manila leaks information about volume existence of other projects

Solution In Progress - Updated -

Issue

  • It should not be possible to see any information about volumes of other projects, but `manila list` displays volumes that a given user is not authorized to access:
$ manila list
+--------------------------------------+-------+-[...]-+-----------+-[...]-+
| ID                                   | Name  | [...] | Is Public | [...] |
+--------------------------------------+-------+-[...]-+-----------+-[...]-+
| a57cb81d-d5fa-4f92-8898-c13558dc2a67 | arjen | [...] | False     | [...] |
+--------------------------------------+-------+-[...]-+-----------+-[...]-+
  • ACLs work as expected when trying to get more details about those volumes:
$ manila show b0758fbd-bb1c-47e7-875e-b72336111709
ERROR: Policy doesn't allow share:get to be performed. (HTTP 403) (Request-ID: req-50e432e1-b463-416b-9e79-769e68b9f6b1)
$ manila show b0758fbd-bb1c-47e7-875e-b7233611170f
ERROR: No share with a name or ID of 'b0758fbd-bb1c-47e7-875e-b7233611170f' exists.
  • In both cases the response should be that the volume doesn't exist; a user should not be able to find out whether a volume exists in another project.
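
A regression check for the behaviour described above, added here as an example (it is not part of the original article or of Manila). It strips request IDs and share IDs from the two CLI errors and reports anything that still tells "exists in another project" apart from "does not exist"; the function names are hypothetical and the EXPECTED pair is constructed.

```python
import re

# Values that legitimately differ between two requests and must be ignored.
REQ_ID_RE = re.compile(r"\(Request-ID: req-[0-9a-f-]+\)")
HTTP_RE = re.compile(r"\(HTTP (\d{3})\)")
UUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")


def normalize(cli_error):
    """Return (http_status, message) with per-request values removed."""
    status = HTTP_RE.search(cli_error)
    text = REQ_ID_RE.sub("", cli_error)   # before UUID_RE: the ID embeds a UUID
    text = HTTP_RE.sub("", text)
    text = UUID_RE.sub("<id>", text)
    return (status.group(1) if status else None, " ".join(text.split()))


def oracle_findings(foreign_error, missing_error):
    """List what still distinguishes 'exists elsewhere' from 'does not exist'."""
    f_status, f_text = normalize(foreign_error)
    m_status, m_text = normalize(missing_error)
    findings = []
    if f_status != m_status:
        findings.append(f"status differs: {f_status} vs {m_status}")
    if f_text != m_text:
        findings.append(f"message differs: {f_text!r} vs {m_text!r}")
    return findings


# Output shown in the article: share in another project vs. nonexistent ID.
REPORTED = (
    "ERROR: Policy doesn't allow share:get to be performed. (HTTP 403) "
    "(Request-ID: req-50e432e1-b463-416b-9e79-769e68b9f6b1)",
    "ERROR: No share with a name or ID of "
    "'b0758fbd-bb1c-47e7-875e-b7233611170f' exists.",
)
# Constructed: the behaviour the article asks for (same answer in both cases).
EXPECTED = (
    "ERROR: No share with a name or ID of "
    "'b0758fbd-bb1c-47e7-875e-b72336111709' exists.",
    REPORTED[1],
)

if __name__ == "__main__":
    for label, pair in (("reported", REPORTED), ("expected", EXPECTED)):
        print(label, oracle_findings(*pair) or "indistinguishable")
```

An empty result means the two responses are identical once per-request values are removed; it does not cover response timing.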

Environment

  • Red Hat OpenStack Platform 16.1 (RHOSP)
