"nova volume-attach" should not allow attachment of cinder volume of other project to the instance of admin project

Bug #1683770 reported by Md Nadeem
This bug affects 1 person
Affects: OpenStack Compute (nova)
Status: Won't Fix
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

Description of problem:

The cinder volume created in another project is not visible under the admin project. Similarly, the nova CLI should not allow attaching another project's volume to an admin project instance. Horizon does not permit this kind of operation; however, the nova CLI allows it.

Further, on the other project's side, the volume status shows
"Attached to None on /dev/vdX", which is also a confusing status.

However "nova volume-attach" command

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create volume demo-vol1 (Tenant).
2. Create VM admin-vm1 (Admin).
3. Source admin credentials.
4. Use the nova volume-attach command to attach admin-vm1 to demo-vol1.
5. Open horizon -> under Tenant -> volume.
See that the volume displays as attached to "None".

Actual results:

Expected results:

The operation should not be allowed, as demo-vol1 should not be visible under the admin project.

Tags: volumes
Bhagyashri Shewale (bhagyashri-shewale) wrote :

Hi all,

I have tried to reproduce this bug in my environment as per the steps mentioned in the bug,
but the volume Status is shown as "in-use" and Attached To is shown as /dev/vdc on admin_int1.

The steps that I followed are as below:

1. $ source ~/devstack/openrc admin demo

2. Create volume demo-vol1 (Tenant).

 $ cinder create 1 --name test

3. Create VM admin-vm1 (Admin).

 $ source ~/devstack/openrc admin admin

 $ nova boot --flavor <flavor_id> --image <image_id> admin-vm1

4. Source admin credentials.

5. Use the nova volume-attach command to attach admin-vm1 to demo-vol1.

 $ nova volume_attach admin-vm1 demo-vol1

6. Open horizon -> under Tenant -> volume.

 See that the volume displays as attached to /dev/vdc on admin_int1.

tags: added: volumes
Sean Dague (sdague) wrote :

If nova cli allows you to do that, it means the REST API allows you to do that. Permissions should not be done on the client side as they can be circumvented with curl.

This looks like it's a permissions issue on the server side where you'd like a different policy?

Changed in nova:
status: New → Won't Fix
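
The point made in the last comment, as an added example that is not part of the original report and is not Nova or Cinder code: a dashboard hiding a volume is only a client-side filter, while the attach outcome is decided by whatever rule the server evaluates. The rule names, policy tables and function names below are hypothetical, and the sample data is constructed from the names used in the report.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised by the server-side check; a client cannot suppress it."""

@dataclass(frozen=True)
class Context:
    project_id: str
    roles: frozenset

@dataclass(frozen=True)
class Volume:
    name: str
    project_id: str

# Hypothetical rule names and policy tables, constructed for this example.
ADMIN_OR_OWNER = {"volume:attach": "admin_or_owner"}
OWNER_ONLY = {"volume:attach": "owner"}

def authorize(policy, action, ctx, owner_project_id):
    """Evaluate one rule against the caller's context; unknown actions are denied."""
    rule = policy.get(action)
    is_owner = ctx.project_id == owner_project_id
    if rule == "owner":
        return is_owner
    if rule == "admin_or_owner":
        return is_owner or "admin" in ctx.roles
    return False

def ui_visible_volumes(ctx, volumes):
    """Client-side convenience filter (what a dashboard lists). Not enforcement."""
    return [v for v in volumes if v.project_id == ctx.project_id]

def api_attach(policy, ctx, instance_name, volume):
    """Server-side handler: every client (CLI, dashboard, curl) ends up here."""
    if not authorize(policy, "volume:attach", ctx, volume.project_id):
        raise Forbidden(f"{ctx.project_id} may not attach {volume.name}")
    return f"{volume.name} attached to {instance_name}"

def attach_outcome(policy, ctx, instance_name, volume):
    """Return the handler's result, or 'forbidden' when the server rejects the call."""
    try:
        return api_attach(policy, ctx, instance_name, volume)
    except Forbidden:
        return "forbidden"

# Constructed sample data matching the names used in the report.
ADMIN = Context("admin", frozenset({"admin"}))
DEMO_VOL1 = Volume("demo-vol1", "demo")
```

With the admin-or-owner rule the admin context attaches demo-vol1 even though the client-side filter never lists it; only switching the server-side rule to owner-only changes the outcome.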