<div>                We didn't create a multi-attach volume type, and when we try to create a multi-attach volume via CLI we aren't able to. It appears that our customer was able to circumvent the restriction by using the API via TF. Is this a bug?<br>            </div>            <div class="yahoo_quoted" style="margin:10px 0px 0px 0.8ex;border-left:1px solid #ccc;padding-left:1ex;">                        <div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">                                <div>                    On Wednesday, February 22, 2023, 02:32:57 PM EST, Danny Webb <danny.webb@thehutgroup.com> wrote:                </div>                <div><br></div>                <div><br></div>                <div><div id="yiv9135123901"> <style type="text/css">#yiv9135123901 P {margin-top:0;margin-bottom:0;}</style><div dir="ltr"><div style="font-family:Calibri, Arial, Helvetica, sans-serif;font-size:12pt;color:rgb(0, 0, 0);background-color:rgb(255, 255, 255);" class="yiv9135123901elementToProof"><span style="font-family:Calibri, Arial, Helvetica, sans-serif;font-size:12pt;">Creating a volume is not the same as creating a volume type.  A tenant can consume a volume type that allows multi-attach with no issue as you see in that policy.  </span><br></div><div id="yiv9135123901appendonsend"></div><hr style="display:inline-block;width:98%;" tabindex="-1"><div id="yiv9135123901divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt;" color="#000000"><b>From:</b> Albert Braden <ozzzo@yahoo.com><br><b>Sent:</b> 22 February 2023 17:12<br><b>To:</b> Openstack-discuss <openstack-discuss@lists.openstack.org><br><b>Subject:</b> [kolla] [train] [cinder] Volume multiattach exposed to non-admin users via API</font><div> </div></div><div>CAUTION: This email originates from outside THG<br><br>According to this document [1] multiattach volumes can only be setup if explicitly allowed by creating a “multiattach” volume type.<br><br>“Starting from the Queens release the ability to attach a volume to multiple hosts/servers requires that the volume is of a special type that includes an extra-spec capability setting of multiattach=<is> True… Creating a new volume type is an admin-only operation by default.<br><br>One of our customers appears to have used TerraForm to create a volume with the multiattach flag set and it worked, and that volume has multiple attachments. When I look here [2] it appears that the default is:<br><br>#"volume:multiattach": "rule:xena_system_admin_or_project_member"<br><br>So it looks like, by default, any project member can create a multiattach volume. What am I missing?<br><br>[1]: <a href="https://docs.openstack.org/cinder/latest/admin/volume-multiattach.html" target="_blank" rel="noreferrer noopener">https://docs.openstack.org/cinder/latest/admin/volume-multiattach.html</a><br>[2]: <a href="https://docs.openstack.org/cinder/latest/configuration/block-storage/samples/policy.yaml.html#policy-file" target="_blank" rel="noreferrer noopener">https://docs.openstack.org/cinder/latest/configuration/block-storage/samples/policy.yaml.html#policy-file</a><br></div><table style="font-family:'helvetica';font-size:10pt;width:100%;min-height:218.234375px;"><tbody><tr style="min-height:19.625px;"><td style="width:99.1264%;min-height:19.625px;"> </td></tr><tr style="min-height:41.296875px;"><td style="width:99.1264%;min-height:41.296875px;"><span style="font-family:helvetica, arial, sans-serif;font-size:11pt;"><strong>Danny Webb</strong></span></td></tr><tr style="min-height:19.625px;"><td style="width:99.1264%;min-height:19.625px;"><span style="font-family:helvetica, arial, sans-serif;">Principal OpenStack Engineer</span></td></tr><tr style="min-height:19.625px;"><td style="width:99.1264%;min-height:19.625px;"><span style="font-family:helvetica, arial, sans-serif;">Danny.Webb@thehutgroup.com</span></td></tr><tr style="min-height:19.625px;"><td style="width:99.1264%;min-height:19.625px;"><span style="font-family:helvetica, arial, sans-serif;"></span></td></tr><tr style="min-height:36.21875px;"><td style="width:99.1264%;min-height:36.21875px;"><img src="https://dl8hes3yo0qpy.cloudfront.net/wp-content/uploads/2020/06/01092449/thg-ingenuity-logo-3.svg" alt="THG Ingenuity Logo" width="227" height="27"></td></tr><tr style="min-height:19.625px;font-size:11pt;"><td style="width:99.1264%;min-height:19.625px;"><span style="font-family:helvetica, arial, sans-serif;"><a title="THG Website" href="https://www.thg.com" target="_blank" rel="noreferrer noopener">www.thg.com</a></span></td></tr><tr style="min-height:42.59375px;"><td style="min-height:42.59375px;"><a href="https://www.linkedin.com/company/thg-ingenuity/?originalSubdomain=uk" target="_blank" rel="noreferrer noopener"><img src="https://i.imgur.com/wbpVRW6.png" alt="" width="25" height="25"></a> <a href="https://twitter.com/thgingenuity?lang=en" target="_blank" rel="noreferrer noopener"><img src="https://i.imgur.com/c3040tr.png" alt="" width="25" height="25"></a></td></tr></tbody></table></div></div></div>            </div>                </div>