After investigation in cinder, found one API that would have a potential security issue: reset volume's status, this is the process to reproduce.
1. assume a volume is created in the demon1 project by a non-admin user:
```
+--------------------------------+--------------------------------------+
| Property                       | Value                                |
+--------------------------------+--------------------------------------+
| attachments                    | []                                   |
| availability_zone              | nova                                 |
| bootable                       | false                                |
| consistencygroup_id            | None                                 |
| created_at                     | 2018-03-15T03:13:39.000000           |
| description                    | None                                 |
| encrypted                      | False                                |
| group_id                       | None                                 |
| id                             | 074c4b78-af13-4b7c-a8ef-29fa5604197f |
| metadata                       | {}                                   |
| migration_status               | None                                 |
| multiattach                    | False                                |
| name                           | None                                 |
| os-vol-host-attr:host          | None                                 |
| os-vol-mig-status-attr:migstat | None                                 |
| os-vol-mig-status-attr:name_id | None                                 |
| os-vol-tenant-attr:tenant_id   | 61feeebaad1d4e4382c1c764f2033a79     |
| provider_id                    | None                                 |
| replication_status             | None                                 |
| size                           | 1                                    |
| snapshot_id                    | None                                 |
| source_volid                   | None                                 |
| status                         | creating                             |
| updated_at                     | 2018-03-15T03:13:39.000000           |
| user_id                        | 7bf2008b095d4961a9f4bc92a475c54e     |
| volume_type                    | lvmdriver-1                          |
```
2. switch to another project, demo2, as a non-administrator user, which doesn't have any volumes:
```
+----+--------+------+------+-------------+----------+-------------+
| ID | Status | Name | Size | Volume Type | Bootable | Attached to |
+----+--------+------+------+-------------+----------+-------------+
+----+--------+------+------+-------------+----------+-------------+
```
3. try to reset the newly created volume's status in this project, and this is the result:
```
{
    "os-reset_status": {
        "status": "errpr"
    }
}
RESPONSE:
{
    "forbidden": {
        "message": "Policy doesn't allow volume_extension:volume_admin_actions:reset_status to be performed.",
        "code": 403
    }
}
```
4. update the reset_status policy rule to admin_or_owner [1] and restart the service
5. try to reset the status again; cinder updates the status successfully even though I am not the owner of the volume, cinder list.
```
+--------------------------------+--------------------------------------+
| Property                       | Value                                |
+--------------------------------+--------------------------------------+
| attached_servers               | []                                   |
| attachment_ids                 | []                                   |
| availability_zone              | nova                                 |
| bootable                       | false                                |
| consistencygroup_id            | None                                 |
| created_at                     | 2018-03-15T03:13:39.000000           |
| description                    | None                                 |
| encrypted                      | False                                |
| group_id                       | None                                 |
| id                             | 074c4b78-af13-4b7c-a8ef-29fa5604197f |
| metadata                       |                                      |
| migration_status               | None                                 |
| multiattach                    | False                                |
| name                           | None                                 |
| os-vol-host-attr:host          | None                                 |
| os-vol-mig-status-attr:migstat | None                                 |
| os-vol-mig-status-attr:name_id | None                                 |
| os-vol-tenant-attr:tenant_id   | 61feeebaad1d4e4382c1c764f2033a79     |
| provider_id                    | None                                 |
| replication_status             | None                                 |
| size                           | 1                                    |
| snapshot_id                    | None                                 |
| source_volid                   | None                                 |
| status                         | error                                |
| updated_at                     | 2018-03-15T03:25:15.000000           |
| user_id                        | 7bf2008b095d4961a9f4bc92a475c54e     |
| volume_type                    | lvmdriver-1                          |
+--------------------------------+--------------------------------------+
```
[1]: https://github.com/openstack/cinder/blob/baabd09f63bb5cb7b9ff8860ceab1efe1b6eab89/cinder/policies/volume_actions.py#L76
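
The behaviour an `admin_or_owner` rule is expected to give for the volume in this report, as an added example that is not part of the report and is not Cinder or oslo.policy code. The rule is modelled as "admin, or caller's project equals the target's project"; the second check, which builds the target from the caller's own context, is an assumed illustration of how an owner rule can pass for every caller and is not a cause stated in the report. The demo2 and admin project ids are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """Caller identity as seen by the API layer (simplified model)."""
    project_id: str
    is_admin: bool = False


def admin_or_owner(ctx, target):
    """Allow admins, or callers whose project matches the target's project_id."""
    return ctx.is_admin or ctx.project_id == target.get("project_id")


def authorize_against_volume(ctx, volume):
    """Expected behaviour: the target is built from the volume being modified."""
    target = {"project_id": volume["os-vol-tenant-attr:tenant_id"]}
    return admin_or_owner(ctx, target)


def authorize_against_caller(ctx, volume):
    """Assumed ineffective variant: the target comes from the caller's context,
    so the owner clause compares the caller's project with itself."""
    target = {"project_id": ctx.project_id}
    return admin_or_owner(ctx, target)


# Volume fields taken from the report.
VOLUME = {
    "id": "074c4b78-af13-4b7c-a8ef-29fa5604197f",
    "os-vol-tenant-attr:tenant_id": "61feeebaad1d4e4382c1c764f2033a79",
}

# Callers: the owning project (id from the report) and two constructed ones.
CALLERS = {
    "owner": Context("61feeebaad1d4e4382c1c764f2033a79"),
    "other_project": Context("PLACEHOLDER-demo2-project-id"),
    "admin": Context("PLACEHOLDER-admin-project-id", is_admin=True),
}


def decisions(check):
    """Run one authorization check for every sample caller."""
    return {name: check(ctx, VOLUME) for name, ctx in CALLERS.items()}


if __name__ == "__main__":
    print("target from volume:", decisions(authorize_against_volume))
    print("target from caller:", decisions(authorize_against_caller))
```

A regression test for this class of issue should always include a non-admin caller from a different project than the resource, since the owner and admin cases pass under both checks.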