dd6010a9f7
Due to how the Linux SCSI kernel driver works there are some storage
systems, such as iSCSI with shared targets, where a normal user can
access other projects' volume data connected to the same compute host
using the attachments REST API.
This affects both single and multi-pathed connections.
To prevent users from doing this, unintentionally or maliciously,
cinder-api will now reject some delete attachment requests that are
deemed unsafe.
Cinder will process the delete attachment request normally in the
following cases:
- The request comes from an OpenStack service that is sending the
service token that has one of the roles in `service_token_roles`.
- Attachment doesn't have an instance_uuid value
- The instance for the attachment doesn't exist in Nova
- According to Nova the volume is not connected to the instance
- Nova is not using this attachment record
There are 3 operations in the actions REST API endpoint that can be used
for an attack:
- `os-terminate_connection`: Terminate volume attachment
- `os-detach`: Detach a volume
- `os-force_detach`: Force detach a volume
In this endpoint we just won't allow most requests not coming from a
service. The rules we apply are the same as for attachment delete
explained earlier, but in this case we may not have the attachment id
and be more restrictive. This should not be a problem for normal
operations because:
- Cinder backup doesn't use the REST API but RPC calls via RabbitMQ
- Glance doesn't use this interface
Checking whether it's a service or not is done at the cinder-api level
by checking that the service user that made the call has at least one of
the roles in the `service_token_roles` configuration. These roles are
retrieved from keystone by the keystone middleware using the value of
the "X-Service-Token" header.
If Cinder is configured with `service_token_roles_required = true` and
an attacker provides valid non-service credentials, the service will
return a 401 error; otherwise it will return 409, as if a normal user had
made the call without the service token.
Closes-Bug: #2004555
Change-Id: I612905a1bf4a1706cce913c0d8a6df7a240d599a
(cherry picked from commit 6df1839bdf)
Conflicts:
cinder/exception.py
399 lines
8.6 KiB
ReStructuredText
.. -*- rst -*-

Attachments (attachments)
=========================

Lists all, lists all with details, shows details for, creates, and
deletes an attachment.

.. note:: Everything except for `Complete attachment` is new as of the 3.27
   microversion. `Complete attachment` is new as of the 3.44
   microversion.

When you create, list, update, or delete an attachment, the possible
status values are:

**VolumeAttachment statuses**

+-----------------+-------------------------------------------------+
| Status          | Description                                     |
+-----------------+-------------------------------------------------+
| attached        | A volume is attached for the attachment.        |
+-----------------+-------------------------------------------------+
| attaching       | A volume is attaching for the attachment.       |
+-----------------+-------------------------------------------------+
| detached        | A volume is detached for the attachment.        |
+-----------------+-------------------------------------------------+
| reserved        | A volume is reserved for the attachment.        |
+-----------------+-------------------------------------------------+
| error_attaching | A volume is error attaching for the attachment. |
+-----------------+-------------------------------------------------+
| error_detaching | A volume is error detaching for the attachment. |
+-----------------+-------------------------------------------------+
| deleted         | The attachment is deleted.                      |
+-----------------+-------------------------------------------------+


Delete attachment
~~~~~~~~~~~~~~~~~

.. rest_method:: DELETE /v3/{project_id}/attachments/{attachment_id}

Deletes an attachment.

For security reasons (see bug `#2004555
<https://bugs.launchpad.net/nova/+bug/2004555>`_) the Block Storage API rejects
REST API calls manually made from users with a 409 status code if there is a
Nova instance currently using the attachment, which happens when all the
following conditions are met:

- Attachment has an instance uuid
- VM exists in Nova
- Instance has the volume attached
- Attached volume in instance is using the attachment

Calls coming from other OpenStack services (like the Compute Service),
identified by a service token carrying one of the roles listed in the
``service_token_roles`` option, are always accepted.

Available starting in the 3.27 microversion.
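The four conditions above, together with the fuller rule set in the commit
message at the top of this page (which also covers the service-token check and
the 401/409 distinction), as an added example. This is not cinder's own code:
it models cinder-api's answer to a manual ``DELETE`` as a pure function over an
in-memory view of Nova. ``SERVICE_TOKEN_ROLES``, the ``Attachment`` and
``Request`` classes and the ``NOVA`` dictionary are constructed for
illustration, and the 401 branch stands in for what keystonemiddleware does
before the request ever reaches Cinder.

```python
"""Model of cinder-api's "is it safe to delete this attachment" check.

Added example: this is NOT cinder's implementation, only the decision
rules described in the docs and commit message expressed as runnable
code. The Nova lookup is a constructed in-memory dict, not an API call.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Hypothetical value of the [keystone_authtoken] service_token_roles option.
SERVICE_TOKEN_ROLES: Set[str] = {"service"}


@dataclass(frozen=True)
class Attachment:
    """The cinder attachment record the caller wants to delete."""
    id: str
    volume_id: str
    instance_uuid: Optional[str]  # None when not created for an instance


@dataclass(frozen=True)
class Request:
    """What cinder-api sees after keystonemiddleware processed the call.

    service_roles is None when no X-Service-Token header was sent;
    otherwise it holds the roles of the (valid) token in that header.
    """
    service_roles: Optional[Set[str]] = None


# Constructed Nova view: instance uuid -> {volume_id: attachment_id in use}.
# A missing instance means "doesn't exist in Nova"; a missing volume means
# "not connected to the instance according to Nova".
NovaView = Dict[str, Dict[str, str]]


def nova_is_using_attachment(att: Attachment, nova: NovaView) -> bool:
    """True only when all four 'reject' conditions from the docs hold."""
    if att.instance_uuid is None:            # attachment has no instance uuid
        return False
    volumes = nova.get(att.instance_uuid)
    if volumes is None:                      # instance doesn't exist in Nova
        return False
    attachment_in_use = volumes.get(att.volume_id)
    if attachment_in_use is None:            # volume not attached per Nova
        return False
    return attachment_in_use == att.id       # Nova may use another record


def is_service_call(req: Request) -> bool:
    """A call is a service call when its service token has a service role."""
    return bool(req.service_roles and req.service_roles & SERVICE_TOKEN_ROLES)


def delete_attachment_status(req: Request, att: Attachment, nova: NovaView,
                             service_token_roles_required: bool = True) -> int:
    """HTTP status cinder-api would answer for DELETE .../attachments/{id}."""
    # keystonemiddleware step: a present-but-wrong service token is rejected
    # outright with 401 when service_token_roles_required is true; when it
    # is false the request continues and is treated like a plain user call.
    if (req.service_roles is not None and service_token_roles_required
            and not is_service_call(req)):
        return 401
    if is_service_call(req):                 # e.g. Nova detaching a volume
        return 200
    if nova_is_using_attachment(att, nova):  # unsafe: host still uses the LUN
        return 409
    return 200


# Constructed scenario: instance i-1 has volume v-1 attached via attachment a-1.
NOVA: NovaView = {"i-1": {"v-1": "a-1"}}
LIVE = Attachment("a-1", "v-1", "i-1")
STALE = Attachment("a-0", "v-1", "i-1")      # older record Nova no longer uses
NOT_ATTACHED = Attachment("a-4", "v-9", "i-1")
NO_INSTANCE = Attachment("a-2", "v-2", None)
GONE = Attachment("a-3", "v-3", "i-deleted")

if __name__ == "__main__":
    user, nova_svc = Request(), Request({"service"})
    print(delete_attachment_status(user, LIVE, NOVA))          # 409
    print(delete_attachment_status(nova_svc, LIVE, NOVA))      # 200
    print(delete_attachment_status(user, STALE, NOVA))         # 200
    print(delete_attachment_status(user, NOT_ATTACHED, NOVA))  # 200
    print(delete_attachment_status(user, NO_INSTANCE, NOVA))   # 200
    print(delete_attachment_status(user, GONE, NOVA))          # 200
    forged = Request({"member"})               # valid token, non-service role
    print(delete_attachment_status(forged, LIVE, NOVA))        # 401
    print(delete_attachment_status(forged, LIVE, NOVA, False)) # 409
```

The point to take from the model is that the check is not an ownership check:
the attachment may belong to the caller's own project and the request is still
refused while Nova reports the volume as connected through that record, because
tearing the connection down under a running instance is what exposes other
projects' LUNs on the same host.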

Response codes
--------------

.. rest_status_code:: success ../status.yaml

   - 200

.. rest_status_code:: error ../status.yaml

   - 400
   - 404
   - 409


Request
-------

.. rest_parameters:: parameters.yaml

   - project_id: project_id_path
   - attachment_id: attachment_id_path


Show attachment details
~~~~~~~~~~~~~~~~~~~~~~~

.. rest_method:: GET /v3/{project_id}/attachments/{attachment_id}

Shows details for an attachment.

Available starting in the 3.27 microversion.

Response codes
--------------

.. rest_status_code:: success ../status.yaml

   - 200

.. rest_status_code:: error ../status.yaml

   - 400
   - 404


Request
-------

.. rest_parameters:: parameters.yaml

   - project_id: project_id_path
   - attachment_id: attachment_id_path


Response Parameters
-------------------

.. rest_parameters:: parameters.yaml

   - status: status_attachment
   - detached_at: detached_at
   - connection_info: connection_info
   - attached_at: attached_at
   - attach_mode: attach_mode_required
   - instance: instance_uuid_req
   - volume_id: volume_id_attachment
   - id: attachment_id_required

Response Example
----------------

.. literalinclude:: ./samples/attachment-show-response.json
   :language: javascript


List attachments with details
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. rest_method:: GET /v3/{project_id}/attachments/detail

Lists all attachments with details. Since v3.31, if non-admin users specify
invalid filters in the URL, the API returns a 400 (bad request) response.

Available starting in the 3.27 microversion.

Response codes
--------------

.. rest_status_code:: success ../status.yaml

   - 200

.. rest_status_code:: error ../status.yaml

   - 400

Request
-------

.. rest_parameters:: parameters.yaml

   - project_id: project_id_path
   - all_tenants: all-tenants
   - sort: sort
   - limit: limit
   - offset: offset
   - marker: marker


Response Parameters
-------------------

.. rest_parameters:: parameters.yaml

   - status: status_attachment
   - detached_at: detached_at
   - connection_info: connection_info
   - attached_at: attached_at
   - attach_mode: attach_mode_required
   - instance: instance_uuid_req
   - volume_id: volume_id_attachment
   - id: attachment_id_required

Response Example
----------------

.. literalinclude:: ./samples/attachment-list-detailed-response.json
   :language: javascript

List attachments
~~~~~~~~~~~~~~~~

.. rest_method:: GET /v3/{project_id}/attachments

Lists all attachments. Since v3.31, if non-admin users specify invalid
filters in the URL, the API returns a 400 (bad request) response.

Available starting in the 3.27 microversion.

Response codes
--------------

.. rest_status_code:: success ../status.yaml

   - 200

.. rest_status_code:: error ../status.yaml

   - 400


Request
-------

.. rest_parameters:: parameters.yaml

   - project_id: project_id_path
   - all_tenants: all-tenants
   - sort: sort
   - limit: limit
   - offset: offset
   - marker: marker


Response Parameters
-------------------

.. rest_parameters:: parameters.yaml

   - status: status_attachment
   - instance: instance_uuid_req
   - volume_id: volume_id_attachment
   - id: attachment_id_required


Response Example
----------------

.. literalinclude:: ./samples/attachment-list-response.json
   :language: javascript


Create attachment
~~~~~~~~~~~~~~~~~

.. rest_method:: POST /v3/{project_id}/attachments

Creates an attachment.

Available starting in the 3.27 microversion.

Response codes
--------------

.. rest_status_code:: success ../status.yaml

   - 200

.. rest_status_code:: error ../status.yaml

   - 400
   - 404


Request
-------

.. rest_parameters:: parameters.yaml

   - project_id: project_id_path
   - attachment: attachment
   - instance_uuid: instance_uuid
   - connector: connector
   - volume_uuid: volume_id_attachment
   - mode: attach_mode

Request Example
---------------

.. literalinclude:: ./samples/attachment-create-request.json
   :language: javascript

Response Parameters
-------------------

.. rest_parameters:: parameters.yaml

   - attachment: attachment
   - status: status_attachment
   - detached_at: detached_at
   - connection_info: connection_info
   - attached_at: attached_at
   - attach_mode: attach_mode_required
   - instance: instance_uuid_req
   - volume_id: volume_id_attachment
   - id: attachment_id_required

Response Example
----------------

.. literalinclude:: ./samples/attachment-create-response.json
   :language: javascript


Update an attachment
~~~~~~~~~~~~~~~~~~~~

.. rest_method:: PUT /v3/{project_id}/attachments/{attachment_id}

Updates a reserved attachment record with connector information
and sets up the appropriate connection_info from the driver.

Available starting in the 3.27 microversion.

Response codes
--------------

.. rest_status_code:: success ../status.yaml

   - 200

.. rest_status_code:: error ../status.yaml

   - 400
   - 404

Request
-------

.. rest_parameters:: parameters.yaml

   - project_id: project_id_path
   - attachment_id: attachment_id_path
   - attachment: attachment
   - connector: connector_required

Request Example
---------------

.. literalinclude:: ./samples/attachment-update-request.json
   :language: javascript

Response Parameters
-------------------

.. rest_parameters:: parameters.yaml

   - attachment: attachment
   - status: status_attachment
   - detached_at: detached_at
   - connection_info: connection_info
   - attached_at: attached_at
   - attach_mode: attach_mode_required
   - instance: instance_uuid_req
   - volume_id: volume_id_attachment
   - id: attachment_id_required

Response Example
----------------

.. literalinclude:: ./samples/attachment-update-response.json
   :language: javascript


Complete attachment
~~~~~~~~~~~~~~~~~~~

.. rest_method:: POST /v3/{project_id}/attachments/{attachment_id}/action

Completes an attachment for a cinder volume.

Available starting in the 3.44 microversion.

Response codes
--------------

.. rest_status_code:: success ../status.yaml

   - 204

.. rest_status_code:: error ../status.yaml

   - 400
   - 404


Request
-------

.. rest_parameters:: parameters.yaml

   - project_id: project_id_path
   - attachment_id: attachment_id_path

Request Example
---------------

.. literalinclude:: ./samples/attachment-complete.json
   :language: javascript