+++ This bug was initially created as a clone of Bug #2175217 +++

Description of problem:
The multiattach functionality is restricted to a multiattach volume type that must be created by an admin. A cinder API bug allows non-admin users to create multiattach volumes without the multiattach volume type which can corrupt their data.

How reproducible:
Make a volume-create request directly to the Block Storage API v3 (don't use the cinderclient or openstackclient) and include '"multiattach": true' in the request body.

Expected results:
Request should be rejected with a HTTP 400 (Bad Request) response.

Actual results:
Volume creation succeeds and the volume-show response indicates that the volume can be multiattached. User can accidentally corrupt data by creating a multiattach volume without the correct volume type.

Additional info:
https://bugs.launchpad.net/cinder/+bug/2008259

https://issues.redhat.com/browse/OSP-26512 is showing this as approved for z1 (though the exception flag hasn't been updated to exception+ on this BZ).

Hi,

Following are the steps to test the "old" behavior that allowed creating volumes with the "multiattach" parameter, which is blocked now by the API.

1. Issue a keystone token

$ openstack token issue
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2023-08-17T15:22:54+0000         |
| id         | <token ID>                       |
| project_id | 94731cadb0604f95b227b6b28052155c |
| user_id    | 7c4037b7cf97412288c2d65239981bad |
+------------+----------------------------------+

2. Do a curl request to volume create with the "multiattach": "true" parameter in the request body

NOTE: Make sure to replace the token ID in the request (-H "X-Auth-Token: <token ID>") with the token ID generated above

$ curl -g -i -X POST http://127.0.0.1/volume/v3/94731cadb0604f95b227b6b28052155c/volumes -H "Accept: application/json" -H "Content-Type: application/json" -H "OpenStack-API-Version: volume 3.70" -H "User-Agent: python-cinderclient" -H "X-Auth-Token: gAAAAABk3i0-JyXOaU5cMo6Mvg8W-FvLRJWvD9Yr4TQSoyU2pHo8gJ87i0aHwyx21U8RKG_yBRy9QSfaeOOs83DBJYGdtrVLjER9oaWUVQk-8qYEqiNIdL6YGJ_zyBqzf4_glUhlevshCvfgKSeafUuHbJ2Dy8kqQmAaJHVg8ZsTL8QNap9Ufk0" -d '{"volume": {"size": 1, "consistencygroup_id": null, "snapshot_id": null, "name": null, "description": null, "volume_type": null, "availability_zone": null, "metadata": {}, "imageRef": null, "source_volid": null, "backup_id": null, "multiattach": "true"}}'
HTTP/1.1 400 Bad Request
Date: Thu, 17 Aug 2023 14:24:05 GMT
Server: Apache/2.4.52 (Ubuntu)
OpenStack-API-Version: volume 3.70
Vary: OpenStack-API-Version
Content-Length: 261
Content-Type: application/json
x-compute-request-id: req-3c66d8d2-4039-4f4c-8a1d-7e7a5cc8529a
x-openstack-request-id: req-3c66d8d2-4039-4f4c-8a1d-7e7a5cc8529a
Connection: close

{"badRequest": {"code": 400, "message": "multiattach parameter has been removed. The default behavior is to use multiattach enabled volume types. Contact your administrator to create a multiattach enabled volume type and use it to create multiattach volumes."}}

3. Confirm that it fails with a BadRequest (HTTP 400) with the following message

multiattach parameter has been removed. The default behavior is to use multiattach enabled volume types. Contact your administrator to create a multiattach enabled volume type and use it to create multiattach volumes.

Thanks
Rajat Dhasmana
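
An audit for volumes that may have been created through this bug before the fix, as an added example that is not part of the bug report or Cinder's own code: it flags volumes marked multiattach whose volume type lacks the multiattach extra spec. The function names and sample records are constructed for illustration; the field names are assumed to follow the Block Storage API volume and volume-type responses, and the extra-spec match is this example's approximation of how Cinder reads `<is> True`.

```python
import re

# A multiattach volume type carries the extra spec multiattach="<is> True".
# Assumption: a case-insensitive match on the boolean part is close enough for an audit.
_IS_TRUE = re.compile(r"^\s*<is>\s+true\s*$", re.IGNORECASE)


def multiattach_type_names(volume_types):
    """Names of volume types whose extra specs enable multiattach."""
    names = set()
    for vtype in volume_types:
        spec = (vtype.get("extra_specs") or {}).get("multiattach", "")
        if _IS_TRUE.match(str(spec)):
            names.add(vtype["name"])
    return names


def suspect_volumes(volumes, volume_types):
    """Return (volume id, attachment count) for every volume flagged
    multiattach whose volume type is missing or not multiattach-enabled."""
    allowed = multiattach_type_names(volume_types)
    flagged = []
    for vol in volumes:
        if vol.get("multiattach") is not True:
            continue  # ordinary single-attach volume
        if vol.get("volume_type") in allowed:
            continue  # created the supported way
        flagged.append((vol["id"], len(vol.get("attachments") or [])))
    return flagged


# Constructed sample records shaped like volume-type and volume detail listings.
SAMPLE_TYPES = [
    {"name": "multiattach", "extra_specs": {"multiattach": "<is> True"}},
    {"name": "__DEFAULT__", "extra_specs": {}},
]
SAMPLE_VOLUMES = [
    {"id": "vol-1", "multiattach": True, "volume_type": "multiattach",
     "attachments": [{"server_id": "srv-a"}, {"server_id": "srv-b"}]},
    {"id": "vol-2", "multiattach": True, "volume_type": "__DEFAULT__",
     "attachments": [{"server_id": "srv-a"}, {"server_id": "srv-c"}]},
    {"id": "vol-3", "multiattach": False, "volume_type": "__DEFAULT__",
     "attachments": []},
    {"id": "vol-4", "multiattach": True, "volume_type": None, "attachments": []},
]

if __name__ == "__main__":
    for vol_id, count in suspect_volumes(SAMPLE_VOLUMES, SAMPLE_TYPES):
        print(f"{vol_id}: multiattach without a multiattach type, {count} attachment(s)")
```

Volumes reported with more than one attachment are the ones to check first, since they are already shared between servers.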