f18661b586
The database constraints which were present were enforcing the global uniqueness of package FQNs and the names of classes defined in them. This behavior was not correct, as the uniqueness should be enforced per tenant, so the same package may be uploaded into two isolated tenants without affecting each other. This behavior lead to a very serious security issue: any tenant could upload a package, leave it private and thus block all other tenants of the cloud from uploading the package with the same name or even other packages which contain at least one class in common with it. This could be used to intentionally block all the operations of Murano on any public environments. This fix modifies the package name constraint to be unique only in combination with owner_id, i.e. makes packages unique per tenant. Also it removes the class name uniquness check from database (as there is no cross-DB way to check it in a proper way) and adds a check method in db.api module instead. As the packages may be made public, this introduces a potential collision: if the user owns some package, and there is a public package with the same fully-qualified-name (or defining same class(es)) then the class loader of the engine will have to choise between these packages and/or classes defined in them. To resolve this collision this commit adds a logic to fetch all the patching packages and then pick the best match. Packages owned by the current tenant are the most preferred, then the engine will pick public packages, and non-owned non-public packages are the least preferred (there may be no such packages now, they may appear when we add other ways of package sharing). Closes-bug: #1440094 Change-Id: I5c9b49642dfb6e955cf0c98b42f418da3b82060a |
||
---|---|---|
.. | ||
functional | ||
unit | ||
__init__.py |