[rbac] Reader user can create and update volume metadata as well as update and delete volume metadata-item

Bug #2038369 reported by Yosi Ben Shimon
This bug affects 1 person
Affects: Cinder
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

[rbac] Reader user can create and update volume metadata as well as update and delete volume metadata-item.
These requests should be forbidden for reader.

From the tempest logs:

***** create volume metadata:
2023-10-02 17:24:47,268 92646 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_create_volume_metadata): 200 POST https://10.209.98.161/volume/v3/03b49a9cfb9649b3970b591acb5784c0/volumes/ea38fc7e-575a-4603-b90d-e484c9d4f374/metadata 0.169s
2023-10-02 17:24:47,268 92646 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'Openstack-Api-Version': 'volume 3.12', 'X-Auth-Token': '<omitted>'}
        Body: {"metadata": {"key3": "value3"}}
    Response - Headers: {'date': 'Mon, 02 Oct 2023 17:24:47 GMT', 'server': 'Apache/2.4.52 (Ubuntu)', 'content-type': 'application/json', 'x-compute-request-id': 'req-30616e74-4231-48cc-a8b6-d1b79e43988b', 'content-length': '68', 'openstack-api-version': 'volume 3.12', 'vary': 'OpenStack-API-Version', 'x-openstack-request-id': 'req-30616e74-4231-48cc-a8b6-d1b79e43988b', 'connection': 'close', 'status': '200', 'content-location': 'https://10.209.98.161/volume/v3/03b49a9cfb9649b3970b591acb5784c0/volumes/ea38fc7e-575a-4603-b90d-e484c9d4f374/metadata'}
        Body: b'{"metadata": {"key3": "value3", "key1": "value1", "key2": "value2"}}'

***** delete volume metadata item:
2023-10-02 17:24:51,087 92646 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_delete_volume_metadata_item): 200 DELETE https://10.209.98.161/volume/v3/03b49a9cfb9649b3970b591acb5784c0/volumes/2a938eb0-0cf6-4487-8e8e-728a7c9f0047/metadata/key1 0.074s
2023-10-02 17:24:51,088 92646 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'Openstack-Api-Version': 'volume 3.12', 'X-Auth-Token': '<omitted>'}
        Body: None
    Response - Headers: {'date': 'Mon, 02 Oct 2023 17:24:51 GMT', 'server': 'Apache/2.4.52 (Ubuntu)', 'content-length': '0', 'content-type': 'text/html; charset=UTF-8', 'openstack-api-version': 'volume 3.12', 'vary': 'OpenStack-API-Version,Accept-Encoding', 'x-openstack-request-id': 'req-fb696db0-b29f-4f92-86f2-2c0d60b0484a', 'connection': 'close', 'status': '200', 'content-location': 'https://10.209.98.161/volume/v3/03b49a9cfb9649b3970b591acb5784c0/volumes/2a938eb0-0cf6-4487-8e8e-728a7c9f0047/metadata/key1'}
        Body: b''

***** update volume metadata:
2023-10-02 17:24:54,949 92646 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_update_volume_metadata): 200 PUT https://10.209.98.161/volume/v3/03b49a9cfb9649b3970b591acb5784c0/volumes/4a5d3b9e-2926-487d-a2db-5a6edde8fc16/metadata 0.064s
2023-10-02 17:24:54,949 92646 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'Openstack-Api-Version': 'volume 3.12', 'X-Auth-Token': '<omitted>'}
        Body: {"metadata": {"key3": "value3"}}
    Response - Headers: {'date': 'Mon, 02 Oct 2023 17:24:54 GMT', 'server': 'Apache/2.4.52 (Ubuntu)', 'content-type': 'application/json', 'x-compute-request-id': 'req-309c3c51-73a2-4da5-99e5-4c9e86bd57f7', 'content-length': '32', 'openstack-api-version': 'volume 3.12', 'vary': 'OpenStack-API-Version', 'x-openstack-request-id': 'req-309c3c51-73a2-4da5-99e5-4c9e86bd57f7', 'connection': 'close', 'status': '200', 'content-location': 'https://10.209.98.161/volume/v3/03b49a9cfb9649b3970b591acb5784c0/volumes/4a5d3b9e-2926-487d-a2db-5a6edde8fc16/metadata'}
        Body: b'{"metadata": {"key3": "value3"}}'

***** update volume metadata item:
2023-10-02 17:25:00,783 92646 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_update_volume_metadata_item): 200 PUT https://10.209.98.161/volume/v3/03b49a9cfb9649b3970b591acb5784c0/volumes/7f139f5a-d798-4275-bb7a-ab5d62c3eb3e/metadata/key1 0.056s
2023-10-02 17:25:00,783 92646 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'Openstack-Api-Version': 'volume 3.12', 'X-Auth-Token': '<omitted>'}
        Body: {"meta": {"key1": "value1_updated"}}
    Response - Headers: {'date': 'Mon, 02 Oct 2023 17:25:00 GMT', 'server': 'Apache/2.4.52 (Ubuntu)', 'content-type': 'application/json', 'x-compute-request-id': 'req-79f20a50-a572-4167-89a3-54618fa8d79a', 'content-length': '36', 'openstack-api-version': 'volume 3.12', 'vary': 'OpenStack-API-Version', 'x-openstack-request-id': 'req-79f20a50-a572-4167-89a3-54618fa8d79a', 'connection': 'close', 'status': '200', 'content-location': 'https://10.209.98.161/volume/v3/03b49a9cfb9649b3970b591acb5784c0/volumes/7f139f5a-d798-4275-bb7a-ab5d62c3eb3e/metadata/key1'}
        Body: b'{"meta": {"key1": "value1_updated"}}'

Failures found in this job:
https://zuul.opendev.org/t/openstack/build/b10e920f99ca40cc89dc4638522a180c

Tags: rbac
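
A way to triage a tempest log for the pattern shown in the report, as an added example that is not part of the original bug report or of tempest/Cinder: it flags write requests to the volume metadata endpoints that a reader-persona test class completed with a 2xx status. The function name, the "Reader" class-name marker and the sample lines (placeholder host and IDs, some test names constructed) are assumptions.

```python
import re

# Constructed sample lines in the tempest rest_client INFO format shown in the
# report; host, project ID and volume ID are placeholders.
SAMPLE_LOG = """\
2023-10-02 17:24:47,268 92646 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_create_volume_metadata): 200 POST https://cinder.example/volume/v3/PROJECT_ID/volumes/VOLUME_ID/metadata 0.169s
2023-10-02 17:24:48,001 92646 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_show_volume_metadata): 200 GET https://cinder.example/volume/v3/PROJECT_ID/volumes/VOLUME_ID/metadata 0.050s
2023-10-02 17:24:51,087 92646 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_delete_volume_metadata_item): 200 DELETE https://cinder.example/volume/v3/PROJECT_ID/volumes/VOLUME_ID/metadata/key1 0.074s
2023-10-02 17:24:52,500 92646 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_update_volume_metadata): 403 PUT https://cinder.example/volume/v3/PROJECT_ID/volumes/VOLUME_ID/metadata 0.064s
2023-10-02 17:24:53,000 92646 INFO [tempest.lib.common.rest_client] Request (ProjectMemberTests:test_create_volume_metadata): 200 POST https://cinder.example/volume/v3/PROJECT_ID/volumes/VOLUME_ID/metadata 0.100s
"""

REQUEST_RE = re.compile(
    r"\[tempest\.lib\.common\.rest_client\] Request "
    r"\((?P<cls>\w+):(?P<test>\w+)\): (?P<status>\d{3}) (?P<method>[A-Z]+) (?P<url>\S+)"
)
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}
# Only the metadata collection and metadata-item endpoints named in the report.
METADATA_PATH = re.compile(r"/volumes/[^/]+/metadata(/[^/]+)?$")


def reader_write_violations(log_text, persona_marker="Reader"):
    """Return (test, method, status, path) for each mutating metadata request
    that a reader-persona test class completed with a 2xx status."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue  # DEBUG header/body lines and unrelated output
        if persona_marker not in m["cls"] or m["method"] not in MUTATING:
            continue  # other personas, or read-only requests
        path = re.sub(r"^https?://[^/]+", "", m["url"])
        if METADATA_PATH.search(path) and 200 <= int(m["status"]) < 300:
            findings.append((m["test"], m["method"], int(m["status"]), path))
    return findings


if __name__ == "__main__":
    for finding in reader_write_violations(SAMPLE_LOG):
        print("reader write succeeded:", *finding)
```

The path filter is deliberate: requests issued with other credentials inside the same test (for example, volume setup) may carry the same class:test tag, so matching on the tag alone would over-report.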