[kolla] [train] [cinder] Volume multiattach exposed to non-admin users via API

Albert Braden ozzzo at yahoo.com
Wed Feb 22 21:33:54 UTC 2023


 We didn't create a multi-attach volume type, and when we try to create a multi-attach volume via CLI we aren't able to. It appears that our customer was able to circumvent the restriction by using the API via TF. Is this a bug?
     On Wednesday, February 22, 2023, 02:32:57 PM EST, Danny Webb <danny.webb at thehutgroup.com> wrote:  
 
Creating a volume is not the same as creating a volume type.  A tenant can consume a volume type that allows multi-attach with no issue as you see in that policy.
From: Albert Braden <ozzzo at yahoo.com>
Sent: 22 February 2023 17:12
To: Openstack-discuss <openstack-discuss at lists.openstack.org>
Subject: [kolla] [train] [cinder] Volume multiattach exposed to non-admin users via API

According to this document [1] multiattach volumes can only be set up if explicitly allowed by creating a “multiattach” volume type.

“Starting from the Queens release the ability to attach a volume to multiple hosts/servers requires that the volume is of a special type that includes an extra-spec capability setting of multiattach=<is> True… Creating a new volume type is an admin-only operation by default.”

One of our customers appears to have used Terraform to create a volume with the multiattach flag set and it worked, and that volume has multiple attachments. When I look here [2] it appears that the default is:

#"volume:multiattach": "rule:xena_system_admin_or_project_member"

So it looks like, by default, any project member can create a multiattach volume. What am I missing?

[1]: https://docs.openstack.org/cinder/latest/admin/volume-multiattach.html
[2]: https://docs.openstack.org/cinder/latest/configuration/block-storage/samples/policy.yaml.html#policy-file

Danny Webb
Principal OpenStack Engineer
Danny.Webb at thehutgroup.com
www.thg.com
  