From 11971a94d3205b42ee9e2f7c9978b4bb979fdd71 Mon Sep 17 00:00:00 2001
From: Tom Barron
Date: Wed, 1 Jul 2020 17:09:40 -0400
Subject: [PATCH] Enforce policy checks getting share-type by name
Policy checks are skipped when looking up a share-type by name. This causes share creation attempts that specify a valid share-type to pass the early API check on share type even if the share type named is private and not shared with the user's project. The share creation fails later, but after the database record for the share is created. Although the operation fails with an ERROR, the share is stuck in CREATING state. Fix this issue by checking the user's project in the database API just as we do for share type lookups by uuid.
Closes-bug: #1885956
Change-Id: If5fe32c155fe0861b3ed86b862335e062796056b
(cherry picked from commit f877deed5186cff3a7ecfbce2536e72fc6013895)
(cherry picked from commit e02cc6d6bc92e354bc7f4220a05ec6fedf2ecc9c)
(cherry picked from commit 2f2ed258f7c273543495b5476af2c3558d51384d)
(cherry picked from commit 644cdf4e4ff965cb96b8cce5396042b6ac8abe7e)
---
 manila/api/v1/shares.py | 3 ++-
 manila/db/sqlalchemy/api.py | 3 +--
 ...check-getting-share-type-by-name-5eca17b02bea5261.yaml | 8 ++++++++
 3 files changed, 11 insertions(+), 3 deletions(-)
 create mode 100644 releasenotes/notes/bug-1885956-enforce-policy-check-getting-share-type-by-name-5eca17b02bea5261.yaml
diff --git a/manila/api/v1/shares.py b/manila/api/v1/shares.py
index 2d8fd9e8d6..d56a292e46 100644
--- a/manila/api/v1/shares.py
+++ b/manila/api/v1/shares.py
@@ -347,7 +347,8 @@ class ShareMixin(object):
 else:
 share_type = share_types.get_share_type(
 context, req_share_type)
- except exception.ShareTypeNotFound:
+ except (exception.ShareTypeNotFound,
+ exception.ShareTypeNotFoundByName):
 msg = _("Share type not found.")
 raise exc.HTTPNotFound(explanation=msg)
 elif not snapshot:
diff --git a/manila/db/sqlalchemy/api.py b/manila/db/sqlalchemy/api.py
index e169d9819d..b898c43667 100644
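Review bot: The widened `except` in ShareMixin carries no comment explaining why a by-name miss is reported exactly like a by-id miss, and that is the security-relevant part of the handler. With both exceptions mapped to the same `HTTPNotFound` and the same "Share type not found." message, a caller cannot tell a private share type its project may not see from a name that does not exist; I would record that with `# Same 404 for missing and inaccessible share types, so private type names are not confirmed to other projects.` above the `except`. The `try` and the by-name branch begin outside this hunk, so whether `ShareTypeNotFoundByName` is the only new exception that can reach here is inferred from the commit message rather than visible.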
--- a/manila/db/sqlalchemy/api.py
+++ b/manila/db/sqlalchemy/api.py
@@ -3938,8 +3938,7 @@ def share_type_get(context, id, inactive=False, expected_fields=None):
 def _share_type_get_by_name(context, name, session=None):
- result = (model_query(context, models.ShareTypes, session=session).
- options(joinedload('extra_specs')).
+ result = (_share_type_get_query(context, session=session).
 filter_by(name=name).
 first())
diff --git a/releasenotes/notes/bug-1885956-enforce-policy-check-getting-share-type-by-name-5eca17b02bea5261.yaml b/releasenotes/notes/bug-1885956-enforce-policy-check-getting-share-type-by-name-5eca17b02bea5261.yaml
new file mode 100644
index 0000000000..389ec9f268
--- /dev/null
+++ b/releasenotes/notes/bug-1885956-enforce-policy-check-getting-share-type-by-name-5eca17b02bea5261.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+ - |
+ Fixed `launchpad bug #1885956 `_
+ by ensuring that policy checks are enforced when looking up a share-type
+ by name. This prevents a problem where shares could be stuck in CREATING
+ status when a user attempts to create a share using the name of a private
+ share-type to which the user lacks access.
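Review bot: The patch carries no regression test for the access-control change in `_share_type_get_by_name`; the diffstat lists only the two source files and the release note. A test that performs the by-name lookup with a non-admin context from a project that has no access to a private share type, and expects `ShareTypeNotFoundByName`, would keep the project filter from being dropped again. `_share_type_get_query` is defined outside this hunk, so it is worth confirming that it still eager-loads `extra_specs` now that the explicit `options(joinedload('extra_specs'))` line is gone. A one-line docstring such as `"""Return the share type named name if the caller's project may see it."""` would record the intent; the function body continues past the hunk.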