[kolla] [train] [cinder] Volume multiattach exposed to non-admin users via API

Rajat Dhasmana rdhasman at redhat.com
Thu Feb 23 09:33:12 UTC 2023


Hi,

It looks like there is confusion between 3 things:
1) Multiattach volume type
2) multiattach flag on the volume
3) The policy volume:multiattach

I will try to briefly describe all of the 3 so there is clarity on the
issue.
1) Multiattach volume type: This is a volume type created with an extra
spec *multiattach="<is> True"*. This allows multiattach volumes to be
created by using this type.
Previously we used to allow a parameter *--allow-multiattach* while
creating the volume. This was deprecated in Queens and removed in Train in
favor of the volume type way of creating the multiattach volume[1].
2) Multiattach flag of a volume: This is a parameter of volume that
specifies if a volume is multiattach or not.
3) volume:multiattach policy: The policy verifies if the user creating a
multiattach volume is *member* or *admin* (and not *reader*).

Coming to the issue, I verified that what you're observing is correct. We
removed the support for providing the "multiattach" flag from cinderclient
and openstackclient but there still exists code on the API side that allows
you to provide "multiattach": "True" in the JSON body of a curl command to
create a multiattach volume.
I will work on fixing the issue on the API side. In the meantime, can you
report an issue on launchpad for the same?

https://bugs.launchpad.net/cinder/+filebug

*Snippet of curl command*
$ curl -g -i -X POST \
  http://127.0.0.1/volume/v3/a5df9e29f521464f9158ff7a30b7e51f/volumes \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -H "User-Agent: python-cinderclient" \
  -H "X-Auth-Token: gAAAAABj9zDtZO1mTld-BC-Yd8FRHDunc4-Xyg1jsgLembA-Ke7cr8aA4kCHHYYB4EPvhq1xL02FBYuXahhYBl_nKWjVbOTpd7R3kS4Libf-Kd9ackaYpWq4Mq4g7-2ORi7FcVg2IOdj3wUkDWegu9lI5PI-brNsAGUh8R1fW_y5bpDYWtfEFdw" \
  -d '{"volume": {"size": 1, "consistencygroup_id": null, "snapshot_id": null,
               "name": null, "description": null, "volume_type": null,
               "availability_zone": null, "metadata": {}, "imageRef": null,
               "source_volid": null, "backup_id": null, "multiattach": "True"}}'
HTTP/1.1 202 Accepted
Date: Thu, 23 Feb 2023 09:25:23 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Type: application/json
x-compute-request-id: req-131b4a2d-f9d4-4d9d-b99c-c52012056dec
Content-Length: 798
OpenStack-API-Version: volume 3.0
Vary: OpenStack-API-Version
x-openstack-request-id: req-131b4a2d-f9d4-4d9d-b99c-c52012056dec
Connection: close

[1]
https://github.com/openstack/python-cinderclient/commit/3c1b417959689c85a2f54505057ca995fedca075

Thanks
Rajat Dhasmana

On Thu, Feb 23, 2023 at 3:08 AM Albert Braden <ozzzo at yahoo.com> wrote:

> We didn't create a multi-attach volume type, and when we try to create a
> multi-attach volume via CLI we aren't able to. It appears that our customer
> was able to circumvent the restriction by using the API via TF. Is this a
> bug?
> On Wednesday, February 22, 2023, 02:32:57 PM EST, Danny Webb <
> danny.webb at thehutgroup.com> wrote:
>
>
> Creating a volume is not the same as creating a volume type.  A tenant can
> consume a volume type that allows multi-attach with no issue as you see in
> that policy.
> ------------------------------
> *From:* Albert Braden <ozzzo at yahoo.com>
> *Sent:* 22 February 2023 17:12
> *To:* Openstack-discuss <openstack-discuss at lists.openstack.org>
> *Subject:* [kolla] [train] [cinder] Volume multiattach exposed to
> non-admin users via API
>
> According to this document [1] multiattach volumes can only be setup if
> explicitly allowed by creating a “multiattach” volume type.
>
> “Starting from the Queens release the ability to attach a volume to
> multiple hosts/servers requires that the volume is of a special type that
> includes an extra-spec capability setting of multiattach=<is> True…
> Creating a new volume type is an admin-only operation by default.”
>
> One of our customers appears to have used TerraForm to create a volume
> with the multiattach flag set and it worked, and that volume has multiple
> attachments. When I look here [2] it appears that the default is:
>
> #"volume:multiattach": "rule:xena_system_admin_or_project_member"
>
> So it looks like, by default, any project member can create a multiattach
> volume. What am I missing?
>
> [1]:
> https://docs.openstack.org/cinder/latest/admin/volume-multiattach.html
> [2]:
> https://docs.openstack.org/cinder/latest/configuration/block-storage/samples/policy.yaml.html#policy-file
>
> *Danny Webb*
> Principal OpenStack Engineer
> Danny.Webb at thehutgroup.com
> www.thg.com
>
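An added example, not code from Cinder or from anyone in this thread, showing the server-side handling Rajat's reply describes: reject the legacy "multiattach" key in the volume-create body, derive the flag only from the volume type's multiattach="<is> True" extra spec, apply the member-or-admin check of volume:multiattach, and audit existing volumes for ones whose flag does not match their type. The volume-type table, role names and volume records are constructed sample data.

```python
"""Added example (not Cinder's code): enforce multiattach through the volume
type and its policy, and audit volumes created through the legacy body flag."""
import json

# Constructed sample volume types: name -> extra specs (assumption, not a real cloud).
VOLUME_TYPES = {
    "lvm": {},
    "multiattach-lvm": {"multiattach": "<is> True"},
}
# volume:multiattach default: member or admin may create, reader may not.
MULTIATTACH_ROLES = {"admin", "member"}


def type_allows_multiattach(volume_type):
    """True only if the type carries the extra spec multiattach="<is> True"."""
    specs = VOLUME_TYPES.get(volume_type) or {}
    return specs.get("multiattach", "").strip().lower() == "<is> true"


def resolve_multiattach(raw_body, roles):
    """Return the multiattach value the server should store for a create request.

    Raises ValueError if the request tries to set the flag directly (the
    bypass described in the thread) and PermissionError if the policy does
    not allow the caller to create a multiattach volume.
    """
    vol = json.loads(raw_body).get("volume", {})
    if "multiattach" in vol:
        raise ValueError("'multiattach' is not an accepted request field; "
                         "use a volume type with multiattach='<is> True'")
    wants = type_allows_multiattach(vol.get("volume_type"))
    if wants and not MULTIATTACH_ROLES & set(roles):
        raise PermissionError("policy volume:multiattach denies this caller")
    return wants


def audit_volumes(volumes):
    """IDs of volumes flagged multiattach whose type does not permit it."""
    return [v["id"] for v in volumes
            if v["multiattach"] and not type_allows_multiattach(v["volume_type"])]


if __name__ == "__main__":
    # Constructed records; "vol-2" mirrors a volume created via the raw API flag.
    sample = [
        {"id": "vol-1", "volume_type": "multiattach-lvm", "multiattach": True},
        {"id": "vol-2", "volume_type": None, "multiattach": True},
    ]
    print(audit_volumes(sample))  # → ['vol-2']
```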