[kolla] [train] [cinder] Volume multiattach exposed to non-admin users via API

Danny Webb Danny.Webb at thehutgroup.com
Wed Feb 22 19:23:30 UTC 2023


Creating a volume is not the same as creating a volume type. A tenant can consume a volume type that allows multi-attach with no issue, as you see in that policy.
________________________________
From: Albert Braden <ozzzo at yahoo.com>
Sent: 22 February 2023 17:12
To: Openstack-discuss <openstack-discuss at lists.openstack.org>
Subject: [kolla] [train] [cinder] Volume multiattach exposed to non-admin users via API


According to this document [1] multiattach volumes can only be set up if explicitly allowed by creating a “multiattach” volume type.

“Starting from the Queens release the ability to attach a volume to multiple hosts/servers requires that the volume is of a special type that includes an extra-spec capability setting of multiattach=<is> True… Creating a new volume type is an admin-only operation by default.”

One of our customers appears to have used Terraform to create a volume with the multiattach flag set and it worked, and that volume has multiple attachments. When I look here [2] it appears that the default is:

#"volume:multiattach": "rule:xena_system_admin_or_project_member"

So it looks like, by default, any project member can create a multiattach volume. What am I missing?

[1]: https://docs.openstack.org/cinder/latest/admin/volume-multiattach.html
[2]: https://docs.openstack.org/cinder/latest/configuration/block-storage/samples/policy.yaml.html#policy-file

Danny Webb
Principal OpenStack Engineer
Danny.Webb at thehutgroup.com
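
Added example, not part of the original thread and not Cinder's own code: since tenants can consume any volume type visible to them, an operator auditing multiattach exposure looks at the volume types rather than at volume creation. The sketch below classifies the `multiattach` extra spec on each type and reports which projects can use it; the sample data, type names and the rule for treating unparseable values as "review" are assumptions made for illustration.

```python
import json

# Constructed sample shaped like a Cinder "list volume types" response;
# the type names and backend name are made up for illustration.
SAMPLE = json.loads("""
{"volume_types": [
 {"name": "standard", "is_public": true, "extra_specs": {"volume_backend_name": "ceph-ssd"}},
 {"name": "shared-rw", "is_public": true, "extra_specs": {"multiattach": "<is> True"}},
 {"name": "cluster-db", "is_public": false, "extra_specs": {"multiattach": "<is> true"}},
 {"name": "no-share", "is_public": true, "extra_specs": {"multiattach": "<is> False"}},
 {"name": "odd-spec", "is_public": true, "extra_specs": {"multiattach": "True"}}
]}
""")

TRUE_WORDS = {"true", "1", "yes", "on"}
FALSE_WORDS = {"false", "0", "no", "off"}


def multiattach_state(extra_specs):
    # Assumption: the spec uses the documented "<is> True" form. Values that
    # do not parse as "<is> <boolean>" are returned as "review", not guessed.
    raw = (extra_specs or {}).get("multiattach")
    if raw is None:
        return "off"
    parts = str(raw).split()
    if len(parts) == 2 and parts[0] == "<is>":
        word = parts[1].lower()
        if word in TRUE_WORDS:
            return "on"
        if word in FALSE_WORDS:
            return "off"
    return "review"


def audit(volume_types):
    # Report every type whose multiattach spec is on or needs a manual look,
    # with who can consume it: public types are usable by any project.
    findings = []
    for vt in volume_types:
        state = multiattach_state(vt.get("extra_specs"))
        if state != "off":
            scope = "all projects" if vt.get("is_public", True) else "projects granted access"
            findings.append((vt["name"], scope, state))
    return findings


if __name__ == "__main__":
    for name, scope, state in audit(SAMPLE["volume_types"]):
        print(f"{name}: multiattach={state}, usable by {scope}")
```

A public type that reports "on" is one any project member can request when creating a volume; making the type private and granting access per project narrows that.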

