Open Stack

---- On Thu, 23 Feb 2023 01:33:12 -0800  Rajat Dhasmana  wrote --- 
 > Hi,
 > It looks like there is a confusion between 3 things1) Multiattach volume type2) multiattach flag on the volume3) The policy volume:multiattach
 > I will try to briefly describe all of the 3 so there is clarity on the issue.1) Multiattach volume type: This is a volume type created with an extra spec multiattach=" True". This allows multiattach volumes to be created by using this type.Previously we used to allow a parameter --allow-multiattach while creating the volume. This was deprecated in Queens and removed in Train in favor of the volume type way of creating the multiattach volume[1].2) Multiattach flag of a volume: This is a parameter of volume that specifies if a volume is multiattach or not.3) volume:multiattach policy: The policy verifies if the user creating a multiattach volume is member or admin (and not reader).
 > Coming to the issue, I verified that what you're observing is correct. We removed the support for providing the "multiattach" flag from cinderclient and openstackclient but there still exists code on the API side that allows you to provide "multiattach": "True" in the JSON body of a curl command to create a multiattach volume.I will work on fixing the issue on the API side. 

I think removing from client is good way to stop exposing this old/not-recommended way to users
but API is separate things and removing the API request parameter 'multiattach' from it can break
the existing users using it this way. Tempest test is one good example of such users use case. To maintain
the backward compatibility/interoperability it should be removed by bumping the microversion so that
it continue working for older microversions. This way we will not break the existing users and will
provide the new way for users to start using.

Similar way in Nova we have lot of deprecated API and we need to keep them for older microversions.
-gmann

In the meantime, can you report an issue on launchpad for the same?
 > https://bugs.launchpad.net/cinder/+filebug
 > 
 > Snippet of curl command$ curl -g -i -X POST http://127.0.0.1/volume/v3/a5df9e29f521464f9158ff7a30b7e51f/volumes -H "Accept: application/json" -H "Content-Type: application/json" -H "User-Agent: python-cinderclient" -H "X-Auth-Token: gAAAAABj9zDtZO1mTld-BC-Yd8FRHDunc4-Xyg1jsgLembA-Ke7cr8aA4kCHHYYB4EPvhq1xL02FBYuXahhYBl_nKWjVbOTpd7R3kS4Libf-Kd9ackaYpWq4Mq4g7-2ORi7FcVg2IOdj3wUkDWegu9lI5PI-brNsAGUh8R1fW_y5bpDYWtfEFdw" -d '{"volume": {"size": 1, "consistencygroup_id": null, "snapshot_id": null, "name": null, "description": null, "volume_type": null, "availability_zone": null, "metadata": {}, "imageRef": null, "source_volid": null, "backup_id": null, "multiattach": "True"}}'
 > HTTP/1.1 202 Accepted
 > Date: Thu, 23 Feb 2023 09:25:23 GMT
 > Server: Apache/2.4.41 (Ubuntu)
 > Content-Type: application/json
 > x-compute-request-id: req-131b4a2d-f9d4-4d9d-b99c-c52012056dec
 > Content-Length: 798
 > OpenStack-API-Version: volume 3.0
 > Vary: OpenStack-API-Version
 > x-openstack-request-id: req-131b4a2d-f9d4-4d9d-b99c-c52012056dec
 > Connection: close
 > 
 > [1] https://github.com/openstack/python-cinderclient/commit/3c1b417959689c85a2f54505057ca995fedca075
 > ThanksRajat Dhasmana
 > On Thu, Feb 23, 2023 at 3:08 AM Albert Braden ozzzo at yahoo.com> wrote:
 >                 We didn't create a multi-attach volume type, and when we try to create a multi-attach volume via CLI we aren't able to. It appears that our customer was able to circumvent the restriction by using the API via TF. Is this a bug?
 >                                                                                                     On Wednesday, February 22, 2023, 02:32:57 PM EST, Danny Webb danny.webb at thehutgroup.com> wrote:                                
 >                 
 >                  Creating a volume is not the same as creating a volume type.  A tenant can consume a volume type that allows multi-attach with no issue as you see in that policy.  
 > 
 > From: Albert Braden ozzzo at yahoo.com>
 > Sent: 22 February 2023 17:12
 > To: Openstack-discuss openstack-discuss at lists.openstack.org>
 > Subject: [kolla] [train] [cinder] Volume multiattach exposed to non-admin users via API CAUTION: This email originates from outside THG
 > 
 > According to this document [1] multiattach volumes can only be setup if explicitly allowed by creating a “multiattach” volume type.
 > 
 > “Starting from the Queens release the ability to attach a volume to multiple hosts/servers requires that the volume is of a special type that includes an extra-spec capability setting of multiattach= True… Creating a new volume type is an admin-only operation by default.
 > 
 > One of our customers appears to have used TerraForm to create a volume with the multiattach flag set and it worked, and that volume has multiple attachments. When I look here [2] it appears that the default is:
 > 
 > #"volume:multiattach": "rule:xena_system_admin_or_project_member"
 > 
 > So it looks like, by default, any project member can create a multiattach volume. What am I missing?
 > 
 > [1]: https://docs.openstack.org/cinder/latest/admin/volume-multiattach.html
 > [2]: https://docs.openstack.org/cinder/latest/configuration/block-storage/samples/policy.yaml.html#policy-file
 >   
 > Danny Webb 
 > Principal OpenStack Engineer 
 > Danny.Webb at thehutgroup.com 
 >  
 >  
 > www.thg.com 
 >   
 >