OpenStack Shared File Systems Service (Manila)

Project users can add others' security services to their network by ID

Bug #1918323 reported by Goutham Pacha Ravi on 2021-03-09

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Shared File Systems Service (Manila)	Fix Released	Medium	Ashley Rodriguez	OpenStack Shared File Systems Service (Manila) zed-1

Bug Description

Description
===========
The default RBAC allows project users to add a security service by its ID to share networks they own.

It is not possible for an unprivileged user to obtain security service IDs via manila APIs. So they'd have to guess it - however, guesswork on UUIDs is considered highly improbable. This is albeit a security tightening opportunity.

Steps to reproduce
==================

A chronological list of steps which will help reproduce the issue you hit:
* As user X of project Y create a security service, record its ID
* As user A of project B, create a share network (don't create any shares)
* Associate the security service to the share network by its ID

Expected result
===============
The user must be prevented to do this with HTTP 400

Actual result
=============
HTTP 200, the security service was successfully associated with the share network.

Environment
===========
1. Manila main branch, Wallaby cycle code

Tags:

Revision history for this message

Goutham Pacha Ravi (gouthamr) wrote on 2021-03-11:

Job set to nonvoting here: https://review.opendev.org/c/openstack/manila/+/779823

Changed in manila:
importance:	Undecided → High

Revision history for this message

Goutham Pacha Ravi (gouthamr) wrote on 2021-03-12:

Please Ignore comment #1, it was for https://bugs.launchpad.net/manila/+bug/1918707

When this bug is being fixed, these new APIs need to be addressed as well: https://review.opendev.org/c/openstack/manila/+/774728/10/manila/api/v2/share_networks.py#416

Changed in manila:
importance:	High → Medium

Goutham Pacha Ravi (gouthamr) on 2021-05-05

tags:	added: rbac
tags:	added: api

Victoria Martinez de la Cruz (vkmc) on 2021-06-07

Changed in manila:
status:	New → Confirmed

Goutham Pacha Ravi (gouthamr) on 2021-08-03

Changed in manila:
milestone:	none → xena-3

Carlos Eduardo (silvacarlose) on 2021-09-20

Changed in manila:
milestone:	xena-3 → yoga-1

Ashley Rodriguez (ashrod98) on 2021-11-29

Changed in manila:
assignee:	nobody → Ashley Rodriguez (ashrod98)

Goutham Pacha Ravi (gouthamr) on 2021-11-29

Changed in manila:
milestone:	yoga-1 → yoga-2

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-12-01: Fix proposed to manila (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/manila/+/820044

Changed in manila:
status:	Confirmed → In Progress

Carlos Eduardo (silvacarlose) on 2022-01-27

Changed in manila:
milestone:	yoga-2 → yoga-3

Goutham Pacha Ravi (gouthamr) on 2022-03-31

Changed in manila:
milestone:	yoga-3 → zed-1

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-04-21: Fix merged to manila (master)

Reviewed: https://review.opendev.org/c/openstack/manila/+/820044
Committed: https://opendev.org/openstack/manila/commit/a97d65d3eb9b3a5b4a88a1b3f22b59ca2f75c9bc
Submitter: "Zuul (22348)"
Branch: master

commit a97d65d3eb9b3a5b4a88a1b3f22b59ca2f75c9bc
Author: Ashley Rodriguez <email address hidden>
Date: Wed Dec 1 14:31:00 2021 +0000

Add validation to share network

    Adds a check when associating a security service to a share network, so
    that both resources must have the same project_id. If not,
    a HTTP Bad Request is raised. Affiliated tests were altered or created.

Closes-Bug: #1918323
Change-Id: Idb2a8838d492ac3c616fb21ab1272f7dc74ee589

Changed in manila:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-04-21: Fix proposed to manila (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/manila/+/838875

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-07-01: Fix merged to manila (stable/yoga)

Reviewed: https://review.opendev.org/c/openstack/manila/+/838875
Committed: https://opendev.org/openstack/manila/commit/95099bdfc46f4734c082b051a0029627aff9e473
Submitter: "Zuul (22348)"
Branch: stable/yoga

commit 95099bdfc46f4734c082b051a0029627aff9e473
Author: Ashley Rodriguez <email address hidden>
Date: Wed Dec 1 14:31:00 2021 +0000

Add validation to share network

    Closes-Bug: #1918323
    Change-Id: Idb2a8838d492ac3c616fb21ab1272f7dc74ee589
    (cherry picked from commit a97d65d3eb9b3a5b4a88a1b3f22b59ca2f75c9bc)

tags:

added: in-stable-yoga

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-07-05: Fix proposed to manila (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/manila/+/848712

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-07-07: Fix proposed to manila (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/manila/+/848865

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2022-08-04: Fix merged to manila (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/manila/+/848712
Committed: https://opendev.org/openstack/manila/commit/65fe79297d23e391d0746216520da957fc568000
Submitter: "Zuul (22348)"
Branch: stable/xena

commit 65fe79297d23e391d0746216520da957fc568000
Author: Ashley Rodriguez <email address hidden>
Date: Wed Dec 1 14:31:00 2021 +0000

Add validation to share network

    Closes-Bug: #1918323
    Change-Id: Idb2a8838d492ac3c616fb21ab1272f7dc74ee589
    (cherry picked from commit a97d65d3eb9b3a5b4a88a1b3f22b59ca2f75c9bc)
    (cherry picked from commit 95099bdfc46f4734c082b051a0029627aff9e473)