[Openstack-security] [Bug 1654598] Re: User can list other tenant's and admin's export locations
OpenStack Infra
1654598 at bugs.launchpad.net
Tue Mar 24 15:16:18 UTC 2020
Fix proposed to branch: stable/train
Review: https://review.opendev.org/714674
** Changed in: manila/train
Status: New => In Progress
** Changed in: manila/train
Assignee: (unassigned) => Goutham Pacha Ravi (gouthamr)
--
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1654598
Title:
User can list other tenant's and admin's export locations
Status in Manila:
Fix Released
Status in Manila ocata series:
New
Status in Manila pike series:
New
Status in Manila queens series:
New
Status in Manila rocky series:
New
Status in Manila stein series:
New
Status in Manila train series:
In Progress
Status in Manila ussuri series:
Fix Released
Bug description:
Currently, the share export locations API is allowing any tenant to
obtain export locations of any tenant's share.
See the below URL:
http://172.24.47.101:8786/v2/64350ec996cb4d91bfaa728fd7199313/shares/e93eb079-58fb-4758-9d95-a9a645b0250a/export_locations
64350ec996cb4d91bfaa728fd7199313: this is a non-admin tenant ID
e93eb079-58fb-4758-9d95-a9a645b0250a: this is an admin's share ID
This is because the API layer of the share export locations controller
is going directly to the database to obtain the export locations of
the supplied share ID.
The ownership check is performed at the Share/API layer, which is not
invoked in this workflow.
Most surprisingly of all, the tempest tests:
- test_export_locations.ExportLocationsTest.test_list_share_export_locations_by_member
- test_export_locations.ExportLocationsTest.test_get_share_export_location_by_member
... should not be passing at all (and should be negative tests), as
they are testing if a non-admin tenant is able to obtain and list
export locations of a share created by the admin_client used by
tempest.
Affected releases:
- Liberty
- Mitaka
- Newton
- Ocata
To manage notifications about this bug go to:
https://bugs.launchpad.net/manila/+bug/1654598/+subscriptions
More information about the Openstack-security
mailing list