User with Reader role can extend/reserve/retype/unreserve/update_readonly volume

Bug #2020261 reported by Evelina Shames
Affects: Cinder
Status: New
Importance: Low
Assigned to: Brian Rosmaita
Milestone:

Bug Description

A user with a reader role can extend, reserve, retype, unreserve, and update_readonly a volume, while these operations should be forbidden for a reader role.

extend:
2023-05-19 15:28:24,029 90285 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_extend_volume): 202 POST https://173.231.255.168/volume/v3/69772943f27d4a20b2b7cb007e2197bf/volumes/1d57d984-3c2d-464d-bdd9-a0fa27baf523/action 0.170s
2023-05-19 15:28:24,029 90285 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'X-Auth-Token': '<omitted>'}
        Body: {"os-extend": {"new_size": 2}}
    Response - Headers: {'date': 'Fri, 19 May 2023 15:28:23 GMT', 'server': 'Apache/2.4.52 (Ubuntu)', 'x-compute-request-id': 'req-1ff74c45-c63a-433b-a9a5-f1e37e567fdc', 'content-length': '0', 'content-type': 'application/json', 'openstack-api-version': 'volume 3.0', 'vary': 'OpenStack-API-Version', 'x-openstack-request-id': 'req-1ff74c45-c63a-433b-a9a5-f1e37e567fdc', 'connection': 'close', 'status': '202', 'content-location': 'https://173.231.255.168/volume/v3/69772943f27d4a20b2b7cb007e2197bf/volumes/1d57d984-3c2d-464d-bdd9-a0fa27baf523/action'}
        Body: b''

reserve:
2023-05-19 15:28:28,859 90285 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_reserve_volume): 202 POST https://173.231.255.168/volume/v3/69772943f27d4a20b2b7cb007e2197bf/volumes/0740cbe7-17c9-455f-a4b2-728c9d8c1ba9/action 0.034s
2023-05-19 15:28:28,859 90285 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'X-Auth-Token': '<omitted>'}
        Body: {"os-reserve": {}}
    Response - Headers: {'date': 'Fri, 19 May 2023 15:28:28 GMT', 'server': 'Apache/2.4.52 (Ubuntu)', 'x-compute-request-id': 'req-5e428ea6-a6b0-456c-9ec1-4472537bce71', 'content-length': '0', 'content-type': 'application/json', 'openstack-api-version': 'volume 3.0', 'vary': 'OpenStack-API-Version', 'x-openstack-request-id': 'req-5e428ea6-a6b0-456c-9ec1-4472537bce71', 'connection': 'close', 'status': '202', 'content-location': 'https://173.231.255.168/volume/v3/69772943f27d4a20b2b7cb007e2197bf/volumes/0740cbe7-17c9-455f-a4b2-728c9d8c1ba9/action'}
        Body: b''

unreserve:
2023-05-19 15:28:37,449 90285 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_unreserve_volume): 202 POST https://173.231.255.168/volume/v3/69772943f27d4a20b2b7cb007e2197bf/volumes/e064d6cb-a92c-4f07-97b1-d781f8353be1/action 0.027s
2023-05-19 15:28:37,449 90285 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'X-Auth-Token': '<omitted>'}
        Body: {"os-unreserve": {}}
    Response - Headers: {'date': 'Fri, 19 May 2023 15:28:37 GMT', 'server': 'Apache/2.4.52 (Ubuntu)', 'x-compute-request-id': 'req-585d933c-eaa6-44bb-bf94-9f82d6f674fe', 'content-length': '0', 'content-type': 'application/json', 'openstack-api-version': 'volume 3.0', 'vary': 'OpenStack-API-Version', 'x-openstack-request-id': 'req-585d933c-eaa6-44bb-bf94-9f82d6f674fe', 'connection': 'close', 'status': '202', 'content-location': 'https://173.231.255.168/volume/v3/69772943f27d4a20b2b7cb007e2197bf/volumes/e064d6cb-a92c-4f07-97b1-d781f8353be1/action'}
        Body: b''

update_readonly:
2023-05-19 15:28:40,983 90285 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_update_volume_readonly): 202 POST https://173.231.255.168/volume/v3/69772943f27d4a20b2b7cb007e2197bf/volumes/7af6233a-95a7-4c62-a043-9403b622c752/action 0.087s
2023-05-19 15:28:40,984 90285 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'X-Auth-Token': '<omitted>'}
        Body: {"os-update_readonly_flag": {"readonly": true}}
    Response - Headers: {'date': 'Fri, 19 May 2023 15:28:40 GMT', 'server': 'Apache/2.4.52 (Ubuntu)', 'x-compute-request-id': 'req-76b0ff42-acd1-4f55-979f-d1a10a78a58e', 'content-length': '0', 'content-type': 'application/json', 'openstack-api-version': 'volume 3.0', 'vary': 'OpenStack-API-Version', 'x-openstack-request-id': 'req-76b0ff42-acd1-4f55-979f-d1a10a78a58e', 'connection': 'close', 'status': '202', 'content-location': 'https://173.231.255.168/volume/v3/69772943f27d4a20b2b7cb007e2197bf/volumes/7af6233a-95a7-4c62-a043-9403b622c752/action'}
        Body: b''

These issues were found while adding Volume Actions tests for srbac:
https://review.opendev.org/c/openstack/cinder-tempest-plugin/+/883182

Tags: rbac
Changed in cinder:
importance: Undecided → Low
tags: added: rbac
Yosi Ben Shimon (ybenshim) wrote :

The same issue happens for:
- attach_volume
- detach_volume
- remove_image_metadata
- set_bootable_volume
- set_image_metadata
- terminate_volume_attachment

tests for "reader" role.

attach_volume:
2023-07-26 07:21:22,293 91796 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_attach_volume): 202 POST https://10.209.128.25/volume/v3/58abb29ef9fd4c26a93f0caf6d20ebdf/volumes/f227cc6e-bb47-4626-a1da-116cd4ff169e/action 0.273s
2023-07-26 07:21:22,293 91796 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'X-Auth-Token': '<omitted>'}
        Body: {"os-attach": {"instance_uuid": "1c79a19c-cb1b-4956-bd88-533f3ce29555", "mountpoint": "/dev/vdb"}}
    Response - Headers: {'date': 'Wed, 26 Jul 2023 07:21:22 GMT', 'server': 'Apache/2.4.52 (Ubuntu)', 'x-compute-request-id': 'req-41b8bdec-9d6e-4d17-96b2-1400df8ababe', 'content-length': '0', 'content-type': 'application/json', 'openstack-api-version': 'volume 3.0', 'vary': 'OpenStack-API-Version', 'x-openstack-request-id': 'req-41b8bdec-9d6e-4d17-96b2-1400df8ababe', 'connection': 'close', 'status': '202', 'content-location': 'https://10.209.128.25/volume/v3/58abb29ef9fd4c26a93f0caf6d20ebdf/volumes/f227cc6e-bb47-4626-a1da-116cd4ff169e/action'}
        Body: b''

detach_volume:
2023-07-26 07:21:32,118 91796 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_detach_volume): 202 POST https://10.209.128.25/volume/v3/58abb29ef9fd4c26a93f0caf6d20ebdf/volumes/396107fc-32ba-4a31-981c-3e91c7547117/action 0.100s
2023-07-26 07:21:32,118 91796 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'X-Auth-Token': '<omitted>'}
        Body: {"os-detach": {}}
    Response - Headers: {'date': 'Wed, 26 Jul 2023 07:21:32 GMT', 'server': 'Apache/2.4.52 (Ubuntu)', 'x-compute-request-id': 'req-161783a1-806b-4e14-900c-eea643160b3c', 'content-length': '0', 'content-type': 'application/json', 'openstack-api-version': 'volume 3.0', 'vary': 'OpenStack-API-Version', 'x-openstack-request-id': 'req-161783a1-806b-4e14-900c-eea643160b3c', 'connection': 'close', 'status': '202', 'content-location': 'https://10.209.128.25/volume/v3/58abb29ef9fd4c26a93f0caf6d20ebdf/volumes/396107fc-32ba-4a31-981c-3e91c7547117/action'}
        Body: b''

remove_image_metadata:
2023-07-26 07:21:51,752 91796 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_remove_image_metadata): 200 POST https://10.209.128.25/volume/v3/58abb29ef9fd4c26a93f0caf6d20ebdf/volumes/1c1824f2-3151-4c8f-948e-8b74cf345a27/action 0.073s
2023-07-26 07:21:51,752 91796 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'X-Auth-Token': '<omitted>'}
        Body: {"os-unset_image_metadata": {"key": "test_item_key_2"}}
    Response - Headers: {'date': 'Wed, 26 Jul 2023 07:21:51 GMT', 'server': 'Apache/2.4.52 (Ubuntu)', 'content-length': '0', 'content-type': 'text/html; charset=UTF-8', 'openstack-api-version': 'volume 3.0', 'vary': 'OpenStack-API-Version,Accept-Encoding', 'x-openstack-reque...


Changed in cinder:
assignee: nobody → Brian Rosmaita (brian-rosmaita)
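
The log excerpts in this report all follow one pattern: a test class named for the reader persona gets a 2xx answer to a state-changing request. The following added example (not part of the report, and not code from cinder or tempest) scans a tempest log for that pattern. The host, IDs and the ProjectMemberTests entry in the sample are constructed, and matching the persona by the substring "Reader" in the test class name is an assumption based on the ProjectReaderTests name seen above.

```python
import json
import re

# Constructed sample in the tempest rest_client layout quoted in this report;
# host, IDs and the ProjectMemberTests entry are made up for the example.
SAMPLE_LOG = """\
2023-05-19 15:28:24,029 90285 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_extend_volume): 202 POST https://cinder.example.test/volume/v3/PROJ/volumes/VOL-1/action 0.170s
2023-05-19 15:28:24,029 90285 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'X-Auth-Token': '<omitted>'}
        Body: {"os-extend": {"new_size": 2}}
    Response - Headers: {'status': '202'}
        Body: b''
2023-05-19 15:28:25,100 90285 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_list_volumes): 200 GET https://cinder.example.test/volume/v3/PROJ/volumes 0.050s
        Body: None
        Body: b'{"volumes": []}'
2023-05-19 15:28:26,200 90285 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_reserve_volume): 403 POST https://cinder.example.test/volume/v3/PROJ/volumes/VOL-2/action 0.030s
        Body: {"os-reserve": {}}
        Body: b'{"forbidden": {"code": 403}}'
2023-05-19 15:28:27,300 90285 INFO [tempest.lib.common.rest_client] Request (ProjectMemberTests:test_extend_volume): 202 POST https://cinder.example.test/volume/v3/PROJ/volumes/VOL-3/action 0.150s
        Body: {"os-extend": {"new_size": 2}}
"""

REQ = re.compile(r"Request \((?P<cls>\w+):(?P<test>\w+)\): (?P<status>\d{3}) (?P<method>[A-Z]+) (?P<url>\S+)")
REQ_BODY = re.compile(r"^\s+Body: (\{.*\})\s*$")  # response bodies are logged as b'...'

def parse_requests(log_text):
    """Pair each request line with the first key of its JSON request body."""
    records = []
    for line in log_text.splitlines():
        if m := REQ.search(line):
            records.append({**m.groupdict(), "action": None})
        elif (b := REQ_BODY.match(line)) and records and records[-1]["action"] is None:
            try:
                records[-1]["action"] = next(iter(json.loads(b.group(1))), None)
            except json.JSONDecodeError:
                pass  # truncated log line: keep the record, action unknown
    return records

def reader_write_successes(log_text):
    """2xx responses to state-changing requests issued by reader-persona test classes."""
    return [(r["test"], r["action"], int(r["status"]))
            for r in parse_requests(log_text)
            if "Reader" in r["cls"] and r["method"] in {"POST", "PUT", "PATCH", "DELETE"}
            and r["status"].startswith("2")]

if __name__ == "__main__":
    for finding in reader_write_successes(SAMPLE_LOG):
        print(finding)
```

Only the reader's accepted os-extend call is reported; the reader's GET, the 403 on os-reserve and the member's os-extend are not.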