force detach should be an admin api as force delete api

Hi Ling-yun, thanks for the report. I'm not sure I understand completely, but the force-detach call is for admins only with the authorize check https://github.com/openstack/cinder/blob/milestone-proposed/cinder/api/contrib/admin_actions.py#L139

Fix proposed to branch: master
Review: https://review.openstack.org/85931

To Mike Perez (thingee) :
By looking into policy.json, I haven't found the defintion rule about force detach, which will use the default rule---"default": [["rule:admin_or_owner"]].
Admins and owners can call the force detach api.

Force detach api should only be called admin, so I report this bug.

Hi Ling-yun that makes sense, thanks!

Just a thought, if owner was previous able to do this since Grizzily, is this a disruptive change? Nothing mentioned in the api guideline changes. Might be worth bringing up on list maybe?

Mike,

I think it depends on whether you see this as having been a security bug ... It was accidental that this was allowed ... versus this being a functional change.

In the case of a force delete, I believe that that is limited to the admin user because then it is likely that additional cleanup will be required after the force delete is done. I am less familiar with the force detach. Is there cleanup that may be required after a force detach? If so, then this seems like a security issue that should be changed to be consistent with force delete regardless of external usage. Otherwise, it would require additional discussion.

I skimmed through all drivers roughly and found non of drivers actually honor the 'force' flag in 'terminate_connection()' call for now. So technically calling a force_detach() is just like calling terminate_connection() and then detach(), which volume owners are allowed to do. That probably means there wasn't any cleanup for admin to do after calling force_detach().

I am for enforcing this API by requiring admin role, 'cos I don't think users actually use this API that much. But we should bringing this up in ML to gather more input from real production experience.

Reviewed: https://review.openstack.org/85931
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=3af76d3677641c6e32b7dc0ef71ec464fb336a8f
Submitter: Jenkins
Branch: master

commit 3af76d3677641c6e32b7dc0ef71ec464fb336a8f
Author: ling-yun <email address hidden>
Date: Tue Apr 8 13:03:14 2014 +0800

    Force detach should only be an admin api

    Since force delete volume apis are only admin apis, force detach volume api
    should also be an admin only api. Currently, the force detach api,
    which uses the default rule in policy.json, can be called by admins and owners.
    This patch make force detach volume api an admin only api like force
    delete volume.

    Closes-Bug: #1303882
    Change-Id: I12f927e816a5ba6809da9a27ac4ad150546286a1

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/88539