[RBAC] Incorrect code response while performing some actions by reader user in different project

Bug #2004230 reported by Liron Kuchlani
Affects: OpenStack Shared File Systems Service (Manila)
Status: Fix Released
Importance: Medium
Assigned to: Goutham Pacha Ravi
Tags: rbac
description: updated
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to manila-tempest-plugin (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/manila-tempest-plugin/+/872260

Vida Haririan (vhariria)
tags: added: rbac
Changed in manila:
status: New → In Progress
summary: - [RBAC] Incorrect code response while preforming some actions by
- member/reader user in different project
+ [RBAC] Incorrect code response while preforming some actions by reader
+ user in different project
Changed in manila:
milestone: none → antelope-rc1
assignee: nobody → Liron Kuchlani (lkuchlan)
importance: Undecided → Medium
Changed in manila:
milestone: antelope-rc1 → bobcat-1
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to manila (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/manila/+/884446

Changed in manila:
milestone: bobcat-1 → bobcat-2
Changed in manila:
milestone: bobcat-2 → bobcat-rc1
OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/manila/+/896000

Changed in manila:
milestone: bobcat-rc1 → caracal-1
milestone: caracal-1 → bobcat-rc1
Changed in manila:
milestone: bobcat-rc1 → caracal-1
OpenStack Infra (hudson-openstack) wrote : Related fix merged to manila (master)

Reviewed: https://review.opendev.org/c/openstack/manila/+/884446
Committed: https://opendev.org/openstack/manila/commit/190876809f2bda4153166e055c9de9bd1786f2a8
Submitter: "Zuul (22348)"
Branch: master

commit 190876809f2bda4153166e055c9de9bd1786f2a8
Author: Goutham Pacha Ravi <email address hidden>
Date: Thu May 25 15:20:31 2023 -0700

    [rbac] Pull up policy checks on share/snapshot APIs

    RBAC enforcement in manila happens in stages:
    1) Does user have access to the API
    2) Does user have access to the resource
    3) Is user permitted to perform the API action on the resource

    If (1) fails, user gets a HTTP 403, if (2) fails,
    they get a HTTP 404; if (3) fails, they get a HTTP 403.

    More often than not, (2) prevents "existence" detection
    of resources that don't belong to the user; except in
    case of "public" resources (e.g.: shares can be "public").

    In some share API methods, policy checks for (1) are
    happening after a bunch of processing. This leads to
    some inconsistency.

    Fix these occurrences to ensure a consistent user
    experience.

    Change-Id: I5b1f1ce517efed000f17b1e0901e183a1913ba9f
    Related-Bug: #2004230
    Signed-off-by: Goutham Pacha Ravi <email address hidden>

Changed in manila:
assignee: Liron Kuchlani (lkuchlan) → Goutham Pacha Ravi (gouthamr)
Goutham Pacha Ravi (gouthamr) wrote :

Hi,

this bug was originally reported during the "Zed" cycle. Fixes have begun merging in the Caracal release. We'll backport the fixes to stable/2023.2 (Bobcat), stable/2023.1 (Antelope) and "Zed" releases. However, there are no plans to fix this in earlier stable branches. These stable branches are in "extended maintenance" state (or are "unmaintained"). It's up to downstream distributors to patch this issue on these branches. They may do so upstream, but we believe we'll need changes in the openstack/manila-tempest-plugin repository as well. Due to the effort involved in patching old releases, if possible, please have concerned users upgrade to newer releases of openstack/manila where this issue has been addressed.

--
Goutham

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to manila (stable/2023.2)

Related fix proposed to branch: stable/2023.2
Review: https://review.opendev.org/c/openstack/manila/+/896540

OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (stable/2023.2)

Fix proposed to branch: stable/2023.2
Review: https://review.opendev.org/c/openstack/manila/+/896764

OpenStack Infra (hudson-openstack) wrote : Related fix merged to manila (stable/2023.2)

Reviewed: https://review.opendev.org/c/openstack/manila/+/896540
Committed: https://opendev.org/openstack/manila/commit/318140e2505a946f7523e47dc6cf5b4ac34a7813
Submitter: "Zuul (22348)"
Branch: stable/2023.2

commit 318140e2505a946f7523e47dc6cf5b4ac34a7813
Author: Goutham Pacha Ravi <email address hidden>
Date: Thu May 25 15:20:31 2023 -0700

    [rbac] Pull up policy checks on share/snapshot APIs

    RBAC enforcement in manila happens in stages:
    1) Does user have access to the API
    2) Does user have access to the resource
    3) Is user permitted to perform the API action on the resource

    If (1) fails, user gets a HTTP 403, if (2) fails,
    they get a HTTP 404; if (3) fails, they get a HTTP 403.

    More often than not, (2) prevents "existence" detection
    of resources that don't belong to the user; except in
    case of "public" resources (e.g.: shares can be "public").

    In some share API methods, policy checks for (1) are
    happening after a bunch of processing. This leads to
    some inconsistency.

    Fix these occurrences to ensure a consistent user
    experience.

    Change-Id: I5b1f1ce517efed000f17b1e0901e183a1913ba9f
    Related-Bug: #2004230
    Signed-off-by: Goutham Pacha Ravi <email address hidden>
    (cherry picked from commit 190876809f2bda4153166e055c9de9bd1786f2a8)

OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (stable/2023.2)

Reviewed: https://review.opendev.org/c/openstack/manila/+/896764
Committed: https://opendev.org/openstack/manila/commit/1ee34c740bfe8f76d4c586beebc78d4b26459185
Submitter: "Zuul (22348)"
Branch: stable/2023.2

commit 1ee34c740bfe8f76d4c586beebc78d4b26459185
Author: Goutham Pacha Ravi <email address hidden>
Date: Wed Sep 20 21:35:09 2023 -0700

    Fix policy check in metadata APIs

    When a user doesn't have access to a non-public
    resource, the appropriate response is HTTP 404,
    not HTTP 403.

    Change-Id: I62afec521c5cdfdd67ab83da40e69e6a2688c737
    Closes-Bug: #2004230
    Signed-off-by: Goutham Pacha Ravi <email address hidden>
    (cherry picked from commit 267a67dafe2fcf0d23aa962fa39ba9748da94feb)

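The two commit messages above ("Pull up policy checks on share/snapshot APIs" and "Fix policy check in metadata APIs") describe a three-stage enforcement order and the 403/404 mapping that keeps a caller from learning whether another project's non-public share exists. The following is an added Python model of that ordering, not manila's code: the policy table, role names, share records and the two handler variants are constructed for illustration. It shows a handler that runs the ownership check on an unscoped lookup (answering 403 for a foreign private share, 404 for a missing one, so the two are distinguishable) next to one that scopes the lookup first so both cases answer 404.

```python
"""Staged RBAC enforcement as described in the commit messages above:
(1) API policy, (2) resource visibility, (3) action policy on the resource.
Model only, not manila's code; policy table, roles and shares are constructed."""
from dataclasses import dataclass, field


class HTTPError(Exception):
    def __init__(self, status: int):
        super().__init__(status)
        self.status = status


@dataclass
class Share:
    id: str
    project_id: str
    is_public: bool = False
    metadata: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Context:
    project_id: str
    roles: frozenset


# Constructed policy: which roles may call the API at all (stage 1).
API_POLICY = {"share:update_metadata": frozenset({"member", "admin"})}


def check_api_policy(ctx: Context, rule: str) -> None:
    """Stage 1: role-only check, no resource involved. Failure -> 403."""
    if not (API_POLICY[rule] & ctx.roles):
        raise HTTPError(403)


def get_visible_share(ctx: Context, db: dict, share_id: str) -> Share:
    """Stage 2: a share that does not exist, or that belongs to another
    project and is not public, is reported identically (404)."""
    share = db.get(share_id)
    if share is None:
        raise HTTPError(404)
    foreign = share.project_id != ctx.project_id and "admin" not in ctx.roles
    if foreign and not share.is_public:
        raise HTTPError(404)
    return share


def check_action_on_resource(ctx: Context, share: Share) -> None:
    """Stage 3: the caller may see the share, but may it modify it?
    Non-owners of a public share can read it, not write it. Failure -> 403."""
    if share.project_id != ctx.project_id and "admin" not in ctx.roles:
        raise HTTPError(403)


def update_metadata_fixed(ctx, db, share_id, new_meta) -> int:
    check_api_policy(ctx, "share:update_metadata")   # (1) before any lookup
    share = get_visible_share(ctx, db, share_id)     # (2) scoped lookup
    check_action_on_resource(ctx, share)             # (3)
    share.metadata.update(new_meta)
    return 200


def update_metadata_buggy(ctx, db, share_id, new_meta) -> int:
    """Constructed pre-fix ordering: the lookup is not project-scoped, so the
    ownership check answers 403 for a share the caller should not be able to
    tell apart from a missing one."""
    check_api_policy(ctx, "share:update_metadata")   # (1)
    share = db.get(share_id)                          # unscoped lookup
    if share is None:
        raise HTTPError(404)
    check_action_on_resource(ctx, share)             # (3) without (2)
    share.metadata.update(new_meta)
    return 200


def status_of(handler, ctx, db, share_id, new_meta=None) -> int:
    """Run a handler and return the HTTP status it would produce."""
    try:
        return handler(ctx, db, share_id, new_meta or {})
    except HTTPError as e:
        return e.status


def build_db() -> dict:
    # Constructed sample data: one private and one public share owned by project A.
    return {
        "s-private": Share("s-private", "project-a"),
        "s-public": Share("s-public", "project-a", is_public=True),
    }


def compare_orderings() -> dict:
    """Status codes seen by callers from another project under each ordering."""
    db = build_db()
    member_b = Context("project-b", frozenset({"member"}))
    reader_b = Context("project-b", frozenset({"reader"}))
    owner_a = Context("project-a", frozenset({"member"}))
    return {
        # Existence leak: 403 vs 404 distinguishes foreign-private from missing.
        "buggy_foreign_private": status_of(update_metadata_buggy, member_b, db, "s-private"),
        "buggy_missing": status_of(update_metadata_buggy, member_b, db, "s-missing"),
        # Fixed ordering: both answer 404.
        "fixed_foreign_private": status_of(update_metadata_fixed, member_b, db, "s-private"),
        "fixed_missing": status_of(update_metadata_fixed, member_b, db, "s-missing"),
        # Public share is visible (stage 2 passes) but not writable by a non-owner (stage 3 -> 403).
        "fixed_foreign_public": status_of(update_metadata_fixed, member_b, db, "s-public"),
        # Stage 1 denies the reader role before any lookup, so the answer is 403 regardless of resource.
        "fixed_reader_missing": status_of(update_metadata_fixed, reader_b, db, "s-missing"),
        "fixed_owner_private": status_of(update_metadata_fixed, owner_a, db, "s-private", {"k": "v"}),
    }


if __name__ == "__main__":
    for case, status in compare_orderings().items():
        print(f"{case}: {status}")
```

The point of the ordering is that stage 1 must not depend on the resource and stage 3 must never run on a resource that stage 2 would have hidden; any deviation turns the status code into an existence oracle.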
OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (stable/2023.1)

Fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/manila/+/897967

Goutham Pacha Ravi (gouthamr) wrote :

All changes have merged in the Caracal release, and backports are being pursued until stable/zed as stated. Marking this as "Fix released". Please see further updates, or follow progress on Gerrit to know if the changes have landed in specific branches you're interested in.

Changed in manila:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (master)

Reviewed: https://review.opendev.org/c/openstack/manila/+/896000
Committed: https://opendev.org/openstack/manila/commit/ad29f8a06513342fb63d665a36e16549ecf3aefc
Submitter: "Zuul (22348)"
Branch: master

commit ad29f8a06513342fb63d665a36e16549ecf3aefc
Author: Goutham Pacha Ravi <email address hidden>
Date: Wed Sep 20 21:35:09 2023 -0700

    Fix policy check in metadata APIs

    When a user doesn't have access to a non-public
    resource, the appropriate response is HTTP 404,
    not HTTP 403.

    Change-Id: I62afec521c5cdfdd67ab83da40e69e6a2688c737
    Closes-Bug: #2004230
    Signed-off-by: Goutham Pacha Ravi <email address hidden>

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to manila (stable/zed)

Related fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/manila/+/898489

OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (stable/zed)

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/manila/+/898490

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/manila 17.1.0

This issue was fixed in the openstack/manila 17.1.0 release.

OpenStack Infra (hudson-openstack) wrote : Related fix merged to manila-tempest-plugin (master)

Reviewed: https://review.opendev.org/c/openstack/manila-tempest-plugin/+/872260
Committed: https://opendev.org/openstack/manila-tempest-plugin/commit/2c06e81bfdbe72297b9fbc0c8d571c0ea51ab443
Submitter: "Zuul (22348)"
Branch: master

commit 2c06e81bfdbe72297b9fbc0c8d571c0ea51ab443
Author: lkuchlan <email address hidden>
Date: Tue Jan 31 08:04:24 2023 +0200

    Change the expected status response from Forbidden to NotFound

    In some share metadata operations performed on a share resource
    in another project by member and reader users, the response
    code is 403/Forbidden but actually it should be 404/Not Found.

    Related-Bug: #2004230
    Change-Id: I23f592aa0616dd000c91366056b19f73d4a92fa5

OpenStack Infra (hudson-openstack) wrote : Related fix merged to manila (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/manila/+/897990
Committed: https://opendev.org/openstack/manila/commit/8edaa3254c589c20443accc21eb732038158c59f
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit 8edaa3254c589c20443accc21eb732038158c59f
Author: Goutham Pacha Ravi <email address hidden>
Date: Thu May 25 15:20:31 2023 -0700

    [rbac] Pull up policy checks on share/snapshot APIs

    RBAC enforcement in manila happens in stages:
    1) Does user have access to the API
    2) Does user have access to the resource
    3) Is user permitted to perform the API action on the resource

    If (1) fails, user gets a HTTP 403, if (2) fails,
    they get a HTTP 404; if (3) fails, they get a HTTP 403.

    More often than not, (2) prevents "existence" detection
    of resources that don't belong to the user; except in
    case of "public" resources (e.g.: shares can be "public").

    In some share API methods, policy checks for (1) are
    happening after a bunch of processing. This leads to
    some inconsistency.

    Fix these occurrences to ensure a consistent user
    experience.

    Change-Id: I5b1f1ce517efed000f17b1e0901e183a1913ba9f
    Related-Bug: #2004230
    Signed-off-by: Goutham Pacha Ravi <email address hidden>
    (cherry picked from commit 190876809f2bda4153166e055c9de9bd1786f2a8)
    (cherry picked from commit 318140e2505a946f7523e47dc6cf5b4ac34a7813)

OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/manila/+/897967
Committed: https://opendev.org/openstack/manila/commit/d5c2eb1124a9f44b3ad71c6cfdb01f7fa80ee88d
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit d5c2eb1124a9f44b3ad71c6cfdb01f7fa80ee88d
Author: Goutham Pacha Ravi <email address hidden>
Date: Wed Sep 20 21:35:09 2023 -0700

    Fix policy check in metadata APIs

    When a user doesn't have access to a non-public
    resource, the appropriate response is HTTP 404,
    not HTTP 403.

    Change-Id: I62afec521c5cdfdd67ab83da40e69e6a2688c737
    Closes-Bug: #2004230
    Signed-off-by: Goutham Pacha Ravi <email address hidden>
    (cherry picked from commit ad29f8a06513342fb63d665a36e16549ecf3aefc)
    (cherry picked from commit 1ee34c740bfe8f76d4c586beebc78d4b26459185)
