Bug 2184834

Summary: [17.1] Multiattach volumes should be created by volume type only
Product: Red Hat OpenStack
Reporter: Brian Rosmaita <brian.rosmaita>
Component: openstack-cinder
Assignee: Rajat Dhasmana <rdhasman>
Status: MODIFIED
QA Contact: Yosi Ben Shimon <ybenshim>
Severity: medium
Docs Contact: Ian Frangs <ifrangs>
Priority: high
Version: 17.1 (Wallaby)
CC: astillma, brian.rosmaita, eharney, eshames, ifrangs, jhardee, ltoscano, mkopec, pgrist, rdhasman, yrabl
Target Milestone: z1
Keywords: Triaged
Target Release: 17.1
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-cinder-18.2.2-17.1.20230726051053.f6b44fc.el9osttrunk
Doc Type: Known Issue
Doc Text:
The Block Storage API supports the creation of a Block Storage multi-attach volume by passing a parameter in the volume-create request, even though this method of creating multi-attach volumes has been deprecated for removal because it is unsafe and can lead to data loss when creating a multi-attach volume on a back end that does not support multi-attach volumes. Workaround: create a multi-attach volume by using a multi-attach volume-type, which is the only method of creating multi-attach volumes provided by the `openstack` and `cinder` CLI.
Clone Of: 2175217
Bug Depends On: 2184840    
Bug Blocks: 2175217    

Description Brian Rosmaita 2023-04-05 21:55:23 UTC
+++ This bug was initially created as a clone of Bug #2175217 +++

Description of problem:
The multiattach functionality is restricted to a multiattach volume type that must be created by an admin. A cinder API bug allows non-admin users to create multiattach volumes without the multiattach volume type, which can corrupt their data.

How reproducible:
Make a volume-create request directly to the Block Storage API v3 (don't use the cinderclient or openstackclient) and include '"multiattach": true' in the request body.

Expected results:
Request should be rejected with an HTTP 400 (Bad Request) response.

Actual results:
Volume creation succeeds and the volume-show response indicates that the volume can be multiattached.  User can accidentally corrupt data by creating a multiattach volume without the correct volume type.


Additional info:

https://bugs.launchpad.net/cinder/+bug/2008259

Comment 6 Brian Rosmaita 2023-07-18 13:03:04 UTC
https://issues.redhat.com/browse/OSP-26512 is showing this as approved for z1 (though the exception flag hasn't been updated to exception+ on this BZ).

Comment 15 Rajat Dhasmana 2023-08-17 14:31:02 UTC
Hi,

Following are the steps to test the "old" behavior that allowed creating volumes with the "multiattach" parameter, which is now blocked by the API.

1. Issue a keystone token

$ openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2023-08-17T15:22:54+0000                                                                                                                                                                |
| id         | <token ID>                                                                                                                                                                              |
| project_id | 94731cadb0604f95b227b6b28052155c                                                                                                                                                        |
| user_id    | 7c4037b7cf97412288c2d65239981bad                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

2. Do a curl request to volume create with "multiattach": "true" parameter in the request body
NOTE: Make sure to replace the token ID in the request (-H "X-Auth-Token: <token ID>") with the token ID generated above

$ curl -g -i -X POST http://127.0.0.1/volume/v3/94731cadb0604f95b227b6b28052155c/volumes -H "Accept: application/json" -H "Content-Type: application/json" -H "OpenStack-API-Version: volume 3.70" -H "User-Agent: python-cinderclient" -H "X-Auth-Token: gAAAAABk3i0-JyXOaU5cMo6Mvg8W-FvLRJWvD9Yr4TQSoyU2pHo8gJ87i0aHwyx21U8RKG_yBRy9QSfaeOOs83DBJYGdtrVLjER9oaWUVQk-8qYEqiNIdL6YGJ_zyBqzf4_glUhlevshCvfgKSeafUuHbJ2Dy8kqQmAaJHVg8ZsTL8QNap9Ufk0" -d '{"volume": {"size": 1, "consistencygroup_id": null, "snapshot_id": null, "name": null, "description": null, "volume_type": null, "availability_zone": null, "metadata": {}, "imageRef": null, "source_volid": null, "backup_id": null, "multiattach": "true"}}'
HTTP/1.1 400 Bad Request
Date: Thu, 17 Aug 2023 14:24:05 GMT
Server: Apache/2.4.52 (Ubuntu)
OpenStack-API-Version: volume 3.70
Vary: OpenStack-API-Version
Content-Length: 261
Content-Type: application/json
x-compute-request-id: req-3c66d8d2-4039-4f4c-8a1d-7e7a5cc8529a
x-openstack-request-id: req-3c66d8d2-4039-4f4c-8a1d-7e7a5cc8529a
Connection: close

{"badRequest": {"code": 400, "message": "multiattach parameter has been removed. The default behavior is to use multiattach enabled volume types. Contact your administrator to create a multiattach enabled volume type and use it to create multiattach volumes."}}

3. Confirm that it fails with a BadRequest (HTTP 400) with the following message

multiattach parameter has been removed. The default behavior is to use multiattach enabled volume types. Contact your administrator to create a multiattach enabled volume type and use it to create multiattach volumes.

Thanks
Rajat Dhasmana
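
An added example, not Cinder's own code and not part of the comments above: a request-body check with the behaviour the steps verify, rejecting a volume-create body that sets multiattach whether it arrives as JSON true (the bug description) or as the string "true" (comment 15). The function names, the set of truthy spellings and the sample volume type name are assumptions; the message text is the one in the 400 response above.

```python
import json

# Message text copied from the 400 response shown in comment 15.
REJECT_MSG = (
    "multiattach parameter has been removed. The default behavior is to use "
    "multiattach enabled volume types. Contact your administrator to create "
    "a multiattach enabled volume type and use it to create multiattach "
    "volumes."
)
# Assumption: string spellings that count as true.
_TRUTHY = {"1", "t", "true", "on", "y", "yes"}


def requests_multiattach(raw_body):
    """True if a volume-create body sets multiattach to a true value."""
    try:
        doc = json.loads(raw_body)
    except (TypeError, ValueError):
        return False  # malformed JSON: leave to the API's own validation
    volume = doc.get("volume") if isinstance(doc, dict) else None
    if not isinstance(volume, dict):
        return False
    value = volume.get("multiattach")
    if isinstance(value, str):
        return value.strip().lower() in _TRUTHY
    return value is True


def reject_response(raw_body):
    """Return (400, JSON error body) for a rejected request, else None."""
    if not requests_multiattach(raw_body):
        return None
    return 400, json.dumps({"badRequest": {"code": 400, "message": REJECT_MSG}})


if __name__ == "__main__":
    # Constructed bodies: the first two mirror the description and comment 15;
    # "multiattach-type" is a hypothetical volume type name.
    samples = [
        '{"volume": {"size": 1, "multiattach": true}}',
        '{"volume": {"size": 1, "volume_type": null, "multiattach": "true"}}',
        '{"volume": {"size": 1, "volume_type": "multiattach-type"}}',
    ]
    for body in samples:
        print(reject_response(body) is not None, body)
```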