[kolla] [train] [cinder] Volume multiattach exposed to non-admin users via API
Albert Braden
ozzzo at yahoo.com
Thu Feb 23 14:37:40 UTC 2023
Opened https://bugs.launchpad.net/cinder/+bug/2008259
On Thursday, February 23, 2023, 04:41:10 AM EST, Rajat Dhasmana <rdhasman at redhat.com> wrote:
Hi,
It looks like there is a confusion between 3 things1) Multiattach volume type2) multiattach flag on the volume3) The policy volume:multiattach
I will try to briefly describe all of the 3 so there is clarity on the issue.1) Multiattach volume type: This is a volume type created with an extra spec multiattach="<is> True". This allows multiattach volumes to be created by using this type.Previously we used to allow a parameter --allow-multiattach while creating the volume. This was deprecated in Queens and removed in Train in favor of the volume type way of creating the multiattach volume[1].2) Multiattach flag of a volume: This is a parameter of volume that specifies if a volume is multiattach or not.3) volume:multiattach policy: The policy verifies if the user creating a multiattach volume is member or admin (and not reader).
Coming to the issue, I verified that what you're observing is correct. We removed the support for providing the "multiattach" flag from cinderclient and openstackclient but there still exists code on the API side that allows you to provide "multiattach": "True" in the JSON body of a curl command to create a multiattach volume.I will work on fixing the issue on the API side. In the meantime, can you report an issue on launchpad for the same?
https://bugs.launchpad.net/cinder/+filebug
Snippet of curl command$ curl -g -i -X POST http://127.0.0.1/volume/v3/a5df9e29f521464f9158ff7a30b7e51f/volumes -H "Accept: application/json" -H "Content-Type: application/json" -H "User-Agent: python-cinderclient" -H "X-Auth-Token: gAAAAABj9zDtZO1mTld-BC-Yd8FRHDunc4-Xyg1jsgLembA-Ke7cr8aA4kCHHYYB4EPvhq1xL02FBYuXahhYBl_nKWjVbOTpd7R3kS4Libf-Kd9ackaYpWq4Mq4g7-2ORi7FcVg2IOdj3wUkDWegu9lI5PI-brNsAGUh8R1fW_y5bpDYWtfEFdw" -d '{"volume": {"size": 1, "consistencygroup_id": null, "snapshot_id": null, "name": null, "description": null, "volume_type": null, "availability_zone": null, "metadata": {}, "imageRef": null, "source_volid": null, "backup_id": null, "multiattach": "True"}}'
HTTP/1.1 202 Accepted
Date: Thu, 23 Feb 2023 09:25:23 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Type: application/json
x-compute-request-id: req-131b4a2d-f9d4-4d9d-b99c-c52012056dec
Content-Length: 798
OpenStack-API-Version: volume 3.0
Vary: OpenStack-API-Version
x-openstack-request-id: req-131b4a2d-f9d4-4d9d-b99c-c52012056dec
Connection: close
[1] https://github.com/openstack/python-cinderclient/commit/3c1b417959689c85a2f54505057ca995fedca075
ThanksRajat Dhasmana
On Thu, Feb 23, 2023 at 3:08 AM Albert Braden <ozzzo at yahoo.com> wrote:
We didn't create a multi-attach volume type, and when we try to create a multi-attach volume via CLI we aren't able to. It appears that our customer was able to circumvent the restriction by using the API via TF. Is this a bug?
On Wednesday, February 22, 2023, 02:32:57 PM EST, Danny Webb <danny.webb at thehutgroup.com> wrote:
Creating a volume is not the same as creating a volume type. A tenant can consume a volume type that allows multi-attach with no issue as you see in that policy.
From: Albert Braden <ozzzo at yahoo.com>
Sent: 22 February 2023 17:12
To: Openstack-discuss <openstack-discuss at lists.openstack.org>
Subject: [kolla] [train] [cinder] Volume multiattach exposed to non-admin users via API CAUTION: This email originates from outside THG
According to this document [1] multiattach volumes can only be setup if explicitly allowed by creating a “multiattach” volume type.
“Starting from the Queens release the ability to attach a volume to multiple hosts/servers requires that the volume is of a special type that includes an extra-spec capability setting of multiattach=<is> True… Creating a new volume type is an admin-only operation by default.
One of our customers appears to have used TerraForm to create a volume with the multiattach flag set and it worked, and that volume has multiple attachments. When I look here [2] it appears that the default is:
#"volume:multiattach": "rule:xena_system_admin_or_project_member"
So it looks like, by default, any project member can create a multiattach volume. What am I missing?
[1]: https://docs.openstack.org/cinder/latest/admin/volume-multiattach.html
[2]: https://docs.openstack.org/cinder/latest/configuration/block-storage/samples/policy.yaml.html#policy-file
| |
| Danny Webb |
| Principal OpenStack Engineer |
| Danny.Webb at thehutgroup.com |
| |
| |
| www.thg.com |
| |
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.openstack.org/pipermail/openstack-discuss/attachments/20230223/a9cf004e/attachment-0001.htm>
More information about the openstack-discuss
mailing list