From 2f2ed258f7c273543495b5476af2c3558d51384d Mon Sep 17 00:00:00 2001
From: Tom Barron
Date: Wed, 1 Jul 2020 17:09:40 -0400
Subject: [PATCH] Enforce policy checks getting share-type by name
Policy checks are skipped when looking up a share-type by name. This causes share creation attempts that specify a valid share-type to pass the early API check on share type even if the share type named is private and not shared with the user's project. The share creation fails later, but after the database record for the share is created. Although the operation fails with an ERROR, the share is stuck in CREATING state. Fix this issue by checking the user's project in the database API just as we do for share type lookups by uuid.
Closes-bug: #1885956
Change-Id: If5fe32c155fe0861b3ed86b862335e062796056b
(cherry picked from commit f877deed5186cff3a7ecfbce2536e72fc6013895)
(cherry picked from commit e02cc6d6bc92e354bc7f4220a05ec6fedf2ecc9c)
---
 manila/api/v1/shares.py | 3 ++-
 manila/db/sqlalchemy/api.py | 3 +--
 ...check-getting-share-type-by-name-5eca17b02bea5261.yaml | 8 ++++++++
 3 files changed, 11 insertions(+), 3 deletions(-)
 create mode 100644 releasenotes/notes/bug-1885956-enforce-policy-check-getting-share-type-by-name-5eca17b02bea5261.yaml
diff --git a/manila/api/v1/shares.py b/manila/api/v1/shares.py
index fa1fa7856f..396aedc832 100644
--- a/manila/api/v1/shares.py
+++ b/manila/api/v1/shares.py
@@ -364,7 +364,8 @@ class ShareMixin(object):
 else:
 share_type = share_types.get_share_type(
 context, req_share_type)
- except exception.ShareTypeNotFound:
+ except (exception.ShareTypeNotFound,
+ exception.ShareTypeNotFoundByName):
 msg = _("Share type not found.")
 raise exc.HTTPNotFound(explanation=msg)
 elif not snapshot:
diff --git a/manila/db/sqlalchemy/api.py b/manila/db/sqlalchemy/api.py
index 389779a062..3454158516 100644
--- a/manila/db/sqlalchemy/api.py
+++ b/manila/db/sqlalchemy/api.py
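Review bot: In the manila/api/v1/shares.py hunk, the widened `except` now also answers a by-name lookup of a type the caller may not see, and nothing in the code says that returning the same 404 and message as for a missing type is deliberate. A comment above the handler would keep a later change from splitting the two cases and turning the response into an existence check for private share types, e.g. `# A private type not shared with the caller's project must look exactly like a missing one.` The enclosing `try` opens outside this hunk, so which lookups it wraps is not visible here. Any other API path that resolves a share type by name with a request context presumably needs the same `ShareTypeNotFoundByName` handling, otherwise the stricter lookup would surface there as an unhandled error.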
@@ -4169,8 +4169,7 @@ def share_type_get(context, id, inactive=False, expected_fields=None):
 def _share_type_get_by_name(context, name, session=None):
- result = (model_query(context, models.ShareTypes, session=session).
- options(joinedload('extra_specs')).
+ result = (_share_type_get_query(context, session=session).
 filter_by(name=name).
 first())
diff --git a/releasenotes/notes/bug-1885956-enforce-policy-check-getting-share-type-by-name-5eca17b02bea5261.yaml b/releasenotes/notes/bug-1885956-enforce-policy-check-getting-share-type-by-name-5eca17b02bea5261.yaml
new file mode 100644
index 0000000000..389ec9f268
--- /dev/null
+++ b/releasenotes/notes/bug-1885956-enforce-policy-check-getting-share-type-by-name-5eca17b02bea5261.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+ - |
+ Fixed `launchpad bug #1885956 `_
+ by ensuring that policy checks are enforced when looking up a share-type
+ by name. This prevents a problem where shares could be stuck in CREATING
+ status when a user attempts to create a share using the name of a private
+ share-type to which the user lacks access.
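Review bot: The swap to `_share_type_get_query` in `_share_type_get_by_name` is the whole access-control fix, yet the diffstat lists only the two source files and the release note, so no test in this patch pins it. A unit test that looks up a private type by name with a non-admin context from a project without access and expects the lookup to fail as not found, plus one for a project that has been granted access, would guard against the filter being dropped again. Since `_share_type_get_query` is defined outside this hunk, its project filter and its defaults (for example how deleted rows are treated) should be confirmed to match what by-name callers relied on. A one-line docstring would also make the contract visible: `"""Return the share type called name if it is visible to context's project."""`. The function body continues past the end of the hunk.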