Cinder

Volume multiattach exposed to non-admin users via API

Bug #2008259 reported by Albert Braden
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Cinder
Fix Released
Medium
Rajat Dhasmana

Bug Description

We're running kolla train. Since queens, the creation of multiattach volumes by non-admin users has been prohibited in cinderclient and openstackclient, but customers can work around the restriction by using the API.

Reference:
https://docs.openstack.org/cinder/latest/admin/volume-multiattach.html

Revision history for this message
Albert Braden (ozzzo) wrote (last edit ):

Expected behavior: API prohibits creation of multiattach volumes by non-admin users.

Observed behavior: non-admin users can provide "multiattach": "True" in the JSON body of a curl command to create a multiattach volume.

Details here: https://lists.openstack.org/pipermail/openstack-discuss/2023-February/032407.html

OpenStack Infra (hudson-openstack)
Changed in cinder:
status: New → In Progress
Revision history for this message
Sofia Enriquez (lsofia-enriquez) wrote :

Fix proposed to master https://review.opendev.org/c/openstack/cinder/+/874865

Changed in cinder:
importance: Undecided → Medium
assignee: nobody → Rajat Dhasmana (whoami-rajat)
tags: added: api multiattach
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (stable/2023.1)

Fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/cinder/+/877755

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (master)

Reviewed: https://review.opendev.org/c/openstack/cinder/+/874865
Committed: https://opendev.org/openstack/cinder/commit/32f1145b7ddf9a9a359e2359e7db63dbdd00b899
Submitter: "Zuul (22348)"
Branch: master

commit 32f1145b7ddf9a9a359e2359e7db63dbdd00b899
Author: whoami-rajat <email address hidden>
Date: Thu Feb 23 09:59:01 2023 +0000

    Remove multiatttach request parameter

    The initial cinder design[1][2][3] allowed users to create mutliattach
    volumes by spcifying the ``multiattach`` parameter in the request
    body of volume create operation (``--allow-multiattach`` option in
    cinderclient).

    This functionality changed in Queens with the introduction of
    microversion 3.50[4] where we used volume types to store
    the multiattach capabilities. Any volume created with a multiattach
    volume type will be a multiattach volume[5].

    While implementing the new functionality, we had to keep backward
    compatibility with the *old way* of creating multiattach volumes.
    We deprecated the ``multiattach`` (``--allow-multiattach`` on cinderclient
    side) parameter in the queens release[6][7].
    We also removed the support of the ``--allow-multiattach`` optional
    parameter from cinderclient in the train release[8] but the API
    side never removed the compatibility code to disallow functionality
    of creating multiattach volumes by using the ``multiattach``
    parameter (instead of a multiattach volume type).

    This patch removes the support of providing the ``multiattach``
    parameter in the request body of a volume create operation and will
    fail with a BadRequest exception stating the reason of failure
    and how it can be fixed.

    [1] https://blueprints.launchpad.net/cinder/+spec/multi-attach-volume
    [2] https://review.opendev.org/c/openstack/cinder/+/85847/
    [3] https://review.opendev.org/c/openstack/python-cinderclient/+/85856
    [4] https://github.com/openstack/cinder/commit/f1bfd9790d2a7cac9a3e66417b11dc8e3edd8109
    [5] https://docs.openstack.org/cinder/latest/admin/volume-multiattach.html#how-to-create-a-multiattach-volume
    [6] https://github.com/openstack/cinder/commit/94dbf5cce2caff484460a1330feb6cbf7f3dd56a
    [7] https://github.com/openstack/python-cinderclient/commit/adb141a2626192e8f45a911291895716d7c1c8a4
    [8] https://github.com/openstack/python-cinderclient/commit/3c1b417959689c85a2f54505057ca995fedca075

    Depends-On: https://review.opendev.org/c/openstack/tempest/+/875372
    Closes-Bug: 2008259

    Change-Id: I0ece6e279048abcc04b3674108290a80eca6bd62

Changed in cinder:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/cinder/+/877755
Committed: https://opendev.org/openstack/cinder/commit/e2c3bcc6e380921bbe283b4a1b173216193c753d
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit e2c3bcc6e380921bbe283b4a1b173216193c753d
Author: whoami-rajat <email address hidden>
Date: Thu Feb 23 09:59:01 2023 +0000

    Remove multiatttach request parameter

    The initial cinder design[1][2][3] allowed users to create mutliattach
    volumes by spcifying the ``multiattach`` parameter in the request
    body of volume create operation (``--allow-multiattach`` option in
    cinderclient).

    This functionality changed in Queens with the introduction of
    microversion 3.50[4] where we used volume types to store
    the multiattach capabilities. Any volume created with a multiattach
    volume type will be a multiattach volume[5].

    While implementing the new functionality, we had to keep backward
    compatibility with the *old way* of creating multiattach volumes.
    We deprecated the ``multiattach`` (``--allow-multiattach`` on cinderclient
    side) parameter in the queens release[6][7].
    We also removed the support of the ``--allow-multiattach`` optional
    parameter from cinderclient in the train release[8] but the API
    side never removed the compatibility code to disallow functionality
    of creating multiattach volumes by using the ``multiattach``
    parameter (instead of a multiattach volume type).

    This patch removes the support of providing the ``multiattach``
    parameter in the request body of a volume create operation and will
    fail with a BadRequest exception stating the reason of failure
    and how it can be fixed.

    [1] https://blueprints.launchpad.net/cinder/+spec/multi-attach-volume
    [2] https://review.opendev.org/c/openstack/cinder/+/85847/
    [3] https://review.opendev.org/c/openstack/python-cinderclient/+/85856
    [4] https://github.com/openstack/cinder/commit/f1bfd9790d2a7cac9a3e66417b11dc8e3edd8109
    [5] https://docs.openstack.org/cinder/latest/admin/volume-multiattach.html#how-to-create-a-multiattach-volume
    [6] https://github.com/openstack/cinder/commit/94dbf5cce2caff484460a1330feb6cbf7f3dd56a
    [7] https://github.com/openstack/python-cinderclient/commit/adb141a2626192e8f45a911291895716d7c1c8a4
    [8] https://github.com/openstack/python-cinderclient/commit/3c1b417959689c85a2f54505057ca995fedca075

    Depends-On: https://review.opendev.org/c/openstack/tempest/+/875372
    Closes-Bug: 2008259

    Change-Id: I0ece6e279048abcc04b3674108290a80eca6bd62
    (cherry picked from commit 32f1145b7ddf9a9a359e2359e7db63dbdd00b899)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 22.0.0.0rc2

This issue was fixed in the openstack/cinder 22.0.0.0rc2 release candidate.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (stable/zed)

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/cinder/+/879695

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/cinder/+/879695
Committed: https://opendev.org/openstack/cinder/commit/a8a4cdcb2e099456d435028c924e51dcbdee33e9
Submitter: "Zuul (22348)"
Branch: stable/zed

commit a8a4cdcb2e099456d435028c924e51dcbdee33e9
Author: whoami-rajat <email address hidden>
Date: Thu Feb 23 09:59:01 2023 +0000

    Remove multiatttach request parameter

    The initial cinder design[1][2][3] allowed users to create mutliattach
    volumes by spcifying the ``multiattach`` parameter in the request
    body of volume create operation (``--allow-multiattach`` option in
    cinderclient).

    This functionality changed in Queens with the introduction of
    microversion 3.50[4] where we used volume types to store
    the multiattach capabilities. Any volume created with a multiattach
    volume type will be a multiattach volume[5].

    While implementing the new functionality, we had to keep backward
    compatibility with the *old way* of creating multiattach volumes.
    We deprecated the ``multiattach`` (``--allow-multiattach`` on cinderclient
    side) parameter in the queens release[6][7].
    We also removed the support of the ``--allow-multiattach`` optional
    parameter from cinderclient in the train release[8] but the API
    side never removed the compatibility code to disallow functionality
    of creating multiattach volumes by using the ``multiattach``
    parameter (instead of a multiattach volume type).

    This patch removes the support of providing the ``multiattach``
    parameter in the request body of a volume create operation and will
    fail with a BadRequest exception stating the reason of failure
    and how it can be fixed.

    [1] https://blueprints.launchpad.net/cinder/+spec/multi-attach-volume
    [2] https://review.opendev.org/c/openstack/cinder/+/85847/
    [3] https://review.opendev.org/c/openstack/python-cinderclient/+/85856
    [4] https://github.com/openstack/cinder/commit/f1bfd9790d2a7cac9a3e66417b11dc8e3edd8109
    [5] https://docs.openstack.org/cinder/latest/admin/volume-multiattach.html#how-to-create-a-multiattach-volume
    [6] https://github.com/openstack/cinder/commit/94dbf5cce2caff484460a1330feb6cbf7f3dd56a
    [7] https://github.com/openstack/python-cinderclient/commit/adb141a2626192e8f45a911291895716d7c1c8a4
    [8] https://github.com/openstack/python-cinderclient/commit/3c1b417959689c85a2f54505057ca995fedca075

    Depends-On: https://review.opendev.org/c/openstack/tempest/+/875372
    Closes-Bug: 2008259

    Change-Id: I0ece6e279048abcc04b3674108290a80eca6bd62
    (cherry picked from commit 32f1145b7ddf9a9a359e2359e7db63dbdd00b899)
    (cherry picked from commit e2c3bcc6e380921bbe283b4a1b173216193c753d)
    Conflicts: api-ref/source/v3/parameters.yaml

tags: added: in-stable-zed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/cinder/+/880179

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (stable/yoga)

Reviewed: https://review.opendev.org/c/openstack/cinder/+/880179
Committed: https://opendev.org/openstack/cinder/commit/d4535c77493a7b362091b962f42f2613dea65dbe
Submitter: "Zuul (22348)"
Branch: stable/yoga

commit d4535c77493a7b362091b962f42f2613dea65dbe
Author: whoami-rajat <email address hidden>
Date: Thu Feb 23 09:59:01 2023 +0000

    Remove multiatttach request parameter

    The initial cinder design[1][2][3] allowed users to create mutliattach
    volumes by spcifying the ``multiattach`` parameter in the request
    body of volume create operation (``--allow-multiattach`` option in
    cinderclient).

    This functionality changed in Queens with the introduction of
    microversion 3.50[4] where we used volume types to store
    the multiattach capabilities. Any volume created with a multiattach
    volume type will be a multiattach volume[5].

    While implementing the new functionality, we had to keep backward
    compatibility with the *old way* of creating multiattach volumes.
    We deprecated the ``multiattach`` (``--allow-multiattach`` on cinderclient
    side) parameter in the queens release[6][7].
    We also removed the support of the ``--allow-multiattach`` optional
    parameter from cinderclient in the train release[8] but the API
    side never removed the compatibility code to disallow functionality
    of creating multiattach volumes by using the ``multiattach``
    parameter (instead of a multiattach volume type).

    This patch removes the support of providing the ``multiattach``
    parameter in the request body of a volume create operation and will
    fail with a BadRequest exception stating the reason of failure
    and how it can be fixed.

    [1] https://blueprints.launchpad.net/cinder/+spec/multi-attach-volume
    [2] https://review.opendev.org/c/openstack/cinder/+/85847/
    [3] https://review.opendev.org/c/openstack/python-cinderclient/+/85856
    [4] https://github.com/openstack/cinder/commit/f1bfd9790d2a7cac9a3e66417b11dc8e3edd8109
    [5] https://docs.openstack.org/cinder/latest/admin/volume-multiattach.html#how-to-create-a-multiattach-volume
    [6] https://github.com/openstack/cinder/commit/94dbf5cce2caff484460a1330feb6cbf7f3dd56a
    [7] https://github.com/openstack/python-cinderclient/commit/adb141a2626192e8f45a911291895716d7c1c8a4
    [8] https://github.com/openstack/python-cinderclient/commit/3c1b417959689c85a2f54505057ca995fedca075

    Depends-On: https://review.opendev.org/c/openstack/tempest/+/875372
    Closes-Bug: 2008259

    Change-Id: I0ece6e279048abcc04b3674108290a80eca6bd62
    (cherry picked from commit 32f1145b7ddf9a9a359e2359e7db63dbdd00b899)
    (cherry picked from commit e2c3bcc6e380921bbe283b4a1b173216193c753d)
    Conflicts: api-ref/source/v3/parameters.yaml
    (cherry picked from commit a8a4cdcb2e099456d435028c924e51dcbdee33e9)
    Conflicts: cinder/volume/flows/api/create_volume.py

tags: added: in-stable-yoga
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/cinder/+/880375

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/cinder/+/880375
Committed: https://opendev.org/openstack/cinder/commit/75d778244d298961da3ff73fc23058c0b6958f5c
Submitter: "Zuul (22348)"
Branch: stable/xena

commit 75d778244d298961da3ff73fc23058c0b6958f5c
Author: whoami-rajat <email address hidden>
Date: Thu Feb 23 09:59:01 2023 +0000

    Remove multiatttach request parameter

    The initial cinder design[1][2][3] allowed users to create mutliattach
    volumes by spcifying the ``multiattach`` parameter in the request
    body of volume create operation (``--allow-multiattach`` option in
    cinderclient).

    This functionality changed in Queens with the introduction of
    microversion 3.50[4] where we used volume types to store
    the multiattach capabilities. Any volume created with a multiattach
    volume type will be a multiattach volume[5].

    While implementing the new functionality, we had to keep backward
    compatibility with the *old way* of creating multiattach volumes.
    We deprecated the ``multiattach`` (``--allow-multiattach`` on cinderclient
    side) parameter in the queens release[6][7].
    We also removed the support of the ``--allow-multiattach`` optional
    parameter from cinderclient in the train release[8] but the API
    side never removed the compatibility code to disallow functionality
    of creating multiattach volumes by using the ``multiattach``
    parameter (instead of a multiattach volume type).

    This patch removes the support of providing the ``multiattach``
    parameter in the request body of a volume create operation and will
    fail with a BadRequest exception stating the reason of failure
    and how it can be fixed.

    [1] https://blueprints.launchpad.net/cinder/+spec/multi-attach-volume
    [2] https://review.opendev.org/c/openstack/cinder/+/85847/
    [3] https://review.opendev.org/c/openstack/python-cinderclient/+/85856
    [4] https://github.com/openstack/cinder/commit/f1bfd9790d2a7cac9a3e66417b11dc8e3edd8109
    [5] https://docs.openstack.org/cinder/latest/admin/volume-multiattach.html#how-to-create-a-multiattach-volume
    [6] https://github.com/openstack/cinder/commit/94dbf5cce2caff484460a1330feb6cbf7f3dd56a
    [7] https://github.com/openstack/python-cinderclient/commit/adb141a2626192e8f45a911291895716d7c1c8a4
    [8] https://github.com/openstack/python-cinderclient/commit/3c1b417959689c85a2f54505057ca995fedca075

    Depends-On: https://review.opendev.org/c/openstack/tempest/+/875372
    Closes-Bug: 2008259

    Change-Id: I0ece6e279048abcc04b3674108290a80eca6bd62
    (cherry picked from commit 32f1145b7ddf9a9a359e2359e7db63dbdd00b899)
    (cherry picked from commit e2c3bcc6e380921bbe283b4a1b173216193c753d)
    Conflicts: api-ref/source/v3/parameters.yaml
    (cherry picked from commit a8a4cdcb2e099456d435028c924e51dcbdee33e9)
    Conflicts: cinder/volume/flows/api/create_volume.py
    (cherry picked from commit d4535c77493a7b362091b962f42f2613dea65dbe)
    Conflicts: cinder/tests/unit/api/v2/test_volumes.py
            cinder/volume/api.py

tags: added: in-stable-xena
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 19.3.0

This issue was fixed in the openstack/cinder 19.3.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 21.2.0

This issue was fixed in the openstack/cinder 21.2.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 20.2.0

This issue was fixed in the openstack/cinder 20.2.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 23.0.0.0rc1

This issue was fixed in the openstack/cinder 23.0.0.0rc1 release candidate.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.