openstack/cinder
Code Issues Proposed changes

Don't show host info to non-admins

Browse Source 
While getting volume details, if the user is a non-admin then
hide the host name.

Change-Id: Iaf0ac52d9227f9a0efbf32b1faca78c8456a84ca
Closes-Bug: #1740950
This commit is contained in:
Rajat Dhasmana 2020-05-11 08:21:09 +00:00
parent beb96cd710
commit 9d5c340130
2 changed files with 32 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
cinder/api/v2/views/volumes.py
View File

@ -91,7 +91,11 @@ class ViewBuilder(common.ViewBuilder):
'multiattach': volume.get('multiattach'), 'multiattach': volume.get('multiattach'),
} }
} }
if request.environ['cinder.context'].is_admin: ctxt = request.environ['cinder.context']
if not ctxt.is_admin:
if volume_ref.get('attachments'):
volume_ref['volume']['attachments']['host_name'] = None
if ctxt.is_admin:
volume_ref['volume']['migration_status'] = ( volume_ref['volume']['migration_status'] = (
volume.get('migration_status')) volume.get('migration_status'))
@ -100,7 +104,6 @@ class ViewBuilder(common.ViewBuilder):
group_id = volume.get('group_id') group_id = volume.get('group_id')
if group_id is not None: if group_id is not None:
# Not found exception will be handled at the wsgi level # Not found exception will be handled at the wsgi level
ctxt = request.environ['cinder.context']
grp = group_api.API().get(ctxt, group_id) grp = group_api.API().get(ctxt, group_id)
cgsnap_type = group_types.get_default_cgsnapshot_type() cgsnap_type = group_types.get_default_cgsnapshot_type()
if grp.group_type_id == cgsnap_type['id']: if grp.group_type_id == cgsnap_type['id']:

27
releasenotes/notes/fix-host-info-in-volume-details-1759280bd236421e.yaml Normal file
View File

@ -0,0 +1,27 @@
---
upgrade:
- |
Due to the fix for `Bug #1740950
<https://bugs.launchpad.net/cinder/+bug/1740950>`_, the
``host_name`` field in any object in the ``attachments``
array of the volume detail response is populated only when
the call is made in an administrative context. Otherwise,
its value is the JSON ``null`` value. This is consistent with
prior API behavior, as it has always been possible for the
value of that field to be ``null``.
security:
- |
It was possible under certain circumstances for the host name
of an instance to be leaked in the volume detail response. This
has been fixed in the current release. The ``host_name`` field
in any object in the ``attachments`` array of the volume
detail response is populated only when the call is made in an
administrative context. Otherwise, its value is the JSON ``null``
value.
fixes:
- |
`Bug #1740950 <https://bugs.launchpad.net/cinder/+bug/1740950>`_:
the ``host_name`` field in any object in the ``attachments`` array
of the volume detail response is populated only when the call is
made in an administrative context. Otherwise, its value is the
JSON ``null`` value.