© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
73416ba
(Get the code!)
The Cinder API shows attached attachments with volume details, and it includes the attached_host information for the attachments, if present, regardless of whether or not an admin token is being used:
https:/
This means a non-admin can see compute host details when a volume is attached to their instance.
This is easily recreatable in devstack:
1. Show that I'm the demo user (can't perform admin things like service-list):
stack@queens:
ERROR (Forbidden): Policy doesn't allow os_compute_
2. Create a server and a volume and attach the volume to the server:
stack@queens:
+------
| Property | Value |
+------
| device | /dev/vdb |
| id | 373c2a29-
| serverId | 43bc2379-
| volumeId | 373c2a29-
+------
stack@queens:
+------
| ID | Name | Status | Size | Attached to |
+------
| 373c2a29-
3. Show the volume details to see the attachment and the attached_host:
stack@queens:
+------
| Field | Value |
+------
| attachments | [{u'server_id': u'43bc2379-
You can see that the host_name is in the response and the value is "queens" which is the compute hostname on this single-node install:
stack@queens:
queens
This is using LVM by default with devstack. I tried the same thing against vexxhost and host_name came back as None, so it might be backend-specific (vexxhost is using Rbd).
This is the vexxhost output for the same scenario:
(vexxhost) user@ubuntu:~$ openstack volume show test-vol1
+------
| Field | Value |
+------
| attachments | [{u'server_id': u'd1643bfb-
--
This has been around since Havana: https:/
This is significant because the default compute API policy is to not show the compute host/node information for a server instance for non-admin users, but with this exposure in the Cinder API, non-admin users can get around that restriction (potentially - again, it seems to depend on volume backend) to see the compute host on which the volume is attached.