manilla leaks information about volume existance of other projects

Solution In Progress - Updated -


  • It should not be possible to see any information about volumes of other projects but manila list display volumes that are not authorized to a given user:
$ manila list
| ID
| Name | [...] | Is Public | [...] |
| a57cb81d-d5fa-4f92-8898-c13558dc2a67 | arjen | [...] | False
| [...] |
  • ACLs work as expected when trying to get more details about those volumes:
$ manila show b0758fbd-bb1c-47e7-875e-b72336111709
ERROR: Policy doesn't allow share:get to be performed. (HTTP 403) (Request-ID: req-50e432e1-
$ manila show b0758fbd-bb1c-47e7-875e-b7233611170f
ERROR: No share with a name or ID of 'b0758fbd-bb1c-47e7-875e-b7233611170f' exists.
  • In both cases the response should be that the volume doesn't exist, a user should not be able to find out if a volume exists in another project.


  • Red Hat OpenStack Platform 16.1 (RHOSP)

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content