User can list other tenant's and admin's export locations
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Shared File Systems Service (Manila) | Fix Released | Low | Goutham Pacha Ravi | |
| Ocata | Won't Fix | Wishlist | Unassigned | |
| Pike | Won't Fix | Low | Goutham Pacha Ravi | |
| Queens | Fix Released | Low | Tom Barron | |
| Rocky | Fix Released | Low | Tom Barron | |
| Stein | Fix Released | Low | Goutham Pacha Ravi | |
| Train | Fix Released | Low | Goutham Pacha Ravi | |
| Ussuri | Fix Released | Low | Goutham Pacha Ravi | |
Bug Description
Currently, the share export locations API allows any tenant to obtain the export locations of any other tenant's share.
See the below URL:
64350ec996cb4d9
e93eb079-
This is because the API layer of the share export locations controller goes directly to the database to obtain the export locations for the supplied share ID.
The ownership check is performed in the Share/API layer, which is never invoked in this workflow, so the tenant-scoping that every other share lookup receives is skipped here.
Most surprisingly of all, the tempest tests:
- test_export_
- test_export_
... should not be passing at all (and should be negative tests), as they are testing if a non-admin tenant is able to obtain and list export locations of a share created by the admin_client used by tempest.
Affected releases:
- Liberty
- Mitaka
- Newton
- Ocata
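The root cause described above (a controller that queries the database by share ID without passing through the layer that enforces ownership) and the negative test the reporter says tempest should have had are illustrated together in the following added example. It is not Manila's code: the context, share record, in-memory "database" and all share IDs are constructed for the illustration, and the function names (`share_api_get`, `export_locations_index_vulnerable`, `export_locations_index_fixed`) are hypothetical stand-ins for the layers the bug report names.

```python
"""Added illustration (not Manila's code) of an ownership check that lives in the
API layer and is bypassed by a controller that reads the database directly."""
from dataclasses import dataclass, field


class NotFound(Exception):
    """What a caller sees when a share is not visible to it."""


@dataclass
class Context:
    # Hypothetical request context: the caller's project (tenant) and admin flag.
    project_id: str
    is_admin: bool = False


@dataclass
class Share:
    id: str
    project_id: str
    export_locations: list = field(default_factory=list)


# Constructed sample data: one share per tenant plus one owned by the admin project.
SHARE_A_ID = "11111111-1111-4111-8111-111111111111"
SHARE_B_ID = "22222222-2222-4222-8222-222222222222"
SHARE_ADMIN_ID = "33333333-3333-4333-8333-333333333333"
DB = {
    SHARE_A_ID: Share(SHARE_A_ID, "tenant-a", ["10.0.0.10:/shares/share-a"]),
    SHARE_B_ID: Share(SHARE_B_ID, "tenant-b", ["10.0.0.11:/shares/share-b"]),
    SHARE_ADMIN_ID: Share(SHARE_ADMIN_ID, "admin", ["10.0.0.12:/shares/admin"]),
}


def db_export_locations_get_all_by_share_id(share_id):
    """Database layer: a plain lookup with no authorization at all."""
    share = DB.get(share_id)
    if share is None:
        raise NotFound(share_id)
    return list(share.export_locations)


def share_api_get(context, share_id):
    """Share API layer: the only place ownership is enforced.

    Non-admin callers may only see shares in their own project; a foreign share
    is reported as NotFound rather than Forbidden so the UUID is not confirmed."""
    share = DB.get(share_id)
    if share is None or (not context.is_admin and share.project_id != context.project_id):
        raise NotFound(share_id)
    return share


def export_locations_index_vulnerable(context, share_id):
    """The pattern in the bug: controller goes straight to the DB by share ID,
    so the context is accepted but never consulted."""
    return db_export_locations_get_all_by_share_id(share_id)


def export_locations_index_fixed(context, share_id):
    """The fix: resolve the share through the API layer first; NotFound is raised
    for shares the caller does not own before any export location is read."""
    share = share_api_get(context, share_id)
    return db_export_locations_get_all_by_share_id(share.id)


def negative_test(index_func):
    """Tempest-style negative test: a non-admin tenant asks for another tenant's
    share. Returns True only when the request is denied."""
    tenant_b = Context("tenant-b")
    try:
        index_func(tenant_b, SHARE_A_ID)
    except NotFound:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable controller denies foreign share:", negative_test(export_locations_index_vulnerable))
    print("fixed controller denies foreign share:     ", negative_test(export_locations_index_fixed))
    print("owner still sees its own locations:        ",
          export_locations_index_fixed(Context("tenant-a"), SHARE_A_ID))
    print("admin still sees any share:                ",
          export_locations_index_fixed(Context("ops", is_admin=True), SHARE_A_ID))
```

The fixed controller deliberately returns the same NotFound for a share that does not exist and for one owned by another project, so the response does not leak whether a guessed or leaked UUID is valid; the owner and an admin context keep working unchanged.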
Changed in manila:
- importance: High → Low
- information type: Private Security → Public Security

Changed in manila:
- status: Confirmed → In Progress

Changed in manila:
- assignee: Tom Barron (tpb) → Goutham Pacha Ravi (gouthamr)
- tags: added: security
- information type: Public Security → Public
- tags: added: in-stable-stein in-stable-train
Recommended workaround for this bug: don't share the UUIDs of shares with other tenants.
Risk for this bug is fairly low because UUIDs are impossible to guess and a successful security breach would require obtaining the UUIDs using another security exploit. Also, this bug leaks sensitive information but doesn't allow actual access to the data unless a separate exploit is used to bypass share access control.