Manila leaks information about the existence of volumes in other projects

Solution In Progress - Updated -


  • It should not be possible to see any information about volumes of other projects, but manila list displays volumes that a given user is not authorized to access:
$ manila list
| ID                                   | Name  | [...] | Is Public | [...] |
| a57cb81d-d5fa-4f92-8898-c13558dc2a67 | arjen | [...] | False     | [...] |
  • ACLs work as expected when trying to get more details about those volumes:
$ manila show b0758fbd-bb1c-47e7-875e-b72336111709
ERROR: Policy doesn't allow share:get to be performed. (HTTP 403) (Request-ID: req-50e432e1-
$ manila show b0758fbd-bb1c-47e7-875e-b7233611170f
ERROR: No share with a name or ID of 'b0758fbd-bb1c-47e7-875e-b7233611170f' exists.
  • In both cases the response should be that the volume doesn't exist. A user should not be able to find out whether a volume exists in another project.
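
The difference between the reported behaviour and the expected one, as an added example (not Manila source code and not part of the original article). All class and function names, the sample shares, and the visibility rule (own project or public) are assumptions made for illustration.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Would be returned to the client as HTTP 403."""

class NotFound(Exception):
    """Would be returned to the client as HTTP 404."""

@dataclass(frozen=True)
class Share:
    id: str
    project_id: str
    is_public: bool = False

# Constructed sample data: one share per project, IDs are placeholders.
SHARES = {s.id: s for s in (Share("share-a", "project-a"),
                            Share("share-b", "project-b"))}

def visible(share, project_id):
    # Assumed rule: a share is visible to its own project or when public.
    return share.is_public or share.project_id == project_id

def list_leaky(project_id):
    # Behaviour reported above: the listing is not filtered by project.
    return sorted(SHARES)

def list_scoped(project_id):
    return sorted(s.id for s in SHARES.values() if visible(s, project_id))

def show_leaky(share_id, project_id):
    share = SHARES.get(share_id)
    if share is None:
        raise NotFound(share_id)
    if not visible(share, project_id):
        raise Forbidden(share_id)  # a 403 confirms that the ID exists
    return share

def show_scoped(share_id, project_id):
    share = SHARES.get(share_id)
    # Missing and not-visible take the same path, so the caller sees one answer.
    if share is None or not visible(share, project_id):
        raise NotFound(share_id)
    return share

def outcome(show, share_id, project_id):
    """Name of the response a caller would observe, for comparing cases."""
    try:
        show(share_id, project_id)
        return "OK"
    except (Forbidden, NotFound) as exc:
        return type(exc).__name__
```

Comparing outcome() for a foreign ID and a nonexistent ID gives a regression check for this class of leak: the two results must be identical.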


  • Red Hat OpenStack Platform 16.1 (RHOSP)
