Cinder

[rbac] list, show and show_default volume type command response does not contain "os-volume-type-access:is_public" property when using reader user

Bug #2016402 reported by Yosi Ben Shimon
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Cinder
Confirmed
Low
Unassigned

Bug Description

When using a reader role, the response for "list", "show" and "show_default" volume type commands should contain the "os-volume-type-access:is_public" property.

Actual result:
The automation fails on response validation as the response instance ['volume_type'] is:
{
    'description': 'description',
    'extra_specs': {'key1': 'value1'},
    'id': 'a907b4c3-14c3-41ac-b11f-8a457dd539fa',
    'is_public': True,
    'name': 'tempest-volume-type-332456562'
}

Tags: rbac
Revision history for this message
Brian Rosmaita (brian-rosmaita) wrote :

Could you supply some more information? For example, what tempest test are you seeing this with, does it work for a member and admin user, any relevant log output ... Thanks!

Changed in cinder:
status: New → Incomplete
Revision history for this message
Yosi Ben Shimon (ybenshim) wrote :
Download full text (4.2 KiB)

Sure.
I'm running show_volume_type() from types_client.py in tempest using reader user.
With member and admin users, it runs as expected ("os-volume-type-access:is_public" property exists in the response).

From tempest.log (reader):
2023-04-17 19:37:38.397 141061 INFO tempest.lib.common.rest_client [req-18ee11a1-fc7e-4c23-a055-af49b80b17e9 req-18ee11a1-fc7e-4c23-a055-af49b80b17e9 ] Request (VolumeTypesReaderTests:test_show_volume_type_detail): 200 GET http://10.0.0.103:8776/v3/ec4a5e859bf14108a332b2a5386b2318/types/aee8a147-951a-4281-ada7-221536cf350b 0.586s
2023-04-17 19:37:38.398 141061 DEBUG tempest.lib.common.rest_client [req-18ee11a1-fc7e-4c23-a055-af49b80b17e9 req-18ee11a1-fc7e-4c23-a055-af49b80b17e9 ] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'X-Auth-Token': '<omitted>'}
        Body: None
    Response - Headers: {'date': 'Mon, 17 Apr 2023 19:37:37 GMT', 'server': 'Apache', 'content-length': '188', 'x-compute-request-id': 'req-18ee11a1-fc7e-4c23-a055-af49b80b17e9', 'openstack-api-version': 'volume 3.0', 'vary': 'OpenStack-API-Version', 'x-openstack-request-id': 'req-18ee11a1-fc7e-4c23-a055-af49b80b17e9', 'content-type': 'application/json', 'connection': 'close', 'status': '200', 'content-location': 'http://10.0.0.103:8776/v3/ec4a5e859bf14108a332b2a5386b2318/types/aee8a147-951a-4281-ada7-221536cf350b'}
        Body: b'{"volume_type": {"id": "aee8a147-951a-4281-ada7-221536cf350b", "name": "tempest-volume-type-373286999", "is_public": true, "description": "description", "extra_specs": {"key1": "value1"}}}' _log_request_full /home/stack/venv/lib64/python3.9/site-packages/tempest/lib/common/rest_client.py:464

From the terminal:
Failed validating 'required' in schema['properties']['volume_type']:
    {'additionalProperties': False,
     'properties': {'description': {'type': ['string', 'null']},
                    'extra_specs': {'patternProperties': {'^.+$': {'type': 'string'}},
                                    'type': 'object'},
                    'id': {'format': 'uuid', 'type': 'string'},
                    'is_public': {'type': 'boolean'},
                    'name': {'type': 'string'},
                    'os-volume-type-access:is_public': {'type': 'boolean'},
                    'qos_specs_id': {'format': 'uuid',
                                     'type': ['string', 'null']}},
     'required': ['name',
                  'is_public',
                  'description',
                  'id',
                  'os-volume-type-access:is_public'],
     'type': 'object'}

On instance['volume_type']:
    {'description': 'description',
     'extra_specs': {'key1': 'value1'},
     'id': 'aee8a147-951a-4281-ada7-221536cf350b',
     'is_public': True,
     'name': 'tempest-volume-type-373286999'}

From tempest.log (member):
2023-04-17 19:42:20.720 145311 INFO tempest.lib.common.rest_client [req-4de4bf72-0b65-4d87-a50f-d9f8b6a7dc5e req-4de4bf72-0b65-4d87-a50f-d9f8b6a7dc5e ] Request (VolumeTypesReaderTests:test_show_volume_type_detail): 200 GET http://10.0.0.103:8776/v3/67b858eef9d540229a9b745bb18f2315/types/3345e337-868a-416b-9509-b6bacdef667c 0.170s
2023-04-17 19:42:20.720 145311 DEBUG temp...

Read more...

Revision history for this message
Sofia Enriquez (lsofia-enriquez) wrote :

Tempest test: https://opendev.org/openstack/tempest/src/commit/3c7eebaaf35c9e8a3f00c76cd1741457bdec9fab/tempest/lib/services/volume/v3/types_client.py

I'm not sure if cinder has any job running this. I'll ask on the cinder meeting.

Changed in cinder:
status: Incomplete → Confirmed
importance: Undecided → Low
Revision history for this message
Yosi Ben Shimon (ybenshim) wrote :

Hitting the same issue when running "show_default_volume_type" using member and admin users.

Revision history for this message
Eric Harney (eharney) wrote :

Cause: 'os-volume-type-access:is_public' is only added if volume_access.TYPE_ACCESS_POLICY passes (see _extend_vol_type() in volume_type_access.py), which by default is SYSTEM_ADMIN_OR_PROJECT_MEMBER. So it looks like Cinder is currently not showing this field for reader users.

(Previously, this check used RULE_ADMIN_OR_OWNER.)

Since the "os-volume-type-access:is_public" field is only for old v2 API compatibility, we will lean toward not fixing this, since users who need this information can just use the current "is_public" field.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.