Bug 1900760 - RPC call for Namespace resource creation allows invalid target bucket names
Summary: RPC call for Namespace resource creation allows invalid target bucket names
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenShift Container Storage
Classification: Red Hat Storage
Component: Multi-Cloud Object Gateway
Version: 4.6
Hardware: Unspecified
OS: Unspecified
low
low
Target Milestone: ---
: OCS 4.7.0
Assignee: Jacky Albo
QA Contact: Filip Balák
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-11-23 16:43 UTC by Filip Balák
Modified: 2021-05-19 09:17 UTC (History)
5 users (show)

Fixed In Version: v4.7.0-229.ci
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-19 09:16:24 UTC
Embargoed:

Attachments (Terms of Use)
Namespace Resources tab (80.75 KB, image/png)
2020-11-23 16:43 UTC, Filip Balák 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Github noobaa noobaa-core pull 6342 0 None closed Bug fixes 2021-02-17 13:38:09 UTC
Github noobaa noobaa-core pull 6346 0 None closed backport to 5.7: Bug fixes 2021-02-17 13:38:09 UTC
Red Hat Bugzilla 1900749 0 unspecified CLOSED Namespace Resource reported as Healthy when target bucket deleted 2021-06-01 08:47:24 UTC
Red Hat Product Errata RHSA-2021:2041 0 None None None 2021-05-19 09:17:01 UTC

Description Filip Balák 2020-11-23 16:43:58 UTC 
Created attachment 1732620 [details]
Namespace Resources tab

Description of problem (please be detailed as possible and provide log
snippests):
RPC call for Namespace resource creation allows invalid target bucket names like epmty string or special characters. This can lead to unexpected behaviour.

Version of all relevant components (if applicable):
ocs-operator.v4.6.0-160.ci


Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)?
4

Can this issue reproducible?
yes

Can this issue reproduce from the UI?
No, only by using developer tools in browser.

Steps to Reproduce:
1. Create connection Connection1 in Multi Cloud Object Gateway.
2. Send RPC with parameters:
  "pool_api",
  "create_namespace_resource",
  {"name": "invalid_resource", "connection": "Connection1", "target_bucket": ""}


Actual results:
RPC successfully passes and the resource is created. Resource called "invalid_resource" is created and its target bucket is set to [object Object]. It is reported as healthy in console and there can be created Namespace bucket with it.

Expected results:
RPC call should fail and in response should be appropriate error message.

Additional info:
Comment 3 Nimrod Becker 2020-11-24 09:14:16 UTC 
Following a triage meeting, moving to 4.7
Comment 6 Filip Balák 2021-01-21 14:45:55 UTC 
When invalid bucket name is provided, message "Target bucket doesn't exist" is in response and namespace resource is not created. --> VERIFIED

Tested with:
ocs-operator.v4.7.0-236.ci
Comment 7 Mudit Agarwal 2021-02-17 14:00:38 UTC 
Nimrod, do we need doc text for this?
Comment 11 errata-xmlrpc 2021-05-19 09:16:24 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Red Hat OpenShift Container Storage 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2041
Note You need to log in before you can comment on or make changes to this bug.