cinder/doc
Gorka Eguileor dd6010a9f7 Reject unsafe delete attachment calls
Due to how the Linux SCSI kernel driver works there are some storage
systems, such as iSCSI with shared targets, where a normal user can
access other projects' volume data connected to the same compute host
using the attachments REST API.

This affects both single and multi-pathed connections.

To prevent users from doing this, unintentionally or maliciously,
cinder-api will now reject some delete attachment requests that are
deemed unsafe.

Cinder will process the delete attachment request normally in the
following cases:

- The request comes from an OpenStack service that is sending the
  service token that has one of the roles in `service_token_roles`.
- Attachment doesn't have an instance_uuid value
- The instance for the attachment doesn't exist in Nova
- According to Nova the volume is not connected to the instance
- Nova is not using this attachment record

There are 3 operations in the actions REST API endpoint that can be used
for an attack:

- `os-terminate_connection`: Terminate volume attachment
- `os-detach`: Detach a volume
- `os-force_detach`: Force detach a volume

In this endpoint we just won't allow most requests not coming from a
service. The rules we apply are the same as for attachment delete
explained earlier, but in this case we may not have the attachment id
and be more restrictive.  This should not be a problem for normal
operations because:

- Cinder backup doesn't use the REST API but RPC calls via RabbitMQ
- Glance doesn't use this interface

Checking whether it's a service or not is done at the cinder-api level
by checking that the service user that made the call has at least one of
the roles in the `service_token_roles` configuration. These roles are
retrieved from keystone by the keystone middleware using the value of
the "X-Service-Token" header.

If Cinder is configured with `service_token_roles_required = true` and
an attacker provides non-service valid credentials the service will
return a 401 error, otherwise it'll return 409 as if a normal user had
made the call without the service token.

Closes-Bug: #2004555
Change-Id: I612905a1bf4a1706cce913c0d8a6df7a240d599a
(cherry picked from commit 6df1839bdf)
Conflicts:
	cinder/exception.py
2023-05-10 19:52:39 +02:00
..
ext Make docs build parallel 2020-10-22 10:28:01 -05:00
source Reject unsafe delete attachment calls 2023-05-10 19:52:39 +02:00
test docs: Remove unnecessary 'blockstorage-' prefix 2022-02-20 19:06:32 +00:00
.gitignore Make doc/source directory compliant with design in spec 2017-07-19 15:59:02 -05:00
README.rst Update and replace http with https for doc links in Cinder 2017-07-27 09:58:23 +00:00
requirements.txt docs: Add whereto for testing redirect rules 2022-02-20 19:05:46 +00:00

Cinder Development Docs

Files under this directory tree are used for generating the documentation for the Cinder source code.

Developer documentation is built to: https://docs.openstack.org/cinder/latest/

Tools

Sphinx

The Python Sphinx package is used to generate the documentation output. Information on Sphinx, including formatting information for RST source files, can be found in the Sphinx online documentation.

Graphviz

Some of the diagrams are generated using the dot language from Graphviz. See the Graphviz documentation for Graphviz and dot language usage information.

Building Documentation

Doc builds are performed using tox with the docs target:

% cd ..
% tox -e docs