host prefixes for access allow should conflict with /32 and /128 prefixes

Bug #1767430 reported by Tom Barron
This bug affects 1 person
Affects: OpenStack Shared File Systems Service (Manila)
Status: Fix Released
Importance: High
Assigned to: Goutham Pacha Ravi

Bug Description

When used in 'manila access-allow', 172.17.5.13 and 172.17.5.13/32 select the same single IP, as do 2620:52:0:13b8::fe:e7 and 2620:52:0:13b8::fe:e7/128. Yet one can do 'manila access-allow' for all of these with contradictory access_level specifications, so that it is ambiguous whether access should be read-write or read-only for a given host.

(overcloud) [stack@undercloud-0 ~]$ manila access-list bcf04572-de15-42d6-b325-9a269bd643a9
+--------------------------------------+-------------+---------------------------+--------------+--------+------------+----------------------------+------------+
| id | access_type | access_to | access_level | state | access_key | created_at | updated_at |
+--------------------------------------+-------------+---------------------------+--------------+--------+------------+----------------------------+------------+
| 11131651-705d-4e11-8e3f-0dcd9c6e1a6e | ip | 172.17.5.13 | rw | active | None | 2018-04-26T19:09:06.000000 | None |
| 355e6ee3-a5cd-47ee-9352-a806f27ba00d | ip | 2620:52:0:13b8::fe:e7 | rw | active | None | 2018-04-27T15:22:48.000000 | None |
| 43420eb0-513e-4a2d-bda1-843484a50bf3 | ip | 172.17.5.13/32 | ro | active | None | 2018-04-27T16:05:32.000000 | None |
| 9edeb9c3-f5fb-4b8f-9a39-8c96f60cd79b | ip | 2620:52:0:13b8::fe:e7/128 | ro | active | None | 2018-04-27T16:06:04.000000 | None |
+--------------------------------------+-------------+---------------------------+--------------+--------+------------+----------------------------+------------+

The API should generate a CONFLICT error when contradictory access-allow commands are entered, just as it does when one issues an access allow command for a host address or for a prefix for which there is already an access rule.

Ben Swartzlander (bswartz) wrote :

The fix for this bug should include API tests to detect regressions

Changed in manila:
importance: Undecided → High
status: New → Triaged
Changed in manila:
assignee: nobody → Goutham Pacha Ravi (gouthamr)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (master)

Fix proposed to branch: master
Review: https://review.openstack.org/568364

Changed in manila:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to manila-tempest-plugin (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/568393

OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (master)

Reviewed: https://review.openstack.org/568364
Committed: https://git.openstack.org/cgit/openstack/manila/commit/?id=50f957eefdd97eca470ae66adad3e993aa8aaaa8
Submitter: Zuul
Branch: master

commit 50f957eefdd97eca470ae66adad3e993aa8aaaa8
Author: Goutham Pacha Ravi <email address hidden>
Date: Mon May 14 12:50:38 2018 -0700

    Fix access control for single host addresses

    In CIDR notation, the max prefix-length is typically
    used to denote individual host addresses, for example:
    2620:52:0:13b8::fe:e7 and 2620:52:0:13b8::fe:e7/128
    are semantically the same.

    Fix the access-allow API to raise 400 Bad Request if
    an address by either notation already exists in the
    manila database for a given share.

    Change-Id: I6e790fd0edd82064a3c5cda8a919c9eeb2da85d0
    Closes-Bug: 1767430
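
The duplicate check described in the commit message above can be sketched as follows; this is an added example, not Manila's code. The names `canonical_access_to`, `check_new_rule`, `find_conflicts` and `DuplicateAccessRule` are hypothetical, and the rule ids are constructed placeholders. It also audits already-stored rules for the ambiguity shown in the bug description.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the four 'ip' rules from the access-list output above,
# with short placeholder ids instead of the real UUIDs.
RULES = [
    ("rule-1", "172.17.5.13", "rw"),
    ("rule-2", "2620:52:0:13b8::fe:e7", "rw"),
    ("rule-3", "172.17.5.13/32", "ro"),
    ("rule-4", "2620:52:0:13b8::fe:e7/128", "ro"),
]


class DuplicateAccessRule(Exception):
    """A new rule selects exactly the same addresses as an existing rule."""


def canonical_access_to(access_to):
    """Map host, host/32 and host/128 spellings to one canonical string."""
    # ip_network() gives a bare address the maximum prefix length and
    # compresses IPv6 text; it raises ValueError on malformed input or on
    # a prefix with host bits set (for example 172.17.5.13/24).
    return str(ipaddress.ip_network(access_to))


def check_new_rule(existing_rules, access_to):
    """Return the canonical target, or raise if it is already covered."""
    wanted = canonical_access_to(access_to)
    for rule_id, target, level in existing_rules:
        # Only identical targets count here; overlapping but different
        # prefixes are outside what the bug report asks for.
        if canonical_access_to(target) == wanted:
            raise DuplicateAccessRule(
                f"{access_to} duplicates {rule_id} ({target}, {level})")
    return wanted


def find_conflicts(rules):
    """Audit stored rules: canonical target -> sorted levels, if ambiguous."""
    levels = defaultdict(set)
    for _rule_id, target, level in rules:
        levels[canonical_access_to(target)].add(level)
    return {t: sorted(v) for t, v in levels.items() if len(v) > 1}


if __name__ == "__main__":
    print(find_conflicts(RULES))
```

Running `find_conflicts` over rules created before the fix shows which shares still carry contradictory access levels for the same host.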

Changed in manila:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/manila 7.0.0.0b2

This issue was fixed in the openstack/manila 7.0.0.0b2 development milestone.

OpenStack Infra (hudson-openstack) wrote : Related fix merged to manila-tempest-plugin (master)

Reviewed: https://review.openstack.org/568393
Committed: https://git.openstack.org/cgit/openstack/manila-tempest-plugin/commit/?id=7c56035bb68d16b52b73de17b61c3bb08e18fe82
Submitter: Zuul
Branch: master

commit 7c56035bb68d16b52b73de17b61c3bb08e18fe82
Author: Goutham Pacha Ravi <email address hidden>
Date: Mon May 14 16:13:01 2018 -0700

    Test access control for single host addresses

    In CIDR notation, the max prefix-length is typically
    used to denote individual host addresses, for example:
    2620:52:0:13b8::fe:e7 and 2620:52:0:13b8::fe:e7/128
    are semantically the same.

    Test the fix submitted in
    I6e790fd0edd82064a3c5cda8a919c9eeb2da85d0

    Depends-On: https://review.openstack.org/#/c/568364/
    Depends-On: https://review.openstack.org/#/c/568650
    Change-Id: Ife0db1db1b3c1efc99b34da972701cf6011e907a
    Related-Bug: 1767430

OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/575595

OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (stable/queens)

Reviewed: https://review.openstack.org/575595
Committed: https://git.openstack.org/cgit/openstack/manila/commit/?id=8ac7bf43e7bf4c032a131864d539b89e8ce60101
Submitter: Zuul
Branch: stable/queens

commit 8ac7bf43e7bf4c032a131864d539b89e8ce60101
Author: Goutham Pacha Ravi <email address hidden>
Date: Mon May 14 12:50:38 2018 -0700

    Fix access control for single host addresses

    In CIDR notation, the max prefix-length is typically
    used to denote individual host addresses, for example:
    2620:52:0:13b8::fe:e7 and 2620:52:0:13b8::fe:e7/128
    are semantically the same.

    Fix the access-allow API to raise 400 Bad Request if
    an address by either notation already exists in the
    manila database for a given share.

    Change-Id: I6e790fd0edd82064a3c5cda8a919c9eeb2da85d0
    Closes-Bug: 1767430
    (cherry picked from commit 50f957eefdd97eca470ae66adad3e993aa8aaaa8)

tags: added: in-stable-queens
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/manila 6.0.2

This issue was fixed in the openstack/manila 6.0.2 release.
