Comment 8 for bug 2004230

OpenStack Infra (hudson-openstack) wrote : Related fix merged to manila (stable/2023.2)

Reviewed: https://review.opendev.org/c/openstack/manila/+/896540
Committed: https://opendev.org/openstack/manila/commit/318140e2505a946f7523e47dc6cf5b4ac34a7813
Submitter: "Zuul (22348)"
Branch: stable/2023.2

commit 318140e2505a946f7523e47dc6cf5b4ac34a7813
Author: Goutham Pacha Ravi <email address hidden>
Date: Thu May 25 15:20:31 2023 -0700

    [rbac] Pull up policy checks on share/snapshot APIs

    RBAC enforcement in manila happens in stages:
    1) Does user have access to the API
    2) Does user have access to the resource
    3) Is user permitted to perform the API action on the resource

    If (1) fails, the user gets an HTTP 403; if (2) fails,
    they get an HTTP 404; if (3) fails, they get an HTTP 403.

    More often than not, (2) prevents "existence" detection
    of resources that don't belong to the user; except in
    case of "public" resources (e.g.: shares can be "public").

    In some share API methods, policy checks for (1) are
    happening after a bunch of processing. This leads to
    some inconsistency.

    Fix these occurrences to ensure a consistent user
    experience.

    Change-Id: I5b1f1ce517efed000f17b1e0901e183a1913ba9f
    Related-Bug: #2004230
    Signed-off-by: Goutham Pacha Ravi <email address hidden>
    (cherry picked from commit 190876809f2bda4153166e055c9de9bd1786f2a8)
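
Added example (not manila's code and not part of the commit above): a minimal Python model of the three enforcement stages the commit message describes, comparing a handler that runs the API-level check first with one that runs it only after the resource lookup. All names, roles and sample shares are hypothetical and constructed; the late-check ordering is one assumed way the inconsistency can appear.

```python
# Added illustration, not manila code; every name here is hypothetical.
from dataclasses import dataclass

class HTTPError(Exception):
    def __init__(self, status):
        super().__init__(status)
        self.status = status

@dataclass(frozen=True)
class Share:
    project_id: str
    is_public: bool = False

@dataclass(frozen=True)
class Context:
    project_id: str
    roles: frozenset

# Constructed sample data: one own share, one foreign, one foreign but public.
SHARES = {"s-own": Share("proj-a"), "s-other": Share("proj-b"),
          "s-public": Share("proj-b", is_public=True)}

def api_allowed(ctx, action):
    """Stage 1: may this caller use the API at all? Failure -> 403."""
    return "member" in ctx.roles or (action == "get" and "reader" in ctx.roles)

def get_visible(ctx, share_id):
    """Stage 2: can the caller see the resource? Failure -> 404."""
    share = SHARES.get(share_id)
    if share is None or not (share.is_public or share.project_id == ctx.project_id):
        raise HTTPError(404)
    return share

def action_allowed(ctx, share, action):
    """Stage 3: is this action permitted on this resource? Failure -> 403."""
    return action == "get" or share.project_id == ctx.project_id

def status(ctx, action, share_id, api_check_first=True):
    """Return the HTTP status a request would get under either ordering."""
    try:
        if api_check_first and not api_allowed(ctx, action):
            raise HTTPError(403)
        share = get_visible(ctx, share_id)  # the "processing" before a late check
        if not api_allowed(ctx, action) or not action_allowed(ctx, share, action):
            raise HTTPError(403)
        return 200
    except HTTPError as exc:
        return exc.status
```

With the API check first, a caller lacking access to the API gets 403 for every share ID; with the late check, the same caller gets 403 or 404 depending on the resource.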