Public bug reported:

python-cinderclient ships a class cinderclient.v1.volumes.Volume which
has an 'attach' method, documented rather vaguely as "Set attachment
metadata.".

This method should not be called directly by API users when attempting
to attach a Cinder volume to a Nova instance, else the Nova and Cinder
databases will become inconsistent, as detailed at:

http://www.florentflament.com/blog/openstack-volume-in-use-although-vm-doesnt-exist.html

As far as I can tell, this API exists solely for use by consumers of
Cinder services such as Nova, so they can inform Cinder that they're now
using one of Cinder's volumes.

If this is true, then:
1. The documentation should state this; and
2. If all consumers of Cinder volumes already have an admin token (as Nova 
does), then this API should require such an admin token, to prevent cloud 
end-users from calling it.

Steps to reproduce:

See http://www.florentflament.com/blog/openstack-volume-in-use-although-vm-doesnt-exist.html

Expected results:

Nova and Cinder shall agree on whether or not a given volume is in use.
Unprivileged end users shall not be able to call APIs that aren't intended for 
their use.
Documentation shall contain useful information.
It shall not be possible for unprivileged end users to create inconsistent 
database data that require privilege to clean up.

Actual results:

Nova thinks the volume is not in use, but Cinder thinks it is, so the OpenStack 
deployment as a whole is confused about the state of the volume.
Unprivileged users can call an API that appears to only be intended for Nova's 
use.
Documentation doesn't communicate anything.
An unprivileged user can create inconsistent database data that require either 
OpenStack admin creds and 'cinder reset-state' or manual database changes to 
restore consistency.

Environment:

Liberty/KVM/Ceph/customised Neutron

** Affects: python-cinderclient
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1611613

Title:
  python-cinderclient documentation unclear on Volume.attach

Status in python-cinderclient:
  New
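
A read-only check for the Nova/Cinder mismatch described in this report, as an added example that is not part of the original bug report or of python-cinderclient. It assumes volume and server records shaped like the JSON returned by the Cinder and Nova detail listings (`status`, `attachments[].server_id`, `os-extended-volumes:volumes_attached`); all IDs and records are constructed sample data, and `find_inconsistent_volumes` is a hypothetical helper name.

```python
# Added example: offline reconciliation of Cinder's and Nova's attachment views.
# The records below are constructed sample data with placeholder IDs, shaped
# like the bodies of the Cinder "volumes/detail" and Nova "servers/detail" calls.

CINDER_VOLUMES = [
    {"id": "vol-aaa", "status": "in-use",
     "attachments": [{"server_id": "srv-1", "device": "/dev/vdb"}]},
    {"id": "vol-bbb", "status": "in-use",   # server no longer exists in Nova
     "attachments": [{"server_id": "srv-gone", "device": "/dev/vdb"}]},
    {"id": "vol-ccc", "status": "in-use",   # server exists, Nova lists no such volume
     "attachments": [{"server_id": "srv-2", "device": "/dev/vdc"}]},
    {"id": "vol-ddd", "status": "available", "attachments": []},
]

NOVA_SERVERS = [
    {"id": "srv-1", "os-extended-volumes:volumes_attached": [{"id": "vol-aaa"}]},
    {"id": "srv-2", "os-extended-volumes:volumes_attached": []},
]


def find_inconsistent_volumes(volumes, servers):
    """Return (volume_id, reason) pairs where Cinder's view disagrees with Nova's."""
    # Map each server Nova knows about to the set of volume IDs it reports.
    nova_view = {
        s["id"]: {v["id"] for v in s.get("os-extended-volumes:volumes_attached", [])}
        for s in servers
    }
    findings = []
    for vol in volumes:
        attachments = vol.get("attachments") or []
        if vol.get("status") == "in-use" and not attachments:
            findings.append((vol["id"], "in-use with no attachment record"))
        for att in attachments:
            server_id = att.get("server_id")
            if server_id not in nova_view:
                findings.append((vol["id"], f"attached to unknown server {server_id}"))
            elif vol["id"] not in nova_view[server_id]:
                findings.append((vol["id"], f"server {server_id} does not list this volume"))
    return findings


if __name__ == "__main__":
    for volume_id, reason in find_inconsistent_volumes(CINDER_VOLUMES, NOVA_SERVERS):
        print(f"{volume_id}: {reason}")
```

Any volume this reports still needs the cleanup the report names (admin credentials and 'cinder reset-state', or manual database changes); the check only locates the disagreement.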
