After investigation in cinder, found one API that would have a potential security issue: reset volume's status, this is the process to reproduce. 1. assume create a volume in demon1 project with non-admin user: ``` +--------------------------------+--------------------------------------+ | Property | Value | +--------------------------------+--------------------------------------+ | attachments | [] | | availability_zone | nova | | bootable | false | | consistencygroup_id | None | | created_at | 2018-03-15T03:13:39.000000 | | description | None | | encrypted | False | | group_id | None | | id | 074c4b78-af13-4b7c-a8ef-29fa5604197f | | metadata | {} | | migration_status | None | | multiattach | False | | name | None | | os-vol-host-attr:host | None | | os-vol-mig-status-attr:migstat | None | | os-vol-mig-status-attr:name_id | None | | os-vol-tenant-attr:tenant_id | 61feeebaad1d4e4382c1c764f2033a79 | | provider_id | None | | replication_status | None | | size | 1 | | snapshot_id | None | | source_volid | None | | status | creating | | updated_at | 2018-03-15T03:13:39.000000 | | user_id | 7bf2008b095d4961a9f4bc92a475c54e | | volume_type | lvmdriver-1 | ``` 2. swith into another project demo2 with non administrator which doesn't have any volumes: ``` +----+--------+------+------+-------------+----------+-------------+ | ID | Status | Name | Size | Volume Type | Bootable | Attached to | +----+--------+------+------+-------------+----------+-------------+ +----+--------+------+------+-------------+----------+-------------+ ``` 3. try to reset the new created volume's status in this project, and this is the result: ``` { "os-reset_status": { "status": "errpr" } } RESPONSE: { "forbidden": { "message": "Policy doesn't allow volume_extension:volume_admin_actions:reset_status to be performed.", "code": 403 } } ``` 4. update the reset_status's policy rule into admin_or_owner [1] and restart the service 5. try to reset the status again, cinder updates the status successfully even I am not the owner of the volume, cinder list. ``` +--------------------------------+--------------------------------------+ | Property | Value | +--------------------------------+--------------------------------------+ | attached_servers | [] | | attachment_ids | [] | | availability_zone | nova | | bootable | false | | consistencygroup_id | None | | created_at | 2018-03-15T03:13:39.000000 | | description | None | | encrypted | False | | group_id | None | | id | 074c4b78-af13-4b7c-a8ef-29fa5604197f | | metadata | | | migration_status | None | | multiattach | False | | name | None | | os-vol-host-attr:host | None | | os-vol-mig-status-attr:migstat | None | | os-vol-mig-status-attr:name_id | None | | os-vol-tenant-attr:tenant_id | 61feeebaad1d4e4382c1c764f2033a79 | | provider_id | None | | replication_status | None | | size | 1 | | snapshot_id | None | | source_volid | None | | status | error | | updated_at | 2018-03-15T03:25:15.000000 | | user_id | 7bf2008b095d4961a9f4bc92a475c54e | | volume_type | lvmdriver-1 | +--------------------------------+--------------------------------------+ ``` [1]: https://github.com/openstack/cinder/blob/baabd09f63bb5cb7b9ff8860ceab1efe1b6eab89/cinder/policies/volume_actions.py#L76