yahoo-eng-team team mailing list archive
Message #54873
[Bug 1611613] [NEW] python-cinderclient documentation unclear on Volume.attach
Public bug reported:
python-cinderclient ships a class cinderclient.v1.volumes.Volume which
has an 'attach' method, documented rather vaguely as "Set attachment
metadata.".
This method should not be called directly by API users when attempting
to attach a Cinder volume to a Nova instance, else the Nova and Cinder
databases will become inconsistent, as detailed at:
http://www.florentflament.com/blog/openstack-volume-in-use-although-vm-doesnt-exist.html
As far as I can tell, this API exists solely for use by consumers of
Cinder services such as Nova, so they can inform Cinder that they're now
using one of Cinder's volumes.
If this is true, then:
1. The documentation should state this; and
2. If all consumers of Cinder volumes already have an admin token (as Nova does), then this API should require such an admin token, to prevent cloud end-users from calling it.
Steps to reproduce:
See http://www.florentflament.com/blog/openstack-volume-in-use-although-vm-doesnt-exist.html
Expected results:
Nova and Cinder shall agree on whether or not a given volume is in use.
Unprivileged end users shall not be able to call APIs that aren't intended for their use.
Documentation shall contain useful information.
It shall not be possible for unprivileged end users to create inconsistent database data that require privilege to clean up.
Actual results:
Nova thinks the volume is not in use, but Cinder thinks it is, so the OpenStack deployment as a whole is confused about the state of the volume.
Unprivileged users can call an API that appears to only be intended for Nova's use.
Documentation doesn't communicate anything.
An unprivileged user can create inconsistent database data that require either OpenStack admin creds and 'cinder reset-state' or manual database changes to restore consistency.
Environment:
Liberty/KVM/Ceph/customised Neutron
** Affects: python-cinderclient
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1611613
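Added example, not part of the original bug report or of python-cinderclient: a reconciliation check an operator could run to find volumes in the inconsistent state the report describes, where Cinder records an attachment that Nova does not confirm. It assumes volume and server records have already been fetched as dictionaries shaped like the Cinder `attachments` list and the Nova `os-extended-volumes:volumes_attached` list; all IDs below are constructed sample data.

```python
# Constructed sample data (assumption: dicts shaped like Cinder volume
# records and Nova server records as returned by their REST APIs).
CINDER_VOLUMES = [
    {"id": "vol-a", "status": "in-use",
     "attachments": [{"server_id": "srv-1", "device": "/dev/vdb"}]},
    {"id": "vol-b", "status": "in-use",
     "attachments": [{"server_id": "srv-2", "device": "/dev/vdb"}]},
    {"id": "vol-c", "status": "in-use",
     "attachments": [{"server_id": "srv-gone", "device": "/dev/vdc"}]},
    {"id": "vol-d", "status": "available", "attachments": []},
    {"id": "vol-e", "status": "in-use", "attachments": []},
]
NOVA_SERVERS = [
    {"id": "srv-1", "os-extended-volumes:volumes_attached": [{"id": "vol-a"}]},
    {"id": "srv-2", "os-extended-volumes:volumes_attached": []},
]


def find_inconsistent_attachments(volumes, servers):
    """Return (volume_id, server_id, reason) for each Cinder-side
    attachment that Nova's view of its instances does not confirm."""
    # Map each instance Nova knows about to the set of volume IDs it lists.
    nova_view = {
        s["id"]: {v["id"] for v in
                  s.get("os-extended-volumes:volumes_attached", [])}
        for s in servers
    }
    findings = []
    for vol in volumes:
        attachments = vol.get("attachments") or []
        # Status says in-use but Cinder holds no attachment record at all.
        if vol.get("status") == "in-use" and not attachments:
            findings.append((vol["id"], None,
                             "in-use without attachment record"))
        for att in attachments:
            sid = att.get("server_id")
            if sid not in nova_view:
                findings.append((vol["id"], sid, "instance unknown to Nova"))
            elif vol["id"] not in nova_view[sid]:
                findings.append((vol["id"], sid,
                                 "instance does not list volume"))
    return findings


if __name__ == "__main__":
    for finding in find_inconsistent_attachments(CINDER_VOLUMES, NOVA_SERVERS):
        print(finding)
```

Each finding is a candidate for the admin-only cleanup the report mentions ('cinder reset-state'), after confirming on the hypervisor that the volume is really detached.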