From 644cdf4e4ff965cb96b8cce5396042b6ac8abe7e Mon Sep 17 00:00:00 2001
From: Tom Barron
Date: Wed, 1 Jul 2020 17:09:40 -0400
Subject: [PATCH] Enforce policy checks getting share-type by name Policy checks are skipped when looking up a share-type by name. This causes share creation attempts that specify a valid share-type to pass the early API check on share type even if the share type named is private and not shared with the user's project. The share creation fails later, but after the database record for the share is created. Although the operation fails with an ERROR, the share is stuck in CREATING state. Fix this issue by checking the user's project in the database API just as we do for share type lookups by uuid. Closes-bug: #1885956 Change-Id: If5fe32c155fe0861b3ed86b862335e062796056b (cherry picked from commit f877deed5186cff3a7ecfbce2536e72fc6013895) (cherry picked from commit e02cc6d6bc92e354bc7f4220a05ec6fedf2ecc9c) (cherry picked from commit 2f2ed258f7c273543495b5476af2c3558d51384d)
---
 manila/api/v1/shares.py | 3 ++-
 manila/db/sqlalchemy/api.py | 3 +--
 ...check-getting-share-type-by-name-5eca17b02bea5261.yaml | 8 ++++++++
 3 files changed, 11 insertions(+), 3 deletions(-)
 create mode 100644 releasenotes/notes/bug-1885956-enforce-policy-check-getting-share-type-by-name-5eca17b02bea5261.yaml
diff --git a/manila/api/v1/shares.py b/manila/api/v1/shares.py
index 4c782cb23b..c6f5183bc0 100644
--- a/manila/api/v1/shares.py
+++ b/manila/api/v1/shares.py
@@ -357,7 +357,8 @@ class ShareMixin(object):
 else:
 share_type = share_types.get_share_type(
 context, req_share_type)
- except exception.ShareTypeNotFound:
+ except (exception.ShareTypeNotFound,
+ exception.ShareTypeNotFoundByName):
 msg = _("Share type not found.")
 raise exc.HTTPNotFound(explanation=msg)
 elif not snapshot:
diff --git a/manila/db/sqlalchemy/api.py b/manila/db/sqlalchemy/api.py
index 9d7ddae2fb..71c4e6e286 100644
--- a/manila/db/sqlalchemy/api.py
+++ b/manila/db/sqlalchemy/api.py
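Review bot: In manila/api/v1/shares.py the widened `except` returns the same 404 for a share type that does not exist and for a private one the caller's project cannot see, but nothing in the handler says this is deliberate. A short comment above the `except` would keep a later change from splitting the two cases and disclosing which private share-type names exist, e.g. `# Missing and inaccessible private share types get the same 404 so private type names are not disclosed.` The enclosing `try` and the by-name lookup it guards start above the hunk, so this assumes that lookup is what raises `ShareTypeNotFoundByName`.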
@@ -4028,8 +4028,7 @@ def share_type_get(context, id, inactive=False, expected_fields=None):
 def _share_type_get_by_name(context, name, session=None):
- result = (model_query(context, models.ShareTypes, session=session).
- options(joinedload('extra_specs')).
+ result = (_share_type_get_query(context, session=session).
 filter_by(name=name).
 first())
diff --git a/releasenotes/notes/bug-1885956-enforce-policy-check-getting-share-type-by-name-5eca17b02bea5261.yaml b/releasenotes/notes/bug-1885956-enforce-policy-check-getting-share-type-by-name-5eca17b02bea5261.yaml
new file mode 100644
index 0000000000..389ec9f268
--- /dev/null
+++ b/releasenotes/notes/bug-1885956-enforce-policy-check-getting-share-type-by-name-5eca17b02bea5261.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+ - |
+ Fixed `launchpad bug #1885956 `_
+ by ensuring that policy checks are enforced when looking up a share-type
+ by name. This prevents a problem where shares could be stuck in CREATING
+ status when a user attempts to create a share using the name of a private
+ share-type to which the user lacks access.
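Review bot: In manila/db/sqlalchemy/api.py, `_share_type_get_by_name` now gets its project-visibility check only implicitly, from the choice of `_share_type_get_query` over `model_query`, and the diffstat lists no test file, so nothing would fail if a later refactor swapped the helper back. A regression test that looks up a private share type by name with a non-admin context from another project and expects the not-found-by-name error would pin the fix; a comment such as `# _share_type_get_query applies the project-access filter; do not replace with a bare model_query.` would flag it for readers. The helper's body is outside the hunk, so it is also worth confirming that it still eager-loads `extra_specs`, which the removed `options(joinedload('extra_specs'))` line used to do here. The function itself continues past the end of the hunk.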