Bug 2050773 - [OSP 17] accept transfer policy breaks volume transfer workflow [NEEDINFO]
Summary: [OSP 17] accept transfer policy breaks volume transfer workflow
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-cinder
Version: 17.0 (Wallaby)
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: Brian Rosmaita
QA Contact: Tzach Shefi
Docs Contact: Andy Stillman
URL:
Whiteboard:
Depends On:
Blocks: 1326396
 
Reported: 2022-02-04 15:49 UTC by Brian Rosmaita
Modified: 2022-09-28 13:50 UTC (History)

Fixed In Version: openstack-cinder-18.2.1-0.20220705150903.1776695.el9ost
Doc Type: Bug Fix
Doc Text:
Before this update, if an operator defined a custom value for the `volume:accept_transfer` policy that referred to the project_id of the user making the volume transfer accept request, the request would fail. This update removes a duplicate policy check that incorrectly compared the project_id of the requestor to the project_id associated with the volume before transfer. The check done at the Block Storage API layer will now function as expected.
Clone Of:
Environment:
Last Closed: 2022-09-21 12:18:58 UTC
Target Upstream Version:
Embargoed:
jamsmith: needinfo? (mgeary)




Links
System ID Private Priority Status Summary Last Updated
Launchpad 1950474 0 None None None 2022-02-04 15:49:05 UTC
OpenStack gerrit 825046 0 None MERGED Volume transfers: Remove duplicate policy check 2022-02-04 15:56:11 UTC
Red Hat Issue Tracker OSP-12479 0 None None None 2022-02-04 16:03:55 UTC
Red Hat Product Errata RHEA-2022:6543 0 None None None 2022-09-21 12:19:23 UTC

Description Brian Rosmaita 2022-02-04 15:49:05 UTC
Description of problem: To accept a transfer, a user needs authorization to modify a resource that currently isn't owned by a project the user is in.


Version-Release number of selected component (if applicable): This was detected in upstream Xena, but discovered a flaw that is also present in Wallaby (the basis for OSP 17).


Additional info: see the upstream bug; actually, the commit message on the upstream patch fixing this has better information.

Comment 1 Brian Rosmaita 2022-02-04 19:08:24 UTC
Fix is in openstack-cinder-18.1.1-0.20220128050359.30578a7.el9osttrunk ( https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1867007 ), which has the 'rhos-17.0-rhel-9-trunk-candidate' tag.

Comment 3 Tzach Shefi 2022-07-11 11:10:51 UTC
Verified on:
openstack-cinder-18.2.1-0.20220605050357.9a473fd.el9ost.noarch

Create two projects:
(overcloud) [stack@undercloud-0 ~]$ openstack project list
/usr/lib/python3.9/site-packages/ansible/_vendor/__init__.py:42: UserWarning: One or more Python packages bundled by this ansible-core distribution were already loaded (pyparsing). This may result in undefined behavior.
  warnings.warn('One or more Python packages bundled by this ansible-core distribution were already '
+----------------------------------+--------------------------------------+
| ID                               | Name                                 |
+----------------------------------+--------------------------------------+
| 0f33aca2085a42ddb303830c6b39c665 | tempest-ObjectTempUrlTest-1399483024 |
| 13bb617fb94f400f9c154f15e60fe231 | alt_demo                             |
| 14dd78157d004ec88949cc893e0d2de2 | service                              |
| 4675943a151f460b85601116bcfac13d | bar                                  |<
| 5ddbaef8a9674bbdbc3fe3a1335d44f7 | admin                                |
| 8ea12d6ce1bf4ab3990395fdc4a80fea | tempest-ObjectTempUrlTest-588597606  |
| 953821faff4941deae7fd7891ae572e8 | foo                                  |< 
| c7225b33718e42e1bd97715c4368d30b | demo                                 |
| e2683299014b4121aec62a1d7613d1b1 | tempest-ObjectTempUrlTest-812009441  |
+----------------------------------+--------------------------------------+

Create two users, one in each project:
(overcloud) [stack@undercloud-0 ~]$ openstack user list
/usr/lib/python3.9/site-packages/ansible/_vendor/__init__.py:42: UserWarning: One or more Python packages bundled by this ansible-core distribution were already loaded (pyparsing). This may result in undefined behavior.
  warnings.warn('One or more Python packages bundled by this ansible-core distribution were already '
+----------------------------------+-----------------------------------------------------+
| ID                               | Name                                                |
+----------------------------------+-----------------------------------------------------+
| 431a13a569294fc1ab73ef879ac44552 | admin                                               |
..
| ea6ea02a9a8748a6b5124f5a9b487bd2 | foouser                                             |
| b10c7ca1b03145af8c762ba7f2846b25 | baruser                                             |
+----------------------------------+-----------------------------------------------------+

With foouser, create a volume:
(overcloud) [stack@undercloud-0 ~]$ cinder create 1 --name FooVolume
+------------------------------+--------------------------------------+
| Property                     | Value                                |
+------------------------------+--------------------------------------+
| attachments                  | []                                   |
| availability_zone            | nova                                 |
| bootable                     | false                                |
| consistencygroup_id          | None                                 |
| created_at                   | 2022-07-11T10:44:07.000000           |
| description                  | None                                 |
| encrypted                    | False                                |
| id                           | 3ab1dcfb-a9f9-45e3-8801-f16afc88eeb2 |
| metadata                     | {}                                   |
| multiattach                  | False                                |
| name                         | FooVolume                            |
| os-vol-tenant-attr:tenant_id | 953821faff4941deae7fd7891ae572e8     |
| replication_status           | None                                 |
| size                         | 1                                    |
| snapshot_id                  | None                                 |
| source_volid                 | None                                 |
| status                       | creating                             |
| updated_at                   | None                                 |
| user_id                      | ea6ea02a9a8748a6b5124f5a9b487bd2     |
| volume_type                  | tripleo_default                      |
+------------------------------+--------------------------------------+
(overcloud) [stack@undercloud-0 ~]$ cinder list
+--------------------------------------+-----------+-----------+------+-----------------+----------+-------------+
| ID                                   | Status    | Name      | Size | Volume Type     | Bootable | Attached to |
+--------------------------------------+-----------+-----------+------+-----------------+----------+-------------+
| 3ab1dcfb-a9f9-45e3-8801-f16afc88eeb2 | available | FooVolume | 1    | tripleo_default | false    |             |
+--------------------------------------+-----------+-----------+------+-----------------+----------+-------------+


Foouser initiates a volume transfer:
[stack@undercloud-0 ~]$ cinder transfer-create FooVolume --name TransferFooVolume
+------------------------+--------------------------------------+
| Property               | Value                                |
+------------------------+--------------------------------------+
| accepted               | False                                |
| auth_key               | cc601f3f0fe7dcf0                     |
| created_at             | 2022-07-11T10:56:19.509302           |
| destination_project_id | None                                 |
| id                     | fe0d4de6-08cd-435f-b584-6488d0e0746a |
| name                   | TransferFooVolume                    |
| no_snapshots           | False                                |
| source_project_id      | 953821faff4941deae7fd7891ae572e8     |
| volume_id              | 3ab1dcfb-a9f9-45e3-8801-f16afc88eeb2 |
+------------------------+--------------------------------------+

[stack@undercloud-0 ~]$  cinder transfer-list
+--------------------------------------+--------------------------------------+-------------------+
| ID                                   | Volume ID                            | Name              |
+--------------------------------------+--------------------------------------+-------------------+
| fe0d4de6-08cd-435f-b584-6488d0e0746a | 3ab1dcfb-a9f9-45e3-8801-f16afc88eeb2 | TransferFooVolume |
+--------------------------------------+--------------------------------------+-------------------+

Baruser accepts the volume transfer:

(overcloud) [stack@undercloud-0 ~]$ cinder transfer-accept fe0d4de6-08cd-435f-b584-6488d0e0746a  cc601f3f0fe7dcf0
+-----------+--------------------------------------+
| Property  | Value                                |
+-----------+--------------------------------------+
| id        | fe0d4de6-08cd-435f-b584-6488d0e0746a |
| name      | TransferFooVolume                    |
| volume_id | 3ab1dcfb-a9f9-45e3-8801-f16afc88eeb2 |
+-----------+--------------------------------------+

Yay volume is transferred:
(overcloud) [stack@undercloud-0 ~]$ cinder list
+--------------------------------------+-----------+------------+------+-----------------+----------+-------------+
| ID                                   | Status    | Name       | Size | Volume Type     | Bootable | Attached to |
+--------------------------------------+-----------+------------+------+-----------------+----------+-------------+
| 3ab1dcfb-a9f9-45e3-8801-f16afc88eeb2 | available | FooVolume  | 1    | tripleo_default | false    |             |

Let's confirm ownership:
(overcloud) [stack@undercloud-0 ~]$ cinder show 3ab1dcfb-a9f9-45e3-8801-f16afc88eeb2
+------------------------------+--------------------------------------+
| Property                     | Value                                |
+------------------------------+--------------------------------------+
| attached_servers             | []                                   |
| attachment_ids               | []                                   |
| availability_zone            | nova                                 |
| bootable                     | false                                |
| consistencygroup_id          | None                                 |
| created_at                   | 2022-07-11T10:44:07.000000           |
| description                  | None                                 |
| encrypted                    | False                                |
| id                           | 3ab1dcfb-a9f9-45e3-8801-f16afc88eeb2 |
| metadata                     |                                      |
| multiattach                  | False                                |
| name                         | FooVolume                            |
| os-vol-tenant-attr:tenant_id | 4675943a151f460b85601116bcfac13d     |
| replication_status           | None                                 |
| size                         | 1                                    |
| snapshot_id                  | None                                 |
| source_volid                 | None                                 |
| status                       | available                            |
| updated_at                   | 2022-07-11T11:06:21.000000           |
| user_id                      | b10c7ca1b03145af8c762ba7f2846b25     | -> Yep user ID changed from the original foouser to baruser.
| volume_type                  | tripleo_default                      |
+------------------------------+--------------------------------------+


Cinder volume transfer works as expected, good to verify.
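
Added example (not part of the bug report and not Cinder's code): a small Python model of the failure described in the Doc Text, using the project IDs, user ID and auth_key from the verification above. The rule string, the `enforce` stand-in for oslo.policy, the API-layer default target and the constant-time auth_key comparison are assumptions of this model.

```python
import hmac

# Project/user IDs and the auth_key are the ones shown in the report.
FOO_PROJECT = "953821faff4941deae7fd7891ae572e8"   # source project "foo"
BAR_PROJECT = "4675943a151f460b85601116bcfac13d"   # accepting project "bar"
BARUSER = "b10c7ca1b03145af8c762ba7f2846b25"

# Hypothetical operator override of volume:accept_transfer (an assumption).
RULE = "role:member and project_id:%(project_id)s"


def enforce(rule, target, creds):
    """Tiny stand-in for oslo.policy: 'and' of role: and kind:match checks."""
    for check in rule.split(" and "):
        kind, _, match = check.partition(":")
        if kind == "role":
            ok = match.lower() in (r.lower() for r in creds.get("roles", []))
        else:
            try:
                ok = str(creds.get(kind)) == match % target
            except KeyError:      # target lacks the field: fail closed
                ok = False
        if not ok:
            return False
    return True


def accept_transfer(creds, volume, transfer, auth_key, duplicate_check):
    """Model of the accept workflow; duplicate_check=True is the pre-fix path."""
    # API layer: the target is the caller's own context (assumed default).
    api_target = {"project_id": creds["project_id"], "user_id": creds["user_id"]}
    if not enforce(RULE, api_target, creds):
        return "denied: API-layer policy"
    # Pre-fix second check: the target is the volume, still owned by "foo".
    if duplicate_check and not enforce(RULE, volume, creds):
        return "denied: duplicate policy check"
    if not hmac.compare_digest(auth_key, transfer["auth_key"]):
        return "denied: wrong auth_key"
    volume.update(project_id=creds["project_id"], user_id=creds["user_id"])
    return "accepted"


def demo(duplicate_check, roles=("member",), key="cc601f3f0fe7dcf0"):
    """Run baruser's accept request; return (result, volume owner afterwards)."""
    volume = {"id": "3ab1dcfb-a9f9-45e3-8801-f16afc88eeb2", "project_id": FOO_PROJECT}
    transfer = {"auth_key": "cc601f3f0fe7dcf0", "volume_id": volume["id"]}
    creds = {"project_id": BAR_PROJECT, "user_id": BARUSER, "roles": list(roles)}
    result = accept_transfer(creds, volume, transfer, key, duplicate_check)
    return result, volume["project_id"]
```

With `duplicate_check=True` a project-scoped rule can never pass for the acceptor, because the volume still belongs to the source project at that point; with the duplicate check removed, the API-layer policy and the auth_key remain the gates.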

Comment 7 Brian Rosmaita 2022-09-07 13:03:39 UTC
Suggested revision for the doc text ... change the second sentence from

This update removes a duplicate policy check that incorrectly compared the project_id of the requestor to the project_id associated with the volume before transfer has been removed.

to

This update removes a duplicate policy check that incorrectly compared the project_id of the acceptor to the project_id associated with the volume before transfer.

Comment 11 errata-xmlrpc 2022-09-21 12:18:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:6543

