Cinder

Xena accept transfer policy breaks volume transfer workflow

Bug #1950474 reported by Lance Bragstad
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Cinder
Fix Released
High
Rajat Dhasmana
Cinder yoga-3 "20.0.0.0b3"
Xena
Fix Released
High
Rajat Dhasmana
Cinder 19.0.1 "xena-next"

Bug Description

We did a bunch of work during the Xena release to update the policies across cinder to support three consistent personas called project-admin, project-member, and project-reader.

These personas are inline with changes we're making across the rest of the OpenStack community for improving authorization user experience.

During the Xena cycle we updated the tranfer volume policy from being open to checking the user's project [0].

Unfortunately, this breaks the following work flow:

1. user in project foo puts a volume into transfer state
2. user in project foo gives volume ID to user in project bar to accept
3. user in project bar accepts the volume

Step 3 will fail because the user making the request has a token scoped to a project that isn't the volume's original project (foo).

Again, this didn't fail in the past since the policy defaulted to open (""). We should consider a policy change so that we don't break this flow since volume transfer is designed to share volumes between projects.

Sofia Enriquez (lsofia-enriquez)
Changed in cinder:
importance: Undecided → High
Sofia Enriquez (lsofia-enriquez)
tags: added: policy rbac
Brian Rosmaita (brian-rosmaita)
Changed in cinder:
assignee: nobody → Brian Rosmaita (brian-rosmaita)
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/cinder/+/824131

Brian Rosmaita (brian-rosmaita)
Changed in cinder:
assignee: Brian Rosmaita (brian-rosmaita) → nobody
assignee: nobody → Rajat Dhasmana (whoami-rajat)
milestone: none → yoga-3
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (master)

Reviewed: https://review.opendev.org/c/openstack/cinder/+/824131
Committed: https://opendev.org/openstack/cinder/commit/7ba9935a6e1e8a572391563927acb086fdbe5e5c
Submitter: "Zuul (22348)"
Branch: master

commit 7ba9935a6e1e8a572391563927acb086fdbe5e5c
Author: Rajat Dhasmana <email address hidden>
Date: Tue Jan 11 04:56:51 2022 -0500

    Volume transfers: Remove duplicate policy check

    There is an initial policy check in the transfers accept API[1]
    which validates correctly if the user is authorized to perform
    the operation or not. However, we've a duplicate check in the volume
    API layer which passes a target object (volume) while authorizing
    which is wrong for this API. While authorizing, we enforce check on
    the project id of the target object i.e. volume in this case which,
    before the transfer operation is completed, contains the project id
    of source project hence making the validation wrong.
    In the case of transfers API, any project is able to accept the transfer
    given they've the auth key required to secure the transfer accept
    So this patch removes the duplicate policy check.

    [1] https://opendev.org/openstack/cinder/src/branch/master/cinder/transfer/api.py#L225

    Closes-Bug: #1950474
    Change-Id: I3930bff90df835d9d8bbf7e6e91458db7e5654be

Changed in cinder:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/cinder/+/824474

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/cinder/+/825046

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/cinder/+/824474
Committed: https://opendev.org/openstack/cinder/commit/46415541a790869d9f5a5a5cc821852730b98149
Submitter: "Zuul (22348)"
Branch: stable/xena

commit 46415541a790869d9f5a5a5cc821852730b98149
Author: Rajat Dhasmana <email address hidden>
Date: Tue Jan 11 04:56:51 2022 -0500

    Volume transfers: Remove duplicate policy check

    There is an initial policy check in the transfers accept API[1]
    which validates correctly if the user is authorized to perform
    the operation or not. However, we've a duplicate check in the volume
    API layer which passes a target object (volume) while authorizing
    which is wrong for this API. While authorizing, we enforce check on
    the project id of the target object i.e. volume in this case which,
    before the transfer operation is completed, contains the project id
    of source project hence making the validation wrong.
    In the case of transfers API, any project is able to accept the transfer
    given they've the auth key required to secure the transfer accept
    So this patch removes the duplicate policy check.

    [1] https://opendev.org/openstack/cinder/src/branch/master/cinder/transfer/api.py#L225

    Conflicts:
          cinder/volume/api.py

    Closes-Bug: #1950474
    Change-Id: I3930bff90df835d9d8bbf7e6e91458db7e5654be
    (cherry picked from commit 7ba9935a6e1e8a572391563927acb086fdbe5e5c)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/cinder/+/825046
Committed: https://opendev.org/openstack/cinder/commit/b86da5d4073d9c50aed90c4d6ae6884138be6b06
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit b86da5d4073d9c50aed90c4d6ae6884138be6b06
Author: Rajat Dhasmana <email address hidden>
Date: Tue Jan 11 04:56:51 2022 -0500

    Volume transfers: Remove duplicate policy check

    There is an initial policy check in the transfers accept API[1]
    which validates correctly if the user is authorized to perform
    the operation or not. However, we've a duplicate check in the volume
    API layer which passes a target object (volume) while authorizing
    which is wrong for this API. While authorizing, we enforce check on
    the project id of the target object i.e. volume in this case which,
    before the transfer operation is completed, contains the project id
    of source project hence making the validation wrong.
    In the case of transfers API, any project is able to accept the transfer
    given they've the auth key required to secure the transfer accept
    So this patch removes the duplicate policy check.

    [1] https://opendev.org/openstack/cinder/src/branch/master/cinder/transfer/api.py#L225

    Closes-Bug: #1950474
    Change-Id: I3930bff90df835d9d8bbf7e6e91458db7e5654be
    (cherry picked from commit 7ba9935a6e1e8a572391563927acb086fdbe5e5c)
    (cherry picked from commit 46415541a790869d9f5a5a5cc821852730b98149)

tags: added: in-stable-wallaby
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (stable/victoria)

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/cinder/+/827242

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (stable/victoria)

Reviewed: https://review.opendev.org/c/openstack/cinder/+/827242
Committed: https://opendev.org/openstack/cinder/commit/4115ca21f2c4b33e7aa33a80b41c5546ea92d563
Submitter: "Zuul (22348)"
Branch: stable/victoria

commit 4115ca21f2c4b33e7aa33a80b41c5546ea92d563
Author: Rajat Dhasmana <email address hidden>
Date: Tue Jan 11 04:56:51 2022 -0500

    Volume transfers: Remove duplicate policy check

    There is an initial policy check in the transfers accept API[1]
    which validates correctly if the user is authorized to perform
    the operation or not. However, we've a duplicate check in the volume
    API layer which passes a target object (volume) while authorizing
    which is wrong for this API. While authorizing, we enforce check on
    the project id of the target object i.e. volume in this case which,
    before the transfer operation is completed, contains the project id
    of source project hence making the validation wrong.
    In the case of transfers API, any project is able to accept the transfer
    given they've the auth key required to secure the transfer accept
    So this patch removes the duplicate policy check.

    [1] https://opendev.org/openstack/cinder/src/branch/master/cinder/transfer/api.py#L225

    Closes-Bug: #1950474
    Change-Id: I3930bff90df835d9d8bbf7e6e91458db7e5654be
    (cherry picked from commit 7ba9935a6e1e8a572391563927acb086fdbe5e5c)
    (cherry picked from commit 46415541a790869d9f5a5a5cc821852730b98149)
    (cherry picked from commit b86da5d4073d9c50aed90c4d6ae6884138be6b06)

tags: added: in-stable-victoria
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 19.1.0

This issue was fixed in the openstack/cinder 19.1.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 18.2.0

This issue was fixed in the openstack/cinder 18.2.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 17.3.0

This issue was fixed in the openstack/cinder 17.3.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/cinder 20.0.0.0rc1

This issue was fixed in the openstack/cinder 20.0.0.0rc1 release candidate.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.