[rbac] Reader user able to delete attachment

Bug #2031506 reported by Yosi Ben Shimon
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Cinder | New | Undecided | Unassigned |

Bug Description

Reader user able to delete attachment.
The expected response code is 403 (forbidden) but the actual response is 200.

From tempest logs:

2023-08-15 19:30:27,232 92236 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_delete_attachment): 200 DELETE https://173.231.255.251/volume/v3/9200baeb49b6446cae8b5cc3167e64c2/attachments/7d840c27-9edd-4ed6-a989-9065aec3e2d6 0.594s
2023-08-15 19:30:27,233 92236 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'Openstack-Api-Version': 'volume 3.27', 'X-Auth-Token': '<omitted>'}
        Body: None
    Response - Headers: {'date': 'Tue, 15 Aug 2023 19:30:26 GMT', 'server': 'Apache/2.4.52 (Ubuntu)', 'content-type': 'application/json', 'x-compute-request-id': 'req-2e3ef9e1-30ff-4a77-8c7f-30bd39cbd2de', 'content-length': '19', 'openstack-api-version': 'volume 3.27', 'vary': 'OpenStack-API-Version', 'x-openstack-request-id': 'req-2e3ef9e1-30ff-4a77-8c7f-30bd39cbd2de', 'connection': 'close', 'status': '200', 'content-location': 'https://173.231.255.251/volume/v3/9200baeb49b6446cae8b5cc3167e64c2/attachments/7d840c27-9edd-4ed6-a989-9065aec3e2d6'}
        Body: b'{"attachments": []}'

Tags: rbac
Takashi Kajinami (kajinamit) wrote:

I've seen similar bug reports but these lack quite fundamental information.

- What is the version of OpenStack (especially cinder) you are using?
- Did you set [oslo_policy] enforce_new_defaults = True in cinder.conf?
- Can you share cinder.conf and any customized policies if you have created ones?
- We may need tempest.conf to ensure that the request is done by a reader role user
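
Added example, not part of the bug report and not code from Cinder or tempest: a small scanner for tempest `rest_client` summary lines in the format quoted above, listing requests where a reader-persona test issued a mutating verb and got a 2xx instead of a denial. The "class name contains Reader" rule, the host name and the ids in the sample are assumptions constructed for illustration.

```python
import re

# Matches the tempest.lib.common.rest_client summary line shown in the report.
REQUEST_RE = re.compile(
    r"Request \((?P<cls>\w+):(?P<test>\w+)\): "
    r"(?P<status>\d{3}) (?P<method>[A-Z]+) (?P<url>\S+)"
)
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}


def find_reader_writes(lines):
    """Return reader-persona requests that mutated state and were not denied.

    Heuristic (assumption): a test class whose name contains "Reader" runs with
    reader credentials, so a mutating verb answered with a 2xx needs review.
    """
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # e.g. the "Request - Headers" DEBUG line
        status = int(m["status"])
        if "Reader" in m["cls"] and m["method"] in MUTATING and 200 <= status < 300:
            # Strip the host and project id; keep the resource path for triage.
            resource = m["url"].split("/v3/", 1)[-1].split("/", 1)[-1]
            findings.append((m["cls"], m["test"], m["method"], status, resource))
    return findings


# Constructed sample in the same format as the log above (ids are placeholders).
SAMPLE_LOG = """\
2023-08-15 19:30:27,232 92236 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_delete_attachment): 200 DELETE https://cinder.example/volume/v3/PROJECT_ID/attachments/ATTACHMENT_ID 0.594s
2023-08-15 19:30:28,101 92236 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_show_attachment): 200 GET https://cinder.example/volume/v3/PROJECT_ID/attachments/ATTACHMENT_ID 0.120s
2023-08-15 19:30:29,412 92236 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_create_attachment): 403 POST https://cinder.example/volume/v3/PROJECT_ID/attachments 0.088s
2023-08-15 19:30:30,007 92236 INFO [tempest.lib.common.rest_client] Request (ProjectMemberTests:test_delete_attachment): 200 DELETE https://cinder.example/volume/v3/PROJECT_ID/attachments/ATTACHMENT_ID 0.601s
""".splitlines()

if __name__ == "__main__":
    for finding in find_reader_writes(SAMPLE_LOG):
        print("reader write allowed:", finding)
```

A hit only shows that the API accepted the call; whether that is a policy defect still depends on the answers to the questions above, in particular the `enforce_new_defaults` setting and which credentials tempest used.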
