commit 318140e2505a946f7523e47dc6cf5b4ac34a7813
Author: Goutham Pacha Ravi <email address hidden>
Date: Thu May 25 15:20:31 2023 -0700

[rbac] Pull up policy checks on share/snapshot APIs

RBAC enforcement in manila happens in stages:

1) Does user have access to the API
2) Does user have access to the resource
3) Is user permitted to perform the API action on the resource

If (1) fails, user gets a HTTP 403, if (2) fails,
they get a HTTP 404; if (3) fails, they get a HTTP 403.
More often than not, (2) prevents "existence" detection
of resources that don't belong to the user; except in
case of "public" resources (e.g.: shares can be "public").

In some share API methods, policy checks for (1) are
happening after a bunch of processing. This leads to
some inconsistency.

Fix these occurrences to ensure a consistent user
experience.

Change-Id: I5b1f1ce517efed000f17b1e0901e183a1913ba9f
Related-Bug: #2004230
Signed-off-by: Goutham Pacha Ravi <email address hidden>
(cherry picked from commit 190876809f2bda4153166e055c9de9bd1786f2a8)
Reviewed: https://review.opendev.org/c/openstack/manila/+/896540
Committed: https://opendev.org/openstack/manila/commit/318140e2505a946f7523e47dc6cf5b4ac34a7813
Submitter: "Zuul (22348)"
Branch: stable/2023.2
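
The three stages from the commit message as a small handler, showing why the stage (1) check belongs before any resource processing. This is an added example and not manila's code: `User`, `Share`, `SHARES`, `API_ROLES`, `delete_share` and the `check_first` switch are hypothetical, and the data is constructed.

```python
# Added illustration of staged RBAC checks; hypothetical names, not manila code.
from dataclasses import dataclass

class Forbidden(Exception):
    status = 403

class NotFound(Exception):
    status = 404

@dataclass(frozen=True)
class User:
    project: str
    roles: frozenset

@dataclass(frozen=True)
class Share:
    project: str
    is_public: bool = False

# Constructed sample data: one own share, one public and one private foreign share.
SHARES = {"s1": Share("proj-a"), "s2": Share("proj-b", is_public=True),
          "s3": Share("proj-b")}
API_ROLES = {"share:delete": {"member"}}  # stage 1: roles allowed to call the API

def _check_api(user, action):
    """Stage 1: may this caller use the API at all? Failure is a 403."""
    if not (user.roles & API_ROLES[action]):
        raise Forbidden(action)

def _lookup(user, share_id):
    """Stage 2: resources the caller cannot see are reported as 404."""
    share = SHARES.get(share_id)
    if share is None or (share.project != user.project and not share.is_public):
        raise NotFound(share_id)
    return share

def delete_share(user, share_id, check_first=True):
    """Return the HTTP status the caller would see for a delete request."""
    action = "share:delete"
    try:
        if check_first:
            _check_api(user, action)      # stage 1 before any processing
        share = _lookup(user, share_id)   # stage 2
        if not check_first:
            _check_api(user, action)      # stage 1 done late, after processing
        if share.project != user.project:  # stage 3: action on this resource
            raise Forbidden(action)
        return 202
    except (Forbidden, NotFound) as exc:
        return exc.status
```

With `check_first=False`, a caller who lacks API access sees 403 for a share in their project and 404 for an unknown ID; with the check first, both requests return 403.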