manila leaks information about volume existence of other projects
Issue
- It should not be possible to see any information about volumes of other projects, but the manila list command displays volumes that the given user is not authorized to access:
$ manila list
+--------------------------------------+-------+-[...]-+-----------+-[...]-+
| ID                                   | Name  | [...] | Is Public | [...] |
+--------------------------------------+-------+-[...]-+-----------+-[...]-+
| a57cb81d-d5fa-4f92-8898-c13558dc2a67 | arjen | [...] | False     | [...] |
+--------------------------------------+-------+-[...]-+-----------+-[...]-+
- ACLs work as expected when trying to get more details about those volumes:
$ manila show b0758fbd-bb1c-47e7-875e-b72336111709
ERROR: Policy doesn't allow share:get to be performed. (HTTP 403) (Request-ID: req-50e432e1-b463-416b-9e79-769e68b9f6b1)
$ manila show b0758fbd-bb1c-47e7-875e-b7233611170f
ERROR: No share with a name or ID of 'b0758fbd-bb1c-47e7-875e-b7233611170f' exists.
- In both cases the response should be that the volume doesn't exist; a user should not be able to find out whether a volume exists in another project.
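The expected behaviour from the last point, as an added Python sketch that is not Manila's code and not part of the original article: the detail lookup answers a foreign share exactly like a missing one, and the listing is filtered by the same visibility rule. The in-memory store, the share IDs, the project names, all function names and the 404 status are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Share:
    id: str
    name: str
    project_id: str
    is_public: bool = False

class Forbidden(Exception):
    status = 403  # status shown on the page for the foreign share

class NotFound(Exception):
    status = 404  # assumed status for the "no share ... exists" answer

# Constructed sample data: IDs, names and projects are made up.
OWN, FOREIGN, MISSING = "0000-own", "0000-foreign", "0000-missing"
SHARES = {s.id: s for s in (Share(OWN, "docs", "project-a"),
                            Share(FOREIGN, "finance", "project-b"))}

def visible(share, project_id):
    return share.is_public or share.project_id == project_id

def list_shares(project_id):
    """Filter the listing by the same rule the detail lookup enforces."""
    return [s.name for s in SHARES.values() if visible(s, project_id)]

def get_share_leaky(share_id, project_id):
    """Reported behaviour: different errors for foreign and missing IDs."""
    share = SHARES.get(share_id)
    if share is None:
        raise NotFound(f"No share with a name or ID of '{share_id}' exists.")
    if not visible(share, project_id):
        raise Forbidden("Policy doesn't allow share:get to be performed.")
    return share

def get_share_uniform(share_id, project_id):
    """Expected behaviour: a foreign share is reported like a missing one."""
    share = SHARES.get(share_id)
    if share is None or not visible(share, project_id):
        raise NotFound(f"No share with a name or ID of '{share_id}' exists.")
    return share

def observe(getter, share_id, project_id):
    """What the caller sees: (status, message with the echoed ID masked)."""
    try:
        return 200, getter(share_id, project_id).name
    except (Forbidden, NotFound) as exc:
        return exc.status, str(exc).replace(share_id, "<id>")
```

Comparing `observe()` output for a foreign ID and a nonexistent ID works as a regression check: any difference in status or message means the lookup still reveals existence.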
Environment
- Red Hat OpenStack Platform 16.1 (RHOSP)