Create x Update Volume Metadata in Cinder Backend

Bug #1929606 reported by Rogerio Oliveira Ferraz
Affects: Cinder
Status: In Progress
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Brief Description

For a user, namely "user12", who is allowed to CREATE, but not UPDATE, volume metadata, as defined in the RBAC policy, the user's attempt to modify existing volume metadata should fail. However, the user can modify volume metadata using either the Cinder CLI or the Horizon GUI, and the system does not stop it. From a hardening perspective, the Cinder backend should prevent it, in order to avoid the risk of policy violation, intentional or unintentional, by misuse of the Cinder API.

Steps to Reproduce

In Horizon GUI (it fails on step 6):

1. Log in as user12. Go to Project > Volumes > Volumes;
2. Ensure the "+ New Volume" button appears;
3. Create a new volume called volume12;
4. Make sure you can view volume12 on the list of volumes and that you can see its details by clicking on it;
5. On the "Actions" dropdown menu, click on the down arrow for volume12 and choose Update Metadata. Add a custom metadata item to the volume, save;
6. Make sure you are unable to update the metadata you created or delete it.

In Cinder CLI (it fails on step 3):

$ openstack volume create --image <source-image> volume12 # 1. Create volume12
$ cinder metadata volume12 set x=1 # 2. Create new volume metadata
$ cinder metadata volume12 set x=2 # 3. Update volume metadata: command should fail

Expected Behavior

After taking the steps written above, it is expected that "user12" cannot update the volume metadata he/she created.

Actual Behavior

The actual behavior is that "user12" can update the volume metadata he/she created.

Reproducibility

The issue is 100% reproducible.

Solution

The following solution can be implemented by means of a patch.

By design, both clients, the Cinder CLI and the Horizon GUI, use the CREATE method of the Cinder API to create and/or update volume metadata. Upon reception of the CREATE method, with a single or multiple volume metadata items, Cinder shall verify whether ALL the received volume metadata is new, or whether SOME of the volume metadata already exists. If all volume metadata is new, Cinder shall proceed as for the handling of the CREATE method (use_create=True). Otherwise, Cinder shall proceed as for the handling of the UPDATE method (use_create=False).

https://github.com/openstack/cinder/blob/master/cinder/api/v2/volume_metadata.py

    # Resulting create() method; the decorator is the one cinder already
    # has on this method in cinder/api/v2/volume_metadata.py.
    @validation.schema(metadata.create)
    def create(self, req, volume_id, body):
        context = req.environ['cinder.context']
        metadata = body['metadata']

        # Split the request against what is already stored for the volume:
        # keys not present yet are creates, keys whose value would change
        # are updates; keys re-sent with their current value are neither.
        old_metadata = self.volume_api.get_volume_metadata(
            context, volume_id)
        created_metadata = {k: v for k, v in metadata.items()
                            if k not in old_metadata}
        challenge_metadata = {k: v for k, v in metadata.items()
                              if k not in created_metadata}
        updated_metadata = {k: v for k, v in challenge_metadata.items()
                            if challenge_metadata[k] != old_metadata[k]}

        if updated_metadata:
            # Some existing value changes: handle the request as UPDATE so
            # the update policy is enforced. New keys from the same request
            # are carried along so they are not silently dropped.
            new_metadata = self._update_volume_metadata(
                context, volume_id,
                {**created_metadata, **updated_metadata}, delete=False,
                use_create=False)
        else:
            # Every key is new (or unchanged): handle the request as CREATE.
            new_metadata = self._update_volume_metadata(context, volume_id,
                                                        created_metadata,
                                                        delete=False,
                                                        use_create=True)
        return {'metadata': new_metadata}
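The classification rule described in the Solution, as an added stand-alone model (not cinder's own code): a single create_or_update() entry point stands in for the API's "create metadata for volume" call, splits the request against the stored metadata, and enforces either the create or the update policy before writing. The policy table, the role names ("creator", "member") and the in-memory store are constructed for the example; the two policy names follow cinder's volume metadata policy names but the table itself is an assumption.

```python
"""Added example, not Cinder's own code: a minimal model of the backend
check proposed in this report.  One entry point classifies the request
against the stored metadata and enforces the create or the update policy
accordingly, so a create-only user cannot change existing keys."""


class PolicyNotAuthorized(Exception):
    """Raised when the caller's roles do not satisfy the required policy."""


# Constructed policy table (an assumption, not cinder's policy.yaml):
# 'creator' may only add metadata, 'member' may add and modify it.
POLICY = {
    "volume:create_volume_metadata": {"creator", "member"},
    "volume:update_volume_metadata": {"member"},
}


def enforce(action, roles):
    """Deny unless at least one of the caller's roles is allowed the action."""
    if not set(roles) & POLICY[action]:
        raise PolicyNotAuthorized(f"{action} denied for roles {sorted(roles)}")


def split_metadata(old, requested):
    """Partition a request into keys that are new and keys whose stored
    value would change.  Keys re-sent with their current value fall in
    neither set, so an idempotent re-send is not treated as an update."""
    created = {k: v for k, v in requested.items() if k not in old}
    updated = {k: v for k, v in requested.items()
               if k in old and old[k] != v}
    return created, updated


def create_or_update(store, volume_id, requested, roles):
    """Apply the report's rule: if every key is new, this is a create;
    if any existing key would change, the whole request is an update.
    The policy check happens before anything is written."""
    old = dict(store.get(volume_id, {}))
    created, updated = split_metadata(old, requested)
    action = ("volume:update_volume_metadata" if updated
              else "volume:create_volume_metadata")
    enforce(action, roles)
    old.update(created)
    old.update(updated)
    store[volume_id] = old
    return dict(old)


if __name__ == "__main__":
    # Constructed walk-through mirroring the report's CLI steps 2 and 3.
    store = {}
    print(create_or_update(store, "volume12", {"x": "1"}, {"creator"}))
    try:
        create_or_update(store, "volume12", {"x": "2"}, {"creator"})
    except PolicyNotAuthorized as exc:
        print("step 3 rejected:", exc)
```

A request that mixes new keys with a changed existing key is treated as an update as a whole, which is the conservative reading of the rule: a create-only caller is refused rather than having part of the request applied.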

Tags: metadata rbac
Rogerio Oliveira Ferraz (rferrazwrs) wrote :

Refer to Bug Description

description: updated
summary: - RBAC Policy for Create and Update Volume Metadata
+ Create x Update Volume Metadata in Cinder Backend
tags: added: metadata
Changed in cinder:
importance: Undecided → Medium
Brian Rosmaita (brian-rosmaita) wrote :

This is actually a feature request. The "Create metadata for volume" operation in cinder is defined as: "Creates or replaces metadata for a volume. Does not modify items that are not in the request", so it is working as designed.

https://docs.openstack.org/api-ref/block-storage/v3/?expanded=create-metadata-for-volume-detail#create-metadata-for-volume

Changed in cinder:
importance: Medium → Wishlist
status: New → Triaged
Rogerio Oliveira Ferraz (rferrazwrs) wrote :

Handling separate create and update actions, due to different RBAC policies, is not new in Cinder.

https://bugs.launchpad.net/cinder/+bug/1472042
https://github.com/openstack/cinder/commit/9771c2cd4e32979358f8647e57b4bab355221c0d

The code, as already implemented, was supposed to allow different RBAC policies to work correctly for the actions of creating and updating volume metadata. So this is not a new feature request. It is a request to correct an existing feature.

Rogerio Oliveira Ferraz (rferrazwrs) wrote :

It is a good point that the same interface is used to create or replace metadata for a volume, because the clients do not need to know if the metadata in the request is new data or modified data, but the Cinder backend needs to differentiate those cases, for the correct handling of the corresponding RBAC policies, which are already implemented in the Cinder backend.

description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/cinder/+/817642

Changed in cinder:
status: Triaged → In Progress