openstack
/
cinder
Code Issues Proposed changes
OpenStack Block Storage (Cinder)
19,343 Commits 9 Branches 67 Tags 887 MiB
Python 99.7%
Smarty 0.3%
Go to file
Gorka Eguileor 68fdc32336 Reject unsafe delete attachment calls 
Due to how the Linux SCSI kernel driver works there are some storage
systems, such as iSCSI with shared targets, where a normal user can
access other projects' volume data connected to the same compute host
using the attachments REST API.

This affects both single and multi-pathed connections.

To prevent users from doing this, unintentionally or maliciously,
cinder-api will now reject some delete attachment requests that are
deemed unsafe.

Cinder will process the delete attachment request normally in the
following cases:

- The request comes from an OpenStack service that is sending the
  service token that has one of the roles in `service_token_roles`.
- Attachment doesn't have an instance_uuid value
- The instance for the attachment doesn't exist in Nova
- According to Nova the volume is not connected to the instance
- Nova is not using this attachment record

There are 3 operations in the actions REST API endpoint that can be used
for an attack:

- `os-terminate_connection`: Terminate volume attachment
- `os-detach`: Detach a volume
- `os-force_detach`: Force detach a volume

In this endpoint we just won't allow most requests not coming from a
service. The rules we apply are the same as for attachment delete
explained earlier, but in this case we may not have the attachment id
and be more restrictive.  This should not be a problem for normal
operations because:

- Cinder backup doesn't use the REST API but RPC calls via RabbitMQ
- Glance doesn't use this interface

Checking whether it's a service or not is done at the cinder-api level
by checking that the service user that made the call has at least one of
the roles in the `service_token_roles` configuration. These roles are
retrieved from keystone by the keystone middleware using the value of
the "X-Service-Token" header.

If Cinder is configured with `service_token_roles_required = true` and
an attacker provides non-service valid credentials the service will
return a 401 error, otherwise it'll return 409 as if a normal user had
made the call without the service token.

Closes-Bug: #2004555
Change-Id: I612905a1bf4a1706cce913c0d8a6df7a240d599a
(cherry picked from commit 6df1839bdf)
Conflicts:
        cinder/exception.py
(cherry picked from commit dd6010a9f7)
(cherry picked from commit cb4682fb83)
Conflicts:
        cinder/exception.py
(cherry picked from commit a66f4afa22)
Conflicts:
	cinder/compute/nova.py
	cinder/tests/unit/attachments/test_attachments_api.py
	cinder/volume/api.py
 		2023-05-10 20:01:48 +02:00
api-ref/source Reject unsafe delete attachment calls 2023-05-10 20:01:48 +02:00
cinder Reject unsafe delete attachment calls 2023-05-10 20:01:48 +02:00
contrib/block-box Remove Block Storage API v2 2021-06-04 17:21:28 -04:00
doc Reject unsafe delete attachment calls 2023-05-10 20:01:48 +02:00
etc/cinder Merge "Implement user visible extra specs" 2021-09-02 23:59:59 +00:00
playbooks Handle the case when tempest fails 2022-05-03 22:12:53 +02:00
rally-jobs Remove Block Storage API v2 2021-06-04 17:21:28 -04:00
releasenotes Reject unsafe delete attachment calls 2023-05-10 20:01:48 +02:00
roles Native multibackend-matrix Zuul v3 job 2021-09-08 01:05:44 +02:00
tools Native multibackend-matrix Zuul v3 job 2021-09-08 01:05:44 +02:00
.coveragerc Update .coveragerc after the removal of openstack directory 2016-10-17 19:09:37 +05:30
.gitignore Add mypy tox env 2020-10-14 08:24:13 -04:00
.gitreview Update .gitreview for stable/xena 2021-09-17 16:24:43 +00:00
.pylintrc pylint: Fix migration E1120 no-value-for-parameter 2021-04-16 13:05:21 +02:00
.stestr.conf Add .stestr.conf configuration 2017-10-10 00:46:42 +00:00
.zuul.yaml [stable-only] Pin tox <4 2023-01-04 18:12:10 -05:00
CONTRIBUTING.rst Ussuri contrib docs community goal 2020-03-05 14:11:48 -05:00
HACKING.rst Update HACKING document to match current checks 2020-04-17 15:09:13 +00:00
LICENSE Initial fork out of Nova. 2012-05-03 10:48:26 -07:00
README.rst Merge "Refactor README links" 2020-01-22 11:44:36 +00:00
bindep.txt Add libcgroup related packages in bindep.txt 2021-06-15 00:54:55 +00:00
driver-requirements.txt [Pure Storage] Fix minimum SDK version required 2021-06-28 18:40:25 -04:00
mypy-files.txt mypy: continued manager, scheduler, rpcapi 2021-08-11 08:36:09 -04:00
reno.yaml Update release note info 2021-04-16 11:11:41 -04:00
requirements.txt Use os-brick 5.0.1 2021-10-01 09:44:40 +00:00
setup.cfg [Pure Storage] Fix minimum SDK version required 2021-06-28 18:40:25 -04:00
setup.py Cleanup py27 support 2020-04-17 14:47:10 +02:00
test-requirements.txt Unpin flake8-logging-format 2022-08-09 08:21:24 -04:00
tox.ini [stable-only] Pin tox <4 2023-01-04 18:12:10 -05:00

README.rst

OpenStack Cinder

image

OpenStack Cinder is a storage service for an open cloud computing service.

You can learn more about Cinder at:

Getting Started

If you'd like to run from the master branch, you can clone the git repo:

git clone https://opendev.org/openstack/cinder

If you'd like to contribute, please see the information in CONTRIBUTING.rst

You can raise bugs on Launchpad

Python client

Python Cinderclient