Comment 13 for bug 2019892

Reviewed: https://review.opendev.org/c/openstack/ironic/+/883580
Committed: https://opendev.org/openstack/ironic/commit/cb38746f71f5dfa346371bf06985bbbb2208af6e
Submitter: "Zuul (22348)"
Branch: stable/xena

commit cb38746f71f5dfa346371bf06985bbbb2208af6e
Author: Julia Kreger <email address hidden>
Date: Thu May 11 11:09:28 2023 -0700

    Fix Cinder Integration fallout from CVE-2023-2088

    In the recent change to cinder, to address CVE-2023-2088,
    cinder changed the policy rules and behavior for unbinding,
    or "detaching" a volume. This was because of a vulnerability
    in compute nodes where a volume which was in use by a VM
    could be detached outside of Nova, and nova wouldn't become
    aware the volume was detached, and the volume could be accessible
    to the next VM.

    This vulnerability doesn't apply to bare metal operations as
    volumes are attached to whole baremetal nodes with Ironic.

    We now generate and use a service token when interacting with
    Cinder which allows cinder to recognize "this request is
    coming from a fellow OpenStack service", and by-pass
    checking with Nova if the "instance" is managed by Nova,
    or Not. This allows the volumes to be attached, and detached
    as needed as part of the power operation flow and overall
    set of lifecycle operations.

    Note: This change is modified from the original upstream chnage
    becuse that change leverages the ability for a project_id value
    to no longer be required in the cinder URL for interactions with
    cinder, which was a requirement removed in Yoga.

    Related-Bug: 2004555
    Closes-Bug: 2019892

    Change-Id: Ib258bc9650496da989fc93b759b112d279c8b217
    (cherry picked from commit 9c0b4c90a19fc1db262a942a1b6a1baafc881ccc)