[Openstack-security] [Bug 1654598] Re: User can list other tenant's and admin's export locations
OpenStack Infra
1654598 at bugs.launchpad.net
Mon Mar 30 02:03:37 UTC 2020
Reviewed: https://review.opendev.org/715687
Committed: https://git.openstack.org/cgit/openstack/manila/commit/?id=d2c72aff8a38502d97e74e839866627c30ed7b31
Submitter: Zuul
Branch: stable/queens
commit d2c72aff8a38502d97e74e839866627c30ed7b31
Author: Tom Barron <tpb at dyncloud.net>
Date: Sun Mar 1 13:12:08 2020 +0100
Enforce policy checks for share export locations
Closes-bug: #1654598
Change-Id: I5f358266739f1c42343d5a0c5ec8109c8fcaac4d
(cherry picked from commit 84daeb481d852d6531df11e842df1a70672d938c)
(cherry picked from commit 02fd716bf83849873f0bccb78b851196e6acf2b7)
(cherry picked from commit aa5e1f65cd61c57178fb864ac16bcb5c9eefb7c8)
(cherry picked from commit 875cb87328665629778dd20951cc28e1e66d3190)
** Changed in: manila/queens
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1654598
Title:
User can list other tenant's and admin's export locations
Status in Manila:
Fix Released
Status in Manila ocata series:
Won't Fix
Status in Manila pike series:
In Progress
Status in Manila queens series:
Fix Committed
Status in Manila rocky series:
Fix Committed
Status in Manila stein series:
Fix Committed
Status in Manila train series:
Fix Committed
Status in Manila ussuri series:
Fix Released
Bug description:
Currently, the share export locations API is allowing any tenant to
obtain export locations of any tenant's share.
See the below URL:
http://172.24.47.101:8786/v2/64350ec996cb4d91bfaa728fd7199313/shares/e93eb079-58fb-4758-9d95-a9a645b0250a/export_locations
64350ec996cb4d91bfaa728fd7199313: this is a non-admin tenant ID
e93eb079-58fb-4758-9d95-a9a645b0250a: this is an admin's share ID
This is because the API layer of the share export locations controller
is going directly to the database to obtain the export locations of
the supplied share ID.
The ownership check is performed at the Share/API layer, which is not
invoked in this workflow.
Most surprisingly of all, the tempest tests:
- test_export_locations.ExportLocationsTest.test_list_share_export_locations_by_member
- test_export_locations.ExportLocationsTest.test_get_share_export_location_by_member
... should not be passing at all (and should be negative tests), as
they are testing if a non-admin tenant is able to obtain and list
export locations of a share created by the admin_client used by
tempest.
Affected releases:
- Liberty
- Mitaka
- Newton
- Ocata
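To make the root cause concrete, here is an added illustration (not Manila's own code) of the two controller shapes the description contrasts: one that reads export locations straight from the database, and one that first resolves the share through an ownership-checking layer. `Context`, `share_api_get`, `db_export_locations_get` and the in-memory tables are hypothetical stand-ins for Manila's real modules.

```python
# Added illustration of the bug described above. Names (Context, share_api_get,
# db_export_locations_get, SHARES, EXPORT_LOCATIONS) are hypothetical, not Manila's.
from dataclasses import dataclass

class NotAuthorized(Exception):
    """Raised when the caller's project does not own the share."""

@dataclass(frozen=True)
class Context:
    project_id: str
    is_admin: bool = False

# Constructed in-memory "database": who owns a share, and where it is exported.
SHARES = {"share-admin-1": {"project_id": "admin-proj"}}
EXPORT_LOCATIONS = {"share-admin-1": ["10.0.0.5:/exports/share-admin-1"]}

def db_export_locations_get(share_id):
    """Plain DB read keyed only on share_id: it has no idea who is asking."""
    return list(EXPORT_LOCATIONS.get(share_id, []))

def share_api_get(context, share_id):
    """Share/API layer: the caller must own the share or be admin."""
    share = SHARES.get(share_id)
    if share is None:
        raise KeyError(share_id)
    if not context.is_admin and share["project_id"] != context.project_id:
        raise NotAuthorized(f"project {context.project_id} may not read {share_id}")
    return share

def list_export_locations_vulnerable(context, share_id):
    """Controller as described in the bug: straight to the DB, ownership never checked."""
    return db_export_locations_get(share_id)

def list_export_locations_fixed(context, share_id):
    """Hardened controller: resolve the share through the ownership check first."""
    share_api_get(context, share_id)  # raises NotAuthorized for another tenant's share
    return db_export_locations_get(share_id)

if __name__ == "__main__":
    tenant = Context(project_id="tenant-b")
    print(list_export_locations_vulnerable(tenant, "share-admin-1"))  # leaks admin's location
    try:
        list_export_locations_fixed(tenant, "share-admin-1")
    except NotAuthorized as exc:
        print("denied:", exc)
```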