openstack/cinder
Code Issues Proposed changes
3c6c2ee656
cinder/doc/source/install/index.rst
Gorka Eguileor 6df1839bdf Reject unsafe delete attachment calls 
Due to how the Linux SCSI kernel driver works there are some storage
systems, such as iSCSI with shared targets, where a normal user can
access other projects' volume data connected to the same compute host
using the attachments REST API.

This affects both single and multi-pathed connections.

To prevent users from doing this, unintentionally or maliciously,
cinder-api will now reject some delete attachment requests that are
deemed unsafe.

Cinder will process the delete attachment request normally in the
following cases:

- The request comes from an OpenStack service that is sending the
  service token that has one of the roles in `service_token_roles`.
- Attachment doesn't have an instance_uuid value
- The instance for the attachment doesn't exist in Nova
- According to Nova the volume is not connected to the instance
- Nova is not using this attachment record

There are 3 operations in the actions REST API endpoint that can be used
for an attack:

- `os-terminate_connection`: Terminate volume attachment
- `os-detach`: Detach a volume
- `os-force_detach`: Force detach a volume

In this endpoint we just won't allow most requests not coming from a
service. The rules we apply are the same as for attachment delete
explained earlier, but in this case we may not have the attachment id
and be more restrictive.  This should not be a problem for normal
operations because:

- Cinder backup doesn't use the REST API but RPC calls via RabbitMQ
- Glance doesn't use this interface anymore

Checking whether it's a service or not is done at the cinder-api level
by checking that the service user that made the call has at least one of
the roles in the `service_token_roles` configuration. These roles are
retrieved from keystone by the keystone middleware using the value of
the "X-Service-Token" header.

If Cinder is configured with `service_token_roles_required = true` and
an attacker provides non-service valid credentials the service will
return a 401 error, otherwise it'll return 409 as if a normal user had
made the call without the service token.

Closes-Bug: #2004555
Change-Id: I612905a1bf4a1706cce913c0d8a6df7a240d599a
2023-05-10 19:51:33 +02:00

53 lines
1.7 KiB
ReStructuredText
Raw Blame History

.. _cinder:
=========================
Cinder Installation Guide
=========================
The Block Storage service (cinder) provides block storage devices
to guest instances. The method in which the storage is provisioned and
consumed is determined by the Block Storage driver, or drivers
in the case of a multi-backend configuration. There are a variety of
drivers that are available: NAS/SAN, NFS, iSCSI, Ceph, and more.
The Block Storage API and scheduler services typically run on the controller
nodes. Depending upon the drivers used, the volume service can run
on controller nodes, compute nodes, or standalone storage nodes.
For more information, see the :doc:`Configuration
Reference </configuration/block-storage/volume-drivers>`.
Prerequisites
~~~~~~~~~~~~~
This documentation specifically covers the installation of the Cinder Block
Storage service. Before following this guide you will need to prepare your
OpenStack environment using the instructions in the
`OpenStack Installation Guide <https://docs.openstack.org/install-guide/>`_.
Once able to 'Launch an instance' in your OpenStack environment follow the
instructions below to add Cinder to the base environment.
Adding Cinder to your OpenStack Environment
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following links describe how to install the Cinder Block Storage Service:
.. warning::
For security reasons **Service Tokens must to be configured** in OpenStack
for Cinder to operate securely. Pay close attention to the :doc:`specific
section describing it: <../configuration/block-storage/service-token>`. See
https://bugs.launchpad.net/nova/+bug/2004555 for details.
.. toctree::
get-started-block-storage
index-obs
index-rdo
index-ubuntu
index-windows
View Git Blame Copy Permalink