Enforce policy checks getting share-type by name

Policy checks are skipped when looking up a share-type by name. This causes share creation attempts that specify a valid share-type to pass the early API check on share type even if the share type named is private and not shared with the user's project. The share creation fails later, but after the database record for the share is created. Although the operation fails with an ERROR, the share is stuck in CREATING state. Fix this issue by checking the user's project in the database API just as we do for share type lookups by uuid. Closes-bug: #1885956 Change-Id: If5fe32c155fe0861b3ed86b862335e062796056b (cherry picked from commit f877deed51) (cherry picked from commit e02cc6d6bc) (cherry picked from commit 2f2ed258f7)
2020-07-01 17:09:40 -04:00 · 2020-07-01 17:09:40 -04:00 · 644cdf4e4f
commit 644cdf4e4f
parent ef79a1df75
3 changed files with 11 additions and 3 deletions
--- a/manila/api/v1/shares.py
+++ b/manila/api/v1/shares.py
@ -357,7 +357,8 @@ class ShareMixin(object):
                else:
                    share_type = share_types.get_share_type(
                        context, req_share_type)
-            except exception.ShareTypeNotFound:
+            except (exception.ShareTypeNotFound,
+                    exception.ShareTypeNotFoundByName):
                msg = _("Share type not found.")
                raise exc.HTTPNotFound(explanation=msg)
        elif not snapshot:
--- a/manila/db/sqlalchemy/api.py
+++ b/manila/db/sqlalchemy/api.py
@ -4028,8 +4028,7 @@ def share_type_get(context, id, inactive=False, expected_fields=None):


 def _share_type_get_by_name(context, name, session=None):
-    result = (model_query(context, models.ShareTypes, session=session).
-              options(joinedload('extra_specs')).
+    result = (_share_type_get_query(context, session=session).
              filter_by(name=name).
              first())

--- a/releasenotes/notes/bug-1885956-enforce-policy-check-getting-share-type-by-name-5eca17b02bea5261.yaml
+++ b/releasenotes/notes/bug-1885956-enforce-policy-check-getting-share-type-by-name-5eca17b02bea5261.yaml
@ -0,0 +1,8 @@
+---
+fixes:
+  - |
+    Fixed `launchpad bug #1885956 <https://bugs.launchpad.net/manila/+bug/1885956>`_
+    by ensuring that policy checks are enforced when looking up a share-type
+    by name.  This prevents a problem where shares could be stuck in CREATING
+    status when a user attempts to create a share using the name of a private
+    share-type to which the user lacks access.