[xena][cephfs] Manila availability zone allow to use unauthorized share-type
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Shared File Systems Service (Manila) | Triaged | Undecided | Unassigned | |
Bug Description
Description
===========
It's currently possible to access a share type without any authorization. It seems the availability zone takes precedence over share type access, meaning that if you have only one private share type in your availability zone, everyone can access it through the AZ.
Maybe some updates from https:/
Steps to reproduce
==================
A chronological list of steps which will help reproduce the issue you hit:
* Create a share type "st1" in AZ "az1"
* Create a private share type "st2" in AZ "az2"
* Do not allow your project to access st2
* Create a share with name "shareOK" of type st1 in az1
* Create a share with name "shareBUG" of type st1 in az2
Then you have to access your FSAL file:
ShareOK:
FSAL {
Name = "Ceph";
Filesystem = "cephfs_az1";
ShareBUG:
FSAL {
Name = "Ceph";
Filesystem = "cephfs_az2";
Despite having 2 different types and being unable to access "st2", data will finally end up in the forbidden cephfs pool.
Expected result
===============
User should not be able to create the share if the selected AZ does not have a public share type
Actual result
=============
User can create a share in a ceph fs pool without any authorization
Environment
===========
dpkg -l | grep manila
ii manila-common 1:13.0.
On Ubuntu focal
Logs & Configs
==============
[cephfs_az2]
share_backend_name = cephfs_nfs_az2
ganesha_
ganesha_
driver_
share_driver = manila.
cephfs_
cephfs_conf_path = /etc/ceph/ceph.conf
cephfs_auth_id = manila
cephfs_cluster_name = ceph
cephfs_
cephfs_
cephfs_
backend_
ganesha_
[cephfs_nfs_az1]
share_backend_name = cephfs_nfs_az1
ganesha_
ganesha_
driver_
share_driver = manila.
cephfs_
cephfs_conf_path = /etc/ceph/ceph.conf
cephfs_auth_id = manila
cephfs_cluster_name = ceph
cephfs_
cephfs_
cephfs_
backend_
ganesha_
Best Regards,
Romain
tags: added: cephfs
summary:
- [xena][cephfs] Manilla availability zone allow to use unauthorized
+ [xena][cephfs] Manila availability zone allow to use unauthorized share-type
Changed in manila:
status: New → Triaged
Hi Romain,
Thanks for this bug report. Can we see the extra specs configured in share types st1 and st2? Are you using the "availability_zones" extra_spec to constrain your share types to specific AZs?
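An operator-side audit of the situation discussed in this report, as an added example that is not part of the bug report and is not Manila code. It uses a simplified model of placement: a share type is usable in any AZ unless its availability_zones extra spec names specific AZs or a share_backend_name extra spec pins it to one backend. The project names and the INTENDED mapping are hypothetical, and all data is constructed.

```python
"""Added example: simplified model of share-type/AZ reachability (not Manila code)."""

# Constructed data mirroring the report: st1 public, st2 private, one backend per AZ.
SHARE_TYPES = {
    "st1": {"is_public": True, "projects": set(), "extra_specs": {}},
    "st2": {"is_public": False, "projects": {"storage-admins"}, "extra_specs": {}},
}
BACKENDS = {"cephfs_nfs_az1": "az1", "cephfs_nfs_az2": "az2"}  # backend name -> AZ
# Operator intent (assumption): which types are meant to land on each backend.
INTENDED = {"cephfs_nfs_az1": {"st1"}, "cephfs_nfs_az2": {"st2"}}


def can_use(st, project):
    """Share-type access: public types are open, private ones need a grant."""
    return st["is_public"] or project in st["projects"]


def allowed_azs(st):
    """AZs named by the availability_zones extra spec; None means unconstrained."""
    raw = st["extra_specs"].get("availability_zones")
    return {az.strip() for az in raw.split(",")} if raw else None


def unintended_placements(project, share_types=SHARE_TYPES):
    """Return (type, az, backend) triples the project can reach but should not."""
    findings = []
    for name in sorted(share_types):
        st = share_types[name]
        if not can_use(st, project):
            continue
        azs = allowed_azs(st)
        pinned = st["extra_specs"].get("share_backend_name")
        for backend, az in sorted(BACKENDS.items()):
            if azs is not None and az not in azs:
                continue  # type is not offered in this AZ
            if pinned is not None and pinned != backend:
                continue  # type is pinned to a different backend
            if name not in INTENDED[backend]:
                findings.append((name, az, backend))
    return findings


if __name__ == "__main__":
    for name, az, backend in unintended_placements("tenant-a"):
        print(f"{name} can be scheduled in {az} on {backend}")
```

With unconstrained types the audit reports st1 reaching the az2 backend; once each type carries an availability_zones extra spec for its own AZ, the findings list is empty.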