admin role required to attach a volume in Read Only mode

Bug #1704201 reported by Phil Hopkins
This bug affects 2 people
Affects  Status   Importance  Assigned to  Milestone
Cinder   Triaged  Medium      Unassigned

Bug Description

After creating a cinder volume and setting the --read-only flag (either by cinder readonly-mode-update vol2 True or openstack volume set vol2 --read-only), only a user with the admin role can attach such a volume to an instance. If a user that has a _member_ role tries to attach the volume to an instance, the command appears to run correctly but volume attach will eventually fail. Looking in the nova-compute log, the error:

2017-07-13 18:18:15.127 20064 ERROR oslo_messaging.rpc.server File "/usr/lib/python2.7/dist-packages/cinderclient/client.py", line 155, in _cs_request
2017-07-13 18:18:15.127 20064 ERROR oslo_messaging.rpc.server return self.request(url, method, **kwargs)
2017-07-13 18:18:15.127 20064 ERROR oslo_messaging.rpc.server File "/usr/lib/python2.7/dist-packages/cinderclient/client.py", line 144, in request
2017-07-13 18:18:15.127 20064 ERROR oslo_messaging.rpc.server raise exceptions.from_response(resp, body)
2017-07-13 18:18:15.127 20064 ERROR oslo_messaging.rpc.server InvalidInput: Invalid input received: Invalid attaching mode 'rw' for volume a4ffe9b3-a9ba-450a-8809-e874a74a79f9. (HTTP 400)
 (Request-ID: req-8fada1a9-8657-4881-b99b-254415894af3)

shows several times as nova-compute attempts to attach the volume to the instance. If a user with the admin role attaches the same volume to an instance, it succeeds.

I also notice that the only time the read only tag is followed is when it is set in the cinder table: volume_admin_metadata. If it is set in the volume_metadata table it is ignored.

Phil
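
A triage helper for the traceback above, added here as an example and not part of the original report: it counts how often an attach was rejected per volume in a nova-compute log and collects the Request-IDs for lookup on the cinder side. The function and variable names are assumptions, and the retry line with its placeholder Request-ID in SAMPLE is constructed.

```python
import re
from collections import defaultdict

# The Cinder rejection as it appears in the nova-compute traceback.
REJECT = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \d+ ERROR \S+ InvalidInput: "
    r".*Invalid attaching mode '(?P<mode>\w+)' for volume (?P<vol>[0-9a-f-]{36})\."
)
REQ_ID = re.compile(r"\(Request-ID: (req-[0-9a-f-]{36})\)")

def summarize(lines):
    """Group rejected attach attempts by volume ID."""
    out = defaultdict(lambda: {"mode": None, "attempts": 0, "first": None,
                               "last": None, "request_ids": []})
    pending = None  # entry still waiting for its Request-ID
    for line in lines:
        m, r = REJECT.search(line), REQ_ID.search(line)
        if m:
            pending = out[m["vol"]]
            pending["mode"] = m["mode"]
            pending["attempts"] += 1
            pending["first"] = pending["first"] or m["ts"]
            pending["last"] = m["ts"]
        # The Request-ID is on the error line or on the line right after it.
        if r and pending is not None:
            pending["request_ids"].append(r.group(1))
            pending = None
        elif not m:
            pending = None
    return dict(out)

PREFIX = "20064 ERROR oslo_messaging.rpc.server InvalidInput: Invalid input received: "
VOL = "a4ffe9b3-a9ba-450a-8809-e874a74a79f9"
SAMPLE = [
    # First two entries: the error from the report, split over two lines as shown there.
    f"2017-07-13 18:18:15.127 {PREFIX}Invalid attaching mode 'rw' for volume {VOL}. (HTTP 400)",
    " (Request-ID: req-8fada1a9-8657-4881-b99b-254415894af3)",
    # Constructed: a retry with a placeholder Request-ID, then an unrelated line.
    f"2017-07-13 18:18:18.402 {PREFIX}Invalid attaching mode 'rw' for volume {VOL}. (HTTP 400)"
    " (Request-ID: req-00000000-0000-0000-0000-000000000001)",
    "2017-07-13 18:18:19.000 20064 INFO nova.compute.manager unrelated",
]

if __name__ == "__main__":
    for vol, info in summarize(SAMPLE).items():
        print(vol, info)
```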

Matt Riedemann (mriedem) wrote :

This would likely be resolved by this nova spec: https://review.openstack.org/#/c/552078/

Matt Riedemann (mriedem) wrote :

What version of cinder was this reported against?

Matt Riedemann (mriedem) wrote :

> I also notice that the only time the read only tag is followed is when it is set in the cinder table: volume_admin_metadata. If it is set in the volume_metadata table it is ignored.

That's because that is where the API code puts the metadata value:

https://github.com/openstack/cinder/blob/1d31f244c86e2610e19d5d4a2a868f81d52296f4/cinder/volume/api.py#L1608

Matt Riedemann (mriedem) wrote :
Changed in cinder:
status: New → Triaged
importance: Undecided → Medium

Matt Riedemann (mriedem) wrote :

From an outside perspective (to cinder), it seems weird that this is stored as metadata on the volume; I'm not sure why this wouldn't just be an attribute directly on the volumes resource in the data model.

John Griffith (john-griffith) wrote :

At this point I would prefer we don't mess with the metadata method of setting mode any longer and instead move to using a field in the attachment-request. The mode setting described here is less than ideal for a number of reasons. Between the spec on the Nova side proposed by Matt and the WIP for the mode setting in Attach this should be resolved.

Any other fix that we could propose here wouldn't be something that you could back port or make work with an upgrade anyway.
