Description of problem:

The possibility to set different default_volume_type for different tenants.

Customer has DCs in various geos separated in different tenants and also has separated the storage DCs by geos in three cinder pacemaker clusters of three nodes, one for each Cinder Availability Zone.

Currently a volume_type that the tenant has access to can be set in cli or horizon while creating a volume, and volumes are created accordingly. But when creating a volume and volume_type is left blank, the volume is created by default_volume_type, which is also left blank, and is created under a volume-type that the tenant should not even have access to. This also means the volume is created and shared from a different (distant) cinder AZ.

Example:

[osp](ES_admin_LAB)$ cinder service-list
+------------------+---------------------+------------+---------+-------+----------------------------+-----------------+
| Binary           | Host                | Zone       | Status  | State | Updated_at                 | Disabled Reason |
+------------------+---------------------+------------+---------+-------+----------------------------+-----------------+
| cinder-backup    | cvs1lci-az1         | TC_LAB-I-1 | enabled | up    | 2017-06-26T11:50:28.000000 | -               |
| cinder-backup    | cvs1lci-az2         | TC_LAB-I-2 | enabled | up    | 2017-06-26T11:50:25.000000 | -               |
| cinder-backup    | cvs1lci-az3         | TC_LAB-I-3 | enabled | up    | 2017-06-26T11:50:27.000000 | -               |
| cinder-scheduler | cvs1lci-az1         | TC_LAB-I-1 | enabled | up    | 2017-06-26T11:50:22.000000 | -               |
| cinder-scheduler | cvs1lci-az2         | TC_LAB-I-2 | enabled | up    | 2017-06-26T11:50:29.000000 | -               |
| cinder-scheduler | cvs1lci-az3         | TC_LAB-I-3 | enabled | up    | 2017-06-26T11:50:31.000000 | -               |
| cinder-volume    | cvs1lci-az1@ALL_STD | TC_LAB-I-1 | enabled | down  | -                          | -               |
| cinder-volume    | cvs1lci-az1@ES_ADV  | TC_LAB-I-1 | enabled | up    | 2017-06-26T11:50:28.000000 | -               |
| cinder-volume    | cvs1lci-az1@ES_STD  | TC_LAB-I-1 | enabled | up    | 2017-06-26T11:50:28.000000 | -               |
| cinder-volume    | cvs1lci-az1@PT_ADV  | TC_LAB-I-1 | enabled | up    | 2017-06-26T11:50:28.000000 | -               |
| cinder-volume    | cvs1lci-az1@PT_STD  | TC_LAB-I-1 | enabled | up    | 2017-06-26T11:50:28.000000 | -               |
| cinder-volume    | cvs1lci-az2@ALL_STD | TC_LAB-I-2 | enabled | down  | -                          | -               |
| cinder-volume    | cvs1lci-az2@ES_ADV  | TC_LAB-I-2 | enabled | up    | 2017-06-26T11:50:25.000000 | -               |
| cinder-volume    | cvs1lci-az2@ES_STD  | TC_LAB-I-2 | enabled | up    | 2017-06-26T11:50:25.000000 | -               |
| cinder-volume    | cvs1lci-az2@PT_ADV  | TC_LAB-I-2 | enabled | up    | 2017-06-26T11:50:25.000000 | -               |
| cinder-volume    | cvs1lci-az2@PT_STD  | TC_LAB-I-2 | enabled | up    | 2017-06-26T11:50:25.000000 | -               |
| cinder-volume    | cvs1lci-az3@ALL_STD | TC_LAB-I-3 | enabled | down  | -                          | -               |
| cinder-volume    | cvs1lci-az3@ES_ADV  | TC_LAB-I-3 | enabled | up    | 2017-06-26T11:50:26.000000 | -               |
| cinder-volume    | cvs1lci-az3@ES_STD  | TC_LAB-I-3 | enabled | up    | 2017-06-26T11:50:27.000000 | -               |
| cinder-volume    | cvs1lci-az3@PT_ADV  | TC_LAB-I-3 | enabled | up    | 2017-06-26T11:50:26.000000 | -               |
| cinder-volume    | cvs1lci-az3@PT_STD  | TC_LAB-I-3 | enabled | up    | 2017-06-26T11:50:26.000000 | -               |
+------------------+---------------------+------------+---------+-------+----------------------------+-----------------+

[osp](ES_admin_LAB)$ cinder type-list
+--------------------------------------+---------------+-------------+-----------+
| ID                                   | Name          | Description | Is_Public |
+--------------------------------------+---------------+-------------+-----------+
| 4e4a2823-2538-4cd2-be49-d19029414826 | vtype-PT_STD  | -           | False     |
| 6106281f-9eaf-4332-8a06-4d096756629c | vtype-ES_ADV  | -           | False     |
| 8f4c6da2-d290-4d9c-b8f2-1168bcf4732b | vtype-PT_ADV  | -           | False     |
| c2ddd91d-9c5b-4ef3-96ee-68e321109177 | vtype-ES_STD  | -           | False     |
| c845902e-3021-4f9b-abc8-193c6c856ec6 | vtype-ALL_STD | -           | True      |
+--------------------------------------+---------------+-------------+-----------+

[osp](ES_admin_LAB)$ cinder extra-specs-list
+--------------------------------------+---------------+-----------------------------------+
| ID                                   | Name          | extra_specs                       |
+--------------------------------------+---------------+-----------------------------------+
| 4e4a2823-2538-4cd2-be49-d19029414826 | vtype-PT_STD  | {'volume_backend_name': 'PT_STD'} |
| 6106281f-9eaf-4332-8a06-4d096756629c | vtype-ES_ADV  | {'volume_backend_name': 'ES_ADV'} |
| 8f4c6da2-d290-4d9c-b8f2-1168bcf4732b | vtype-PT_ADV  | {'volume_backend_name': 'PT_ADV'} |
| c2ddd91d-9c5b-4ef3-96ee-68e321109177 | vtype-ES_STD  | {'volume_backend_name': 'ES_STD'} |
| c845902e-3021-4f9b-abc8-193c6c856ec6 | vtype-ALL_STD | {'netapp:Prueba_VTYPES': None}    |
+--------------------------------------+---------------+-----------------------------------+

Projects
23bddb70198b42fbb8cc48c00ef0aa1e iaas-es-poc-01
621f1bb5601c4de0a121093b6f2896bd admin
6233f4dd50304c809e147226134166b0 iaas-es-dev-01
7a9d80187be44fde950308bdc50f372e Automate
85e9dc5e7ca24603849715ee0af35cf6 cloudpulse
8cda6858a6114dc08446a9f767fb1e11 benchmarking
9dfd82aa4c6a4f65b71742133f0981f2 services
d796c8573b3f44b1b607c5a16e4a590d Compute
fa22d454f1584d5cb9ae42eca258da50 iaas-es-dev-02

[osp](ES_admin_LAB)$ cinder type-access-list --volume-type 4e4a2823-2538-4cd2-be49-d19029414826
+--------------------------------------+----------------------------------+
| Volume_type_ID                       | Project_ID                       |
+--------------------------------------+----------------------------------+
| 4e4a2823-2538-4cd2-be49-d19029414826 | 23bddb70198b42fbb8cc48c00ef0aa1e |
| 4e4a2823-2538-4cd2-be49-d19029414826 | 621f1bb5601c4de0a121093b6f2896bd |
| 4e4a2823-2538-4cd2-be49-d19029414826 | 85e9dc5e7ca24603849715ee0af35cf6 |
| 4e4a2823-2538-4cd2-be49-d19029414826 | 8cda6858a6114dc08446a9f767fb1e11 |
| 4e4a2823-2538-4cd2-be49-d19029414826 | 9dfd82aa4c6a4f65b71742133f0981f2 |
| 4e4a2823-2538-4cd2-be49-d19029414826 | fa22d454f1584d5cb9ae42eca258da50 |
+--------------------------------------+----------------------------------+

[root@cvs1lco01 ~(keystone_admin)]# df -h | grep cinder
/dev/mapper/APLIvg-lv_cinder_logs         10G   105M  9.9G  2%  /var/log/cinder
20.48.22.31:/VES1T0Z1_ES_CLOUD_cinderIMG  18G   18M   18G   1%  /var/lib/cinder/conversion
20.48.22.32:/VES1T0Z1_ES_CLOUD_bkp1       922G  88M   922G  1%  /var/lib/cinder/backup_mount/a8de15e3a2d7786a2db0bae7146b0f18
20.48.22.32:/VES1T0Z1_ES_CLOUD_cinder2    1.9T  3.2G  1.8T  1%  /var/lib/cinder/mnt/6e9dbd01c2fbae27fccf24fa0c058f6e
20.48.22.52:/VPT1T0Z1_PT_CLOUD_cinder1    1.9T  1.7G  1.8T  1%  /var/lib/cinder/mnt/6339a85806d43625e678ddc8d6acfd22
20.48.22.31:/VES1T0Z1_ES_CLOUD_cinder1    1.9T  1.7G  1.8T  1%  /var/lib/cinder/mnt/eaa72f0be11dea1251be5ed325f3ada2
20.48.22.54:/VPT1T0Z1_PT_CLOUD_cinder2    1.7T  1.4M  1.7T  1%  /var/lib/cinder/mnt/b4a791c3631830ab0dd425d3a5dfb49c

[root@cvs1lco01 ~(keystone_admin)]# cat /etc/cinder/ES_ADV.shares
# Ansible managed
20.48.22.32:/VES1T0Z1_ES_CLOUD_cinder2

[root@cvs1lco01 ~(keystone_admin)]# cat /etc/cinder/PT_STD.shares
# Ansible managed
20.48.22.52:/VPT1T0Z1_PT_CLOUD_cinder1

From compute user:

[osp][(ES_compute_lab)$ cinder type-list
+--------------------------------------+---------------+-------------+-----------+
| ID                                   | Name          | Description | Is_Public |
+--------------------------------------+---------------+-------------+-----------+
| 6106281f-9eaf-4332-8a06-4d096756629c | vtype-ES_ADV  | -           | False     |
| c2ddd91d-9c5b-4ef3-96ee-68e321109177 | vtype-ES_STD  | -           | False     |
| c845902e-3021-4f9b-abc8-193c6c856ec6 | vtype-ALL_STD | -           | True      |
+--------------------------------------+---------------+-------------+-----------+

[osp][(ES_compute_lab)$ openstack volume create --availability-zone TC_LAB-I-1 --size 3 --type vtype-ES_ADV vol-priv-01
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| attachments         | []                                   |
| availability_zone   | TC_LAB-I-1                           |
| bootable            | false                                |
| consistencygroup_id | None                                 |
| created_at          | 2017-06-26T12:04:53.608402           |
| description         | None                                 |
| encrypted           | False                                |
| id                  | 9ada4abc-8999-407c-97de-56f10ea9b9f6 |
| multiattach         | False                                |
| name                | vol-priv-01                          |
| properties          |                                      |
| replication_status  | disabled                             |
| size                | 3                                    |
| snapshot_id         | None                                 |
| source_volid        | None                                 |
| status              | creating                             |
| type                | vtype-ES_ADV                         |
| user_id             | a79f72aff03b47c4ab62942b306dd536     |
+---------------------+--------------------------------------+

[root@cvs1lco01 ~(keystone_admin)]# ll /var/lib/cinder/mnt/6e9dbd01c2fbae27fccf24fa0c058f6e/volume-9ada4abc-8999-407c-97de-56f10ea9b9f6
-rw-rw-rw-. 1 root root 3221225472 Jun 26 14:04 /var/lib/cinder/mnt/6e9dbd01c2fbae27fccf24fa0c058f6e/volume-9ada4abc-8999-407c-97de-56f10ea9b9f6

[osp][(ES_compute_lab)$ openstack volume create --availability-zone TC_LAB-I-1 --size 3 vol-priv-02
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| attachments         | []                                   |
| availability_zone   | TC_LAB-I-1                           |
| bootable            | false                                |
| consistencygroup_id | None                                 |
| created_at          | 2017-06-26T12:07:31.786396           |
| description         | None                                 |
| encrypted           | False                                |
| id                  | d5d7fa13-7eea-458b-ace5-f24738d4386f |
| multiattach         | False                                |
| name                | vol-priv-02                          |
| properties          |                                      |
| replication_status  | disabled                             |
| size                | 3                                    |
| snapshot_id         | None                                 |
| source_volid        | None                                 |
| status              | creating                             |
| type                | None                                 |
| user_id             | a79f72aff03b47c4ab62942b306dd536     |
+---------------------+--------------------------------------+

[root@cvs1lco01 ~(keystone_admin)]# ll /var/lib/cinder/mnt/6339a85806d43625e678ddc8d6acfd22/volume-d5d7fa13-7eea-458b-ace5-f24738d4386f
-rw-rw-rw-. 1 root root 3221225472 Jun 26 14:07 /var/lib/cinder/mnt/6339a85806d43625e678ddc8d6acfd22/volume-d5d7fa13-7eea-458b-ace5-f24738d4386f

For example, the people of the iaas-es-poc-01 project should only have access to vtype-PT_STD and vtype-PT_ADV, and the people of the Compute project should only have access to vtype-ES_STD and vtype-ES_ADV.
The problem is that if no vtype is chosen, the volume is created with type = None, in the share of vtype-PT_STD. If no vtype is defined, cinder chooses in which share it will be created, but it should be created in one of the shares of the vtypes that the tenant has access to (vtype-ES_STD and vtype-ES_ADV), not in the share of vtype-PT_STD.

There's no "default_volume_type" defined. This is because if "vtype-ES_STD" is selected, for instance, all works for Spain projects, but when the people of Peru, Chile, Portugal create a default volume they will use the shares of Spain.

Version-Release number of selected component (if applicable):
penstack-cinder-7.0.3-1.el7ost.noarch Wed Apr 19 09:41:48 2017
python-cinder-7.0.3-1.el7ost.noarch Wed Apr 19 09:40:44 2017
python-cinderclient-1.5.0-1.el7ost.noarch Wed Apr 19 09:40:23 2017

How reproducible: always

Steps to Reproduce:
1.
2.
3.

Actual results: volume is created outside of volume-types available to the tenant

Expected results: volume is created only in volume-types available to the tenant

Additional info:
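An added example, not part of the original report and not Cinder code: a small audit that parses tables shaped like the `cinder type-list` and `cinder type-access-list` output above and checks a proposed per-project default volume type against each project's access grants. The sample tables are constructed, the IDs are shortened placeholders, and `parse_table`, `audit_defaults` and the `defaults` mapping are hypothetical names.

```python
# Constructed sample data shaped like `cinder type-list` and
# `cinder type-access-list` output; IDs are shortened placeholders.
TYPE_LIST = """
| ID    | Name          | Description | Is_Public |
+-------+---------------+-------------+-----------+
| t-pt  | vtype-PT_STD  | -           | False     |
| t-es  | vtype-ES_STD  | -           | False     |
| t-all | vtype-ALL_STD | -           | True      |
"""
ACCESS_LIST = """
| Volume_type_ID | Project_ID |
+----------------+------------+
| t-pt           | proj-pt    |
| t-es           | proj-es    |
"""

def parse_table(text):
    """Turn a cinder CLI ASCII table into a list of row dicts."""
    rows = [[cell.strip() for cell in line.strip().strip("|").split("|")]
            for line in text.splitlines() if line.strip().startswith("|")]
    return [dict(zip(rows[0], row)) for row in rows[1:]]

def audit_defaults(defaults, type_list=TYPE_LIST, access_list=ACCESS_LIST):
    """Check a hypothetical {project_id: default type name} mapping.

    Returns findings for projects whose default is unknown, is a private
    type the project was not granted, or is missing altogether.
    """
    types = {t["Name"]: t for t in parse_table(type_list)}
    granted = {}  # project_id -> set of private type IDs it may use
    for row in parse_table(access_list):
        granted.setdefault(row["Project_ID"], set()).add(row["Volume_type_ID"])
    findings = []
    for project in sorted(set(granted) | set(defaults)):
        name = defaults.get(project)
        if name is None:
            findings.append((project, "no default: untyped volumes are placed by the scheduler"))
        elif name not in types:
            findings.append((project, f"default {name} does not exist"))
        elif (types[name]["Is_Public"] != "True"
              and types[name]["ID"] not in granted.get(project, set())):
            findings.append((project, f"default {name} is private and not granted"))
    return findings

if __name__ == "__main__":
    # proj-es gets a PT-backed default: the cross-geo mismatch the report describes.
    for finding in audit_defaults({"proj-pt": "vtype-PT_STD", "proj-es": "vtype-PT_STD"}):
        print(finding)
```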
We need to evaluate this one. If existing functionality in OSP8 doesn't address it, it would have to be a new feature in a future cinder release.
Hello. Is it possible to provide a follow-up regarding this RFE? Are there any estimates? Regards, Alex S.
Verified on:
openstack-cinder-18.2.1-0.20220705150903.1776695.el9ost.noarch

Feature passed a manual test plan execution as expected, all the tests passed fine.

There is one minor issue to notice: in order to get the new API calls working, at least in the current state, we have to either enable RBAC, as the new command was created with in mind that RBAC would be deployed, which isn't certain, at least not yet, or bypass RBAC usage by manually creating a limited policy.yaml file under Cinder's config path. All that is needed is this line:

'volume_extension:default_get_all': 'rule:admin_api'

After using either of the above methods, the RFE and its accompanying API calls work fine. Notice that deploying with RBAC will affect other aspects/components of the deployment and thus should be considered carefully.

If we try to use the new API calls before enabling RBAC/limited policy file, we get an error similar to this:

NOTE: this is a system admin only policy, you need to override it for project admin to make this work

Other than this issue we're good to verify.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2022:6543