | Fix Released | Medium | Ashley Rodriguez |
Bug Description
Description
===========
The default RBAC allows project users to add a security service by its ID to share networks they own.
It is not possible for an unprivileged user to obtain security service IDs via manila APIs, so they would have to guess them; however, guessing UUIDs is considered highly improbable. This is nonetheless a security tightening opportunity.
Steps to reproduce
==================
A chronological list of steps which will help reproduce the issue you hit:
* As user X of project Y create a security service, record its ID
* As user A of project B, create a share network (don't create any shares)
* Associate the security service to the share network by its ID
Expected result
===============
The user must be prevented from doing this with HTTP 400.
Actual result
=============
HTTP 200, the security service was successfully associated with the share network.
Environment
===========
1. Manila main branch, Wallaby cycle code
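The expected behaviour described above amounts to an ownership check on the association call: the security service being attached must belong to the same project as the share network, and a mismatch must be rejected with HTTP 400 rather than relying on the IDs being hard to guess. The following is an added, illustrative example of that check; it is not Manila's own code, and the in-memory state, the record layout and the ``associate_security_service`` function (returning an HTTP status and message instead of raising) are assumptions made for the example. The ``enforce_owner_match=False`` path reproduces the reported behaviour (HTTP 200 for a cross-project association) so the two can be compared side by side.

```python
"""Illustrative ownership check for "add security service to share network".

Added example, not Manila's implementation. Projects Y and B and the record
IDs below are constructed to mirror the reproduction steps in the bug.
"""
from copy import deepcopy

# Constructed IDs (placeholders, not real UUIDs from any deployment).
SECURITY_SERVICE_Y = "secsvc-owned-by-project-Y"
SECURITY_SERVICE_B = "secsvc-owned-by-project-B"
SHARE_NETWORK_B = "sharenet-owned-by-project-B"

_SAMPLE_STATE = {
    "security_services": {
        SECURITY_SERVICE_Y: {"project_id": "project-Y", "type": "active_directory"},
        SECURITY_SERVICE_B: {"project_id": "project-B", "type": "kerberos"},
    },
    "share_networks": {
        SHARE_NETWORK_B: {"project_id": "project-B", "security_service_ids": []},
    },
}


def build_sample_state():
    """Return a fresh copy of the constructed sample records."""
    return deepcopy(_SAMPLE_STATE)


def associate_security_service(state, share_network_id, security_service_id,
                               caller_project_id, enforce_owner_match=True):
    """Attach a security service to a share network.

    Returns (http_status, message). With enforce_owner_match=False the
    function behaves as the bug report describes (cross-project IDs are
    accepted); with the default True it applies the expected 400 rejection.
    """
    share_network = state["share_networks"].get(share_network_id)
    # The caller may only operate on share networks owned by their project.
    if share_network is None or share_network["project_id"] != caller_project_id:
        return 404, "share network not found"

    security_service = state["security_services"].get(security_service_id)
    if security_service is None:
        return 400, "security service not found"

    # Ownership check: the security service must belong to the same project
    # as the share network. Guessing a valid ID is not enough to pass this.
    if enforce_owner_match and security_service["project_id"] != share_network["project_id"]:
        return 400, "security service belongs to a different project"

    if security_service_id not in share_network["security_service_ids"]:
        share_network["security_service_ids"].append(security_service_id)
    return 200, "associated"


if __name__ == "__main__":
    st = build_sample_state()
    print(associate_security_service(st, SHARE_NETWORK_B, SECURITY_SERVICE_Y,
                                     "project-B", enforce_owner_match=False))
    st = build_sample_state()
    print(associate_security_service(st, SHARE_NETWORK_B, SECURITY_SERVICE_Y, "project-B"))
    print(associate_security_service(st, SHARE_NETWORK_B, SECURITY_SERVICE_B, "project-B"))
```

The check compares project IDs on the server side, so it holds regardless of whether the caller could list or guess the other project's security service IDs; the lookup of the share network is scoped to the caller's project first, so a mismatched share network is simply not found.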
tags: added: rbac
tags: added: api
Changed in manila: status: New → Confirmed
Changed in manila: milestone: none → xena-3
Changed in manila: milestone: xena-3 → yoga-1
Changed in manila: assignee: nobody → Ashley Rodriguez (ashrod98)
Changed in manila: milestone: yoga-1 → yoga-2
Changed in manila: milestone: yoga-2 → yoga-3
Changed in manila: milestone: yoga-3 → zed-1
Job set to nonvoting here: https://review.opendev.org/c/openstack/manila/+/779823