Bug 2184834 - [17.1] Multiattach volumes should be created by volume type only
Summary: [17.1] Multiattach volumes should be created by volume type only
Keywords:
Status: MODIFIED
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-cinder
Version: 17.1 (Wallaby)
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: z1
: 17.1
Assignee: Rajat Dhasmana
QA Contact: Yosi Ben Shimon
Ian Frangs
URL:
Whiteboard:
Depends On: 2184840
Blocks: 2175217
Reported: 2023-04-05 21:55 UTC by Brian Rosmaita
Modified: 2023-08-17 15:04 UTC (History)

Fixed In Version: openstack-cinder-18.2.2-17.1.20230726051053.f6b44fc.el9osttrunk
Doc Type: Known Issue
Doc Text:
The Block Storage API supports creating a multi-attach volume by passing a parameter in the volume-create request, even though this method has been deprecated for removal because it is unsafe: it can lead to data loss when a multi-attach volume is created on a back end that does not support multi-attach volumes. Workaround: create a multi-attach volume by using a multi-attach volume type, which is the only method of creating multi-attach volumes provided by the `openstack` and `cinder` CLI.
Clone Of: 2175217
Environment:
Last Closed:
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Launchpad 2008259 0 None None None 2023-04-05 21:58:35 UTC
OpenStack gerrit 874865 0 None MERGED Remove multiatttach request parameter 2023-08-11 19:16:54 UTC
Red Hat Issue Tracker OSP-24012 0 None None None 2023-04-05 21:56:38 UTC

Description Brian Rosmaita 2023-04-05 21:55:23 UTC
+++ This bug was initially created as a clone of Bug #2175217 +++

Description of problem:
The multiattach functionality is restricted to a multiattach volume type that must be created by an admin. A cinder API bug allows non-admin users to create multiattach volumes without the multiattach volume type, which can corrupt their data.

How reproducible:
Make a volume-create request directly to the Block Storage API v3 (don't use the cinderclient or openstackclient) and include '"multiattach": true' in the request body.

Expected results:
Request should be rejected with an HTTP 400 (Bad Request) response.

Actual results:
Volume creation succeeds and the volume-show response indicates that the volume can be multiattached.  User can accidentally corrupt data by creating a multiattach volume without the correct volume type.


Additional info:

https://bugs.launchpad.net/cinder/+bug/2008259
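
An audit for volumes that may already have been created through the request parameter, as an added example (not code from this bug report or from cinder). It assumes volume records shaped like volume-show responses (`id`, `multiattach`, `volume_type`, `attachments`) and volume types whose extra spec `multiattach` is set to `<is> True`; all records below are constructed sample data.

```python
# Added example: flag multiattach volumes whose volume type does not enable
# multiattach, i.e. volumes that could only have been created via the
# removed "multiattach" request parameter. Sample data is constructed.

def type_allows_multiattach(extra_specs):
    """True only for the documented extra-spec form multiattach='<is> True'."""
    parts = str(extra_specs.get("multiattach", "")).split()
    return len(parts) == 2 and parts[0] == "<is>" and parts[1].lower() == "true"


def find_untyped_multiattach(volumes, volume_types):
    """Return one finding per multiattach volume lacking a multiattach type."""
    allowed = {
        t["name"] for t in volume_types
        if type_allows_multiattach(t.get("extra_specs") or {})
    }
    findings = []
    for vol in volumes:
        if not vol.get("multiattach"):
            continue  # ordinary single-attach volume, nothing to check
        if vol.get("volume_type") in allowed:
            continue  # created the supported way, via a multiattach type
        servers = sorted({a["server_id"] for a in vol.get("attachments", [])})
        findings.append({
            "id": vol["id"],
            "volume_type": vol.get("volume_type"),
            "servers": servers,
            # More than one attached server means concurrent writers are
            # possible on a back end that may not support multiattach.
            "at_risk_now": len(servers) > 1,
        })
    return findings


# Constructed sample records (names and IDs are placeholders).
SAMPLE_TYPES = [
    {"name": "ma-type", "extra_specs": {"multiattach": "<is> True"}},
    {"name": "default", "extra_specs": {}},
]
SAMPLE_VOLUMES = [
    {"id": "vol-a", "multiattach": True, "volume_type": "ma-type",
     "attachments": [{"server_id": "srv-1"}, {"server_id": "srv-2"}]},
    {"id": "vol-b", "multiattach": True, "volume_type": "default",
     "attachments": [{"server_id": "srv-1"}, {"server_id": "srv-3"}]},
    {"id": "vol-c", "multiattach": False, "volume_type": "default",
     "attachments": []},
    {"id": "vol-d", "multiattach": True, "volume_type": None,
     "attachments": []},
]

if __name__ == "__main__":
    for f in find_untyped_multiattach(SAMPLE_VOLUMES, SAMPLE_TYPES):
        print(f)
```
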

Comment 6 Brian Rosmaita 2023-07-18 13:03:04 UTC
https://issues.redhat.com/browse/OSP-26512 is showing this as approved for z1 (though the exception flag hasn't been updated to exception+ on this BZ).

Comment 15 Rajat Dhasmana 2023-08-17 14:31:02 UTC
Hi,

Following are the steps to test the "old" behavior that allowed creating volumes with the "multiattach" parameter, which is now blocked by the API.

1. Issue a keystone token

$ openstack token issue
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2023-08-17T15:22:54+0000         |
| id         | <token ID>                       |
| project_id | 94731cadb0604f95b227b6b28052155c |
| user_id    | 7c4037b7cf97412288c2d65239981bad |
+------------+----------------------------------+

2. Do a curl request to volume create with "multiattach": "true" parameter in the request body
NOTE: Make sure to replace the token ID in the request (-H "X-Auth-Token: <token ID>") with the token ID generated above

$ curl -g -i -X POST http://127.0.0.1/volume/v3/94731cadb0604f95b227b6b28052155c/volumes -H "Accept: application/json" -H "Content-Type: application/json" -H "OpenStack-API-Version: volume 3.70" -H "User-Agent: python-cinderclient" -H "X-Auth-Token: gAAAAABk3i0-JyXOaU5cMo6Mvg8W-FvLRJWvD9Yr4TQSoyU2pHo8gJ87i0aHwyx21U8RKG_yBRy9QSfaeOOs83DBJYGdtrVLjER9oaWUVQk-8qYEqiNIdL6YGJ_zyBqzf4_glUhlevshCvfgKSeafUuHbJ2Dy8kqQmAaJHVg8ZsTL8QNap9Ufk0" -d '{"volume": {"size": 1, "consistencygroup_id": null, "snapshot_id": null, "name": null, "description": null, "volume_type": null, "availability_zone": null, "metadata": {}, "imageRef": null, "source_volid": null, "backup_id": null, "multiattach": "true"}}'
HTTP/1.1 400 Bad Request
Date: Thu, 17 Aug 2023 14:24:05 GMT
Server: Apache/2.4.52 (Ubuntu)
OpenStack-API-Version: volume 3.70
Vary: OpenStack-API-Version
Content-Length: 261
Content-Type: application/json
x-compute-request-id: req-3c66d8d2-4039-4f4c-8a1d-7e7a5cc8529a
x-openstack-request-id: req-3c66d8d2-4039-4f4c-8a1d-7e7a5cc8529a
Connection: close

{"badRequest": {"code": 400, "message": "multiattach parameter has been removed. The default behavior is to use multiattach enabled volume types. Contact your administrator to create a multiattach enabled volume type and use it to create multiattach volumes."}}

3. Confirm that it fails with a BadRequest (HTTP 400) with the following message

multiattach parameter has been removed. The default behavior is to use multiattach enabled volume types. Contact your administrator to create a multiattach enabled volume type and use it to create multiattach volumes.

Thanks
Rajat Dhasmana

