Browse Source

Enforce policy checks getting share-type by name

Policy checks are skipped when looking up a share-type
by name.  This causes share creation attempts that specify
a valid share-type to pass the early API check on share type
even if the share type named is private and not shared with
the user's project.  The share creation fails later, but after
the database record for the share is created.  Although the
operation fails with an ERROR, the share is stuck in CREATING
state.

Fix this issue by checking the user's project in the database
API just as we do for share type lookups by uuid.

Closes-bug: #1885956
Change-Id: If5fe32c155fe0861b3ed86b862335e062796056b
(cherry picked from commit f877deed51)
(cherry picked from commit e02cc6d6bc)
(cherry picked from commit 2f2ed258f7)
changes/43/742043/1
Tom Barron 1 month ago
committed by Goutham Pacha Ravi
parent
commit
644cdf4e4f
3 changed files with 11 additions and 3 deletions
  1. +2
    -1
      manila/api/v1/shares.py
  2. +1
    -2
      manila/db/sqlalchemy/api.py
  3. +8
    -0
      releasenotes/notes/bug-1885956-enforce-policy-check-getting-share-type-by-name-5eca17b02bea5261.yaml

+ 2
- 1
manila/api/v1/shares.py View File

@@ -357,7 +357,8 @@ class ShareMixin(object):
else:
share_type = share_types.get_share_type(
context, req_share_type)
except exception.ShareTypeNotFound:
except (exception.ShareTypeNotFound,
exception.ShareTypeNotFoundByName):
msg = _("Share type not found.")
raise exc.HTTPNotFound(explanation=msg)
elif not snapshot:


+ 1
- 2
manila/db/sqlalchemy/api.py View File

@@ -4028,8 +4028,7 @@ def share_type_get(context, id, inactive=False, expected_fields=None):


def _share_type_get_by_name(context, name, session=None):
result = (model_query(context, models.ShareTypes, session=session).
options(joinedload('extra_specs')).
result = (_share_type_get_query(context, session=session).
filter_by(name=name).
first())



+ 8
- 0
releasenotes/notes/bug-1885956-enforce-policy-check-getting-share-type-by-name-5eca17b02bea5261.yaml View File

@@ -0,0 +1,8 @@
---
fixes:
- |
Fixed `launchpad bug #1885956 <https://bugs.launchpad.net/manila/+bug/1885956>`_
by ensuring that policy checks are enforced when looking up a share-type
by name. This prevents a problem where shares could be stuck in CREATING
status when a user attempts to create a share using the name of a private
share-type to which the user lacks access.

Loading…
Cancel
Save