Cinder

Cinder volumes are stuck when non admin user executes nova swap volume API

Bug #1522705 reported by Takashi Natsume on 2015-12-04

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Cinder	Invalid	Undecided	Takashi Natsume
	OpenStack Compute (nova)	Fix Released	Medium	Matt Riedemann

Bug Description

Cinder volumes are stuck in attaching/detaching state when non admin user executes nova swap volume API.
Because cinder 'migrate_volume_completion' API can be executed by admin only in default settings of cinder policy.json.
So the default settings of cinder policy.json should be fixed.

[cinder-api.log]
2015-12-04 15:41:51.986 INFO cinder.api.openstack.wsgi [req-44d81e36-299f-4e14-9419-996a2239b1ca 181cd8bc1c004030aec893fc7de79618 722380ff5288483191cd2712cbc99c5d] POST http://10.0.2.15:8776/v2/722380ff5288483191cd2712cbc99c5d/volumes/999a256e-aadf-41b6-88f3-1412e3462cbe/action
2015-12-04 15:41:51.986 DEBUG cinder.api.openstack.wsgi [req-44d81e36-299f-4e14-9419-996a2239b1ca 181cd8bc1c004030aec893fc7de79618 722380ff5288483191cd2712cbc99c5d] Action body: {"os-migrate_volume_completion": {"new_volume": "1c768de0-949f-485f-b914-c430752e2984", "error": false}} from (pid=18203) get_method /opt/stack/cinder/cinder/api/openstack/wsgi.py:1093
2015-12-04 15:41:51.987 INFO cinder.api.openstack.wsgi [req-44d81e36-299f-4e14-9419-996a2239b1ca 181cd8bc1c004030aec893fc7de79618 722380ff5288483191cd2712cbc99c5d] http://10.0.2.15:8776/v2/722380ff5288483191cd2712cbc99c5d/volumes/999a256e-aadf-41b6-88f3-1412e3462cbe/action returned with HTTP 403
2015-12-04 15:41:51.989 INFO eventlet.wsgi.server [req-44d81e36-299f-4e14-9419-996a2239b1ca 181cd8bc1c004030aec893fc7de79618 722380ff5288483191cd2712cbc99c5d] 10.0.2.15 - - [04/Dec/2015 15:41:51] "POST /v2/722380ff5288483191cd2712cbc99c5d/volumes/999a256e-aadf-41b6-88f3-1412e3462cbe/action HTTP/1.1" 403 429 0.005410

[policy.json(cinder)]
The follwong line defines that 'migrate_volume_completion' can be executed by admin only.

"volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api",

[Environment]
nova: commit 7df427fdb4d7a314b79b1e3977aeb86f019b5186(master)
cinder: commit 707902ca482d1653072c2cf419c566cd5fee1f96(master)
OS: Ubuntu 14.04

stack@devstack-master:/opt/devstack$ keystone user-role-list --user demo --tenant demo
+----------------------------------+-------------+----------------------------------+----------------------------------+
| id | name | user_id | tenant_id |
+----------------------------------+-------------+----------------------------------+----------------------------------+
| dec5e6b197d6424bbfb3854f6718cef0 | Member | 181cd8bc1c004030aec893fc7de79618 | 722380ff5288483191cd2712cbc99c5d |
| de75e50dec2e48b4a4c66feef8f53432 | anotherrole | 181cd8bc1c004030aec893fc7de79618 | 722380ff5288483191cd2712cbc99c5d |
+----------------------------------+-------------+----------------------------------+----------------------------------+

Tags:

Takashi Natsume (natsume-takashi) on 2015-12-04

Changed in cinder:
assignee:	nobody → Takashi NATSUME (natsume-takashi)
Changed in nova:
assignee:	nobody → Takashi NATSUME (natsume-takashi)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-12-04: Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/253363

Changed in cinder:
status:	New → In Progress

Fahri Cihan Demirci (cihand) on 2016-01-07

tags:

added: volumes

Revision history for this message

Davanum Srinivas (DIMS) (dims-v) wrote on 2016-03-04:

Is there anything to do in Nova?

Changed in nova:
status:	New → Incomplete

Revision history for this message

Matt Riedemann (mriedem) wrote on 2016-03-31:

ML thread on this issue:

http://lists.openstack.org/pipermail/openstack-dev/2016-March/090957.html

Matt Riedemann (mriedem) on 2016-03-31

Changed in nova:
assignee:	Takashi NATSUME (natsume-takashi) → Matt Riedemann (mriedem)
importance:	Undecided → High
status:	Incomplete → In Progress
importance:	High → Medium
Changed in cinder:
status:	In Progress → Invalid

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-03-31: Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/299715

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-03-31: Change abandoned on cinder (master)

Change abandoned by Takashi NATSUME (<email address hidden>) on branch: master
Review: https://review.openstack.org/253363

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-04-11: Fix merged to nova (master)

Reviewed: https://review.openstack.org/299715
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=f738483e843fc27379b85c5401859ccc854adc5e
Submitter: Jenkins
Branch: master

commit f738483e843fc27379b85c5401859ccc854adc5e
Author: Matt Riedemann <email address hidden>
Date: Wed Mar 30 22:07:47 2016 -0400

Make swap-volume an admin-only API by default

Cinder's volume migration API is, by default, an admin-only operation.
This includes the migrate_volume_completion API.

    When Cinder is doing a volume migration, it calls Nova's swap-volume
    API to detach the old volume that we're migrating from and attach
    the volume that we're migrating to. Then Nova calls Cinder's
    migrate_volume_completion API to signal Nova is done and Cinder
    can finish the volume migration.

    The problem is that swap-volume is not an admin-only API in Nova
    per the default policy. So if a non-admin user tries to perform
    a swap-volume operation, it will fail with a 403 when calling
    Cinder's migrate_volume_completion API, since that requires an
    admin user.

    Also, because of 98739761f17b5e0b32abd8cd262f5beda030f886 we can't
    simply avoid calling migrate_volume_completion for non-migration
    cases because that API handles the actual detach/attach for the old
    and new volumes, swap-volume is broken without calling that.

    So given swap-volume relies on an admin-only Cinder API, and is called
    from an admin-only Cinder operation (volume migration), we should
    just make it default to admin-only also.

Change-Id: Iac03258735f3d856a474ab96fe9b0a087e32906f
Closes-Bug: #1522705

Changed in nova:
status:	In Progress → Fix Released

Revision history for this message

Davanum Srinivas (DIMS) (dims-v) wrote on 2016-06-02: Fix included in openstack/nova 14.0.0.0b1

This issue was fixed in the openstack/nova 14.0.0.0b1 development milestone.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-08-24: Related fix proposed to nova (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/596489

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-08-30: Related fix merged to nova (master)

Reviewed: https://review.openstack.org/596489
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=65d9d4ebc28912437a2d8e7824fd7eec15848862
Submitter: Zuul
Branch: master

commit 65d9d4ebc28912437a2d8e7824fd7eec15848862
Author: Matt Riedemann <email address hidden>
Date: Fri Aug 24 17:28:03 2018 -0400

api-ref: fix volume attachment update policy note

    Since change Iac03258735f3d856a474ab96fe9b0a087e32906f the
    PUT /servers/{server_id}/os-volume_attachments/{volume_id}
    (swap volume) API is admin-only by default. This fixes the
    documentation in the API reference.

Change-Id: I9e7fe40536cf5f03d97eb80fd4459b5a74e92f76
Related-Bug: #1522705

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.