OpenStack Shared File Systems Service (Manila)

Project users can get other project replicas by UUID

Bug #1918341 reported by Goutham Pacha Ravi on 2021-03-09

This bug report is a duplicate of: Bug #1922243: share replica list is not checking project owner. Edit Remove

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Shared File Systems Service (Manila)	In Progress	Medium	Jiabo Cheng	OpenStack Shared File Systems Service (Manila) yoga-2

Bug Description

Description
===========
This is a RBAC issue where as any authenticated user, I can retrieve a replica and its export locations even if it is in a project I'm not part of. I will however need to know the ID of the replica to do this. No manila API currently discloses this ID, and it would have to be guessed by users that have only the API to work with. Guessing UUIDs is considered impractical.

Steps to reproduce
==================

A chronological list of steps which will help reproduce the issue you hit:
* As user X in project Y, create a share and a replica and note replica ID
* As user A in project B, attempt to retrieve replica information and export location information:

GET share-replicas/${share_replica_id}/export-locations
GET share-replicas/${share_replica_id}/export-locations/${export_location_id}
GET share-replicas/${share_replica_id}

Expected result
===============
HTTP 404 if replica is inaccessible to me

Actual result
=============
HTTP 200 with replica details

Environment
===========
1. Manila main (Wallaby)

Tags:

Goutham Pacha Ravi (gouthamr) on 2021-03-15

Changed in manila:
importance:	Undecided → Medium
milestone:	none → wallaby-rc1
tags:	added: rbac
tags:	added: backport-potential rocky-backport-potential stein-backport-potential train-backport-potential ussuri-backport-potential victoria-backport-potential

Goutham Pacha Ravi (gouthamr) on 2021-03-16

tags:

added: wallaby-rc-bugsquash

Goutham Pacha Ravi (gouthamr) on 2021-03-26

Changed in manila:
milestone:	wallaby-rc1 → xena-1
assignee:	nobody → Goutham Pacha Ravi (gouthamr)

Goutham Pacha Ravi (gouthamr) on 2021-03-26

tags:	removed: wallaby-rc-bugsquash
tags:	added: wallaby-backport-potential

Goutham Pacha Ravi (gouthamr) on 2021-05-27

Changed in manila:
milestone:	xena-1 → xena-2

Victoria Martinez de la Cruz (vkmc) on 2021-06-07

Changed in manila:
status:	New → Confirmed

Goutham Pacha Ravi (gouthamr) on 2021-08-03

Changed in manila:
milestone:	xena-2 → xena-3

Carlos Eduardo (silvacarlose) on 2021-09-20

Changed in manila:
milestone:	xena-3 → yoga-1

Goutham Pacha Ravi (gouthamr) on 2021-11-29

Changed in manila:
milestone:	yoga-1 → yoga-2

Jiabo Cheng (cheng-jiab) on 2021-11-29

Changed in manila:
assignee:	Goutham Pacha Ravi (gouthamr) → Jiabo Cheng (cheng-jiab)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-12-06: Fix proposed to manila (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/manila/+/820468

Changed in manila:
status:	Confirmed → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-12-09: Change abandoned on manila (master)

Change abandoned by "Jiabo Cheng <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/manila/+/820468
Reason: Duplicated bug with Bug #1922243

Report a bug

This report contains Public information

Everyone can see this information.

Duplicate of bug #1922243 Remove

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.