The Cinder API shows attached attachments with volume details, and it includes the attached_host information for the attachments, if present, regardless of whether or not an admin token is being used:
This means a non-admin can see compute host details when a volume is attached to their instance.
This is easily recreatable in devstack:
1. Show that I'm the demo user (can't perform admin things like service-list):
stack@queens:~/devstack$ nova service-list
ERROR (Forbidden): Policy doesn't allow os_compute_api:os-services to be performed. (HTTP 403) (Request-ID: req-9e4c01ef-6bf4-41af-9768-26936f137640)
2. Create a server and a volume and attach the volume to the server:
stack@queens:~/devstack$ nova volume-attach test-server1 373c2a29-f6e7-4931-adda-6b87a193e9f9
+----------+--------------------------------------+
| Property | Value |
+----------+--------------------------------------+
| device | /dev/vdb |
| id | 373c2a29-f6e7-4931-adda-6b87a193e9f9 |
| serverId | 43bc2379-86d5-49b2-a87c-5351e19ca69c |
| volumeId | 373c2a29-f6e7-4931-adda-6b87a193e9f9 |
+----------+--------------------------------------+
stack@queens:~/devstack$ openstack volume list
+--------------------------------------+------------------+--------+------+---------------------------------------+
| ID | Name | Status | Size | Attached to |
+--------------------------------------+------------------+--------+------+---------------------------------------+
| 373c2a29-f6e7-4931-adda-6b87a193e9f9 | test-vol1 | in-use | 1 | Attached to test-server1 on /dev/vdb |
3. Show the volume details to see the attachment and the attached_host:
stack@queens:~/devstack$ openstack volume show test-vol1
+------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| attachments | [{u'server_id': u'43bc2379-86d5-49b2-a87c-5351e19ca69c', u'attachment_id': u'95dbfdd8-a615-4c66-a32a-79dc0dfd344e', u'attached_at': u'2018-01-02T21:37:57.000000', u'host_name': u'queens', u'volume_id': u'373c2a29-f6e7-4931-adda-6b87a193e9f9', u'device': u'/dev/vdb', u'id': u'373c2a29-f6e7-4931-adda-6b87a193e9f9'}] |
You can see that the host_name is in the response and the value is "queens" which is the compute hostname on this single-node install:
stack@queens:~/devstack$ sudo hostname
queens
This is using LVM by default with devstack. I tried the same thing against vexxhost and host_name came back as None, so it might be backend-specific (vexxhost is using Rbd).
This is the vexxhost output for the same scenario:
This is significant because the default compute API policy is to not show the compute host/node information for a server instance for non-admin users, but with this exposure in the Cinder API, non-admin users can get around that restriction (potentially - again, it seems to depend on volume backend) to see the compute host on which the volume is attached.
The Cinder API shows attached attachments with volume details, and it includes the attached_host information for the attachments, if present, regardless of whether or not an admin token is being used:
https:/ /github. com/openstack/ cinder/ blob/a95c9e5668 f6a7596e0198cca 2b6b7fef20ab3e9 /cinder/ api/v2/ views/volumes. py#L126
This means a non-admin can see compute host details when a volume is attached to their instance.
This is easily recreatable in devstack:
1. Show that I'm the demo user (can't perform admin things like service-list):
stack@queens: ~/devstack$ nova service-list api:os- services to be performed. (HTTP 403) (Request-ID: req-9e4c01ef- 6bf4-41af- 9768-26936f1376 40)
ERROR (Forbidden): Policy doesn't allow os_compute_
2. Create a server and a volume and attach the volume to the server:
stack@queens: ~/devstack$ nova volume-attach test-server1 373c2a29- f6e7-4931- adda-6b87a193e9 f9 ----+-- ------- ------- ------- ------- ------- -+ ----+-- ------- ------- ------- ------- ------- -+ f6e7-4931- adda-6b87a193e9 f9 | 86d5-49b2- a87c-5351e19ca6 9c | f6e7-4931- adda-6b87a193e9 f9 | ----+-- ------- ------- ------- ------- ------- -+ ~/devstack$ openstack volume list ------- ------- ------- ------- ----+-- ------- ------- --+---- ----+-- ----+-- ------- ------- ------- ------- ------- --+ ------- ------- ------- ------- ----+-- ------- ------- --+---- ----+-- ----+-- ------- ------- ------- ------- ------- --+ f6e7-4931- adda-6b87a193e9 f9 | test-vol1 | in-use | 1 | Attached to test-server1 on /dev/vdb |
+------
| Property | Value |
+------
| device | /dev/vdb |
| id | 373c2a29-
| serverId | 43bc2379-
| volumeId | 373c2a29-
+------
stack@queens:
+------
| ID | Name | Status | Size | Attached to |
+------
| 373c2a29-
3. Show the volume details to see the attachment and the attached_host:
stack@queens: ~/devstack$ openstack volume show test-vol1 ------- ------- ------- ---+--- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------+ ------- ------- ------- ---+--- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------+ 86d5-49b2- a87c-5351e19ca6 9c', u'attachment_id': u'95dbfdd8- a615-4c66- a32a-79dc0dfd34 4e', u'attached_at': u'2018- 01-02T21: 37:57.000000' , u'host_name': u'queens', u'volume_id': u'373c2a29- f6e7-4931- adda-6b87a193e9 f9', u'device': u'/dev/vdb', u'id': u'373c2a29- f6e7-4931- adda-6b87a193e9 f9'}] |
+------
| Field | Value |
+------
| attachments | [{u'server_id': u'43bc2379-
You can see that the host_name is in the response and the value is "queens" which is the compute hostname on this single-node install:
stack@queens: ~/devstack$ sudo hostname
queens
This is using LVM by default with devstack. I tried the same thing against vexxhost and host_name came back as None, so it might be backend-specific (vexxhost is using Rbd).
This is the vexxhost output for the same scenario:
(vexxhost) user@ubuntu:~$ openstack volume show test-vol1 ------- ------- ------- ---+--- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- -+ ------- ------- ------- ---+--- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- ------- -+ 1701-4adc- 9980-c2553203d1 f8', u'attachment_id': u'3e14b74b- 7ee3-4fd8- 9b8d-7a86be17cf f9', u'attached_at': u'2018- 01-02T21: 48:32.000000' , u'host_name': None, u'volume_id': u'588f0fdf- 1531-44e7- 8d92-16d4150c36 34', u'device': u'/dev/vdb', u'id': u'588f0fdf- 1531-44e7- 8d92-16d4150c36 34'}] |
+------
| Field | Value |
+------
| attachments | [{u'server_id': u'd1643bfb-
--
This has been around since Havana: https:/ /review. openstack. org/#/c/ 34125/
This is significant because the default compute API policy is to not show the compute host/node information for a server instance for non-admin users, but with this exposure in the Cinder API, non-admin users can get around that restriction (potentially - again, it seems to depend on volume backend) to see the compute host on which the volume is attached.