Fix Cinder Integration fallout from CVE-2023-2088
In the recent change to cinder, to address CVE-2023-2088, cinder changed the policy rules and behavior for unbinding, or "detaching" a volume. This was because of a vulnerability in compute nodes where a volume which was in use by a VM could be detached outside of Nova, and nova wouldn't become aware the volume was detached, and the volume could be accessible to the next VM. This vulnerability doesn't apply to bare metal operations as volumes are attached to whole baremetal nodes with Ironic. We now generate and use a service token when interacting with Cinder which allows cinder to recognize "this request is coming from a fellow OpenStack service", and by-pass checking with Nova if the "instance" is managed by Nova, or Not. This allows the volumes to be attached, and detached as needed as part of the power operation flow and overall set of lifecycle operations. Related-Bug: 2004555 Closes-Bug: 2019892 Change-Id: Ib258bc9650496da989fc93b759b112d279c8b217
This commit is contained in:
parent
912dcbbdc9
commit
9c0b4c90a1
@ -1625,7 +1625,7 @@ EOF
|
|||||||
function configure_ironic_api {
|
function configure_ironic_api {
|
||||||
iniset $IRONIC_CONF_FILE DEFAULT auth_strategy $IRONIC_AUTH_STRATEGY
|
iniset $IRONIC_CONF_FILE DEFAULT auth_strategy $IRONIC_AUTH_STRATEGY
|
||||||
configure_keystone_authtoken_middleware $IRONIC_CONF_FILE ironic
|
configure_keystone_authtoken_middleware $IRONIC_CONF_FILE ironic
|
||||||
|
iniset $IRONIC_CONF_FILE keystone_authtoken service_token_roles_required True
|
||||||
if [[ "$IRONIC_USE_WSGI" == "True" ]]; then
|
if [[ "$IRONIC_USE_WSGI" == "True" ]]; then
|
||||||
iniset $IRONIC_CONF_FILE oslo_middleware enable_proxy_headers_parsing True
|
iniset $IRONIC_CONF_FILE oslo_middleware enable_proxy_headers_parsing True
|
||||||
elif is_service_enabled tls-proxy; then
|
elif is_service_enabled tls-proxy; then
|
||||||
|
@ -19,6 +19,7 @@ from cinderclient import exceptions as cinder_exceptions
|
|||||||
from cinderclient.v3 import client
|
from cinderclient.v3 import client
|
||||||
from oslo_log import log
|
from oslo_log import log
|
||||||
|
|
||||||
|
from ironic.common import context as ironic_context
|
||||||
from ironic.common import exception
|
from ironic.common import exception
|
||||||
from ironic.common.i18n import _
|
from ironic.common.i18n import _
|
||||||
from ironic.common import keystone
|
from ironic.common import keystone
|
||||||
@ -39,30 +40,67 @@ def _get_cinder_session():
|
|||||||
return _CINDER_SESSION
|
return _CINDER_SESSION
|
||||||
|
|
||||||
|
|
||||||
def get_client(context):
|
def get_client(context, auth_from_config=False):
|
||||||
"""Get a cinder client connection.
|
"""Get a cinder client connection.
|
||||||
|
|
||||||
:param context: request context,
|
:param context: request context,
|
||||||
instance of ironic.common.context.RequestContext
|
instance of ironic.common.context.RequestContext
|
||||||
|
:param auth_from_config: (boolean) When True, use auth values from
|
||||||
|
conf parameters
|
||||||
:returns: A cinder client.
|
:returns: A cinder client.
|
||||||
"""
|
"""
|
||||||
service_auth = keystone.get_auth('cinder')
|
service_auth = keystone.get_auth('cinder')
|
||||||
session = _get_cinder_session()
|
session = _get_cinder_session()
|
||||||
|
# Used the service cached session to get the endpoint
|
||||||
# TODO(pas-ha) use versioned endpoint data to select required
|
# because getting an endpoint requires auth!
|
||||||
# cinder api version
|
endpoint = keystone.get_endpoint('cinder', session=session,
|
||||||
cinder_url = keystone.get_endpoint('cinder', session=session,
|
|
||||||
auth=service_auth)
|
auth=service_auth)
|
||||||
# TODO(pas-ha) investigate possibility of passing a user context here,
|
project_id = None
|
||||||
# similar to what neutron/glance-related code does
|
if hasattr(service_auth, 'get_project_id'):
|
||||||
|
# Being moderately defensive so we don't have to mock this in
|
||||||
|
# every cinder unit test.
|
||||||
|
project_id = service_auth.get_project_id(session)
|
||||||
|
if project_id and project_id in str(endpoint):
|
||||||
|
# We've found the project ID in the endpoint URL due to the
|
||||||
|
# endpoint configuration, however this is not required in
|
||||||
|
# more modern versions of cinder, and if you attempt to access
|
||||||
|
# a resource with a project ID in the URL, and with a service
|
||||||
|
# token, the request gets a Bad Request response.
|
||||||
|
# This works starting at Cinder microversion 3.67 - Yoga.
|
||||||
|
endpoint = endpoint.replace("/%s" % project_id, "")
|
||||||
|
|
||||||
|
if not context:
|
||||||
|
context = ironic_context.RequestContext(auth_token=None)
|
||||||
|
|
||||||
|
user_auth = None
|
||||||
|
if CONF.cinder.auth_type != 'none' and context.auth_token:
|
||||||
|
user_auth = keystone.get_service_auth(
|
||||||
|
context, endpoint, service_auth,
|
||||||
|
only_service_auth=auth_from_config)
|
||||||
|
|
||||||
|
if auth_from_config:
|
||||||
|
# If we are here, then we've been requested to *only* use our supplied
|
||||||
|
sess = keystone.get_session('cinder', timeout=CONF.cinder.timeout,
|
||||||
|
auth=service_auth)
|
||||||
|
else:
|
||||||
|
sess = keystone.get_session('cinder', timeout=CONF.cinder.timeout,
|
||||||
|
auth=user_auth or service_auth)
|
||||||
|
|
||||||
|
# Re-determine the endpoint so we can work with versions prior to
|
||||||
|
# Yoga, becuase the endpoint, based upon configuration, may require
|
||||||
|
# project_id specific URLs.
|
||||||
|
if user_auth:
|
||||||
|
endpoint = keystone.get_endpoint('cinder', session=sess,
|
||||||
|
auth=user_auth)
|
||||||
|
|
||||||
# NOTE(pas-ha) cinderclient has both 'connect_retries' (passed to
|
# NOTE(pas-ha) cinderclient has both 'connect_retries' (passed to
|
||||||
# ksa.Adapter) and 'retries' (used in its subclass of ksa.Adapter) options.
|
# ksa.Adapter) and 'retries' (used in its subclass of ksa.Adapter) options.
|
||||||
# The first governs retries on establishing the HTTP connection,
|
# The first governs retries on establishing the HTTP connection,
|
||||||
# the second governs retries on OverLimit exceptions from API.
|
# the second governs retries on OverLimit exceptions from API.
|
||||||
# The description of [cinder]/retries fits the first,
|
# The description of [cinder]/retries fits the first,
|
||||||
# so this is what we pass.
|
# so this is what we pass.
|
||||||
return client.Client(session=session, auth=service_auth,
|
return client.Client(session=sess, auth=user_auth,
|
||||||
endpoint_override=cinder_url,
|
endpoint_override=endpoint,
|
||||||
connect_retries=CONF.cinder.retries,
|
connect_retries=CONF.cinder.retries,
|
||||||
global_request_id=context.global_id)
|
global_request_id=context.global_id)
|
||||||
|
|
||||||
@ -134,17 +172,21 @@ def _create_metadata_dictionary(node, action):
|
|||||||
return {label: json.dumps(data)}
|
return {label: json.dumps(data)}
|
||||||
|
|
||||||
|
|
||||||
def _init_client(task):
|
def _init_client(task, auth_from_config=False):
|
||||||
"""Obtain cinder client and return it for use.
|
"""Obtain cinder client and return it for use.
|
||||||
|
|
||||||
:param task: TaskManager instance representing the operation.
|
:param task: TaskManager instance representing the operation.
|
||||||
|
:param auth_from_config: If we should source our authentication parameters
|
||||||
|
from the configured service as opposed to request
|
||||||
|
context.
|
||||||
|
|
||||||
:returns: A cinder client.
|
:returns: A cinder client.
|
||||||
:raises: StorageError If an exception is encountered creating the client.
|
:raises: StorageError If an exception is encountered creating the client.
|
||||||
"""
|
"""
|
||||||
node = task.node
|
node = task.node
|
||||||
try:
|
try:
|
||||||
return get_client(task.context)
|
return get_client(task.context,
|
||||||
|
auth_from_config=auth_from_config)
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
msg = (_('Failed to initialize cinder client for operations on node '
|
msg = (_('Failed to initialize cinder client for operations on node '
|
||||||
'%(uuid)s: %(err)s') % {'uuid': node.uuid, 'err': e})
|
'%(uuid)s: %(err)s') % {'uuid': node.uuid, 'err': e})
|
||||||
@ -238,8 +280,9 @@ def attach_volumes(task, volume_list, connector):
|
|||||||
}]
|
}]
|
||||||
"""
|
"""
|
||||||
node = task.node
|
node = task.node
|
||||||
|
LOG.debug('Initializing volume attach for node %(node)s.',
|
||||||
|
{'node': node.uuid})
|
||||||
client = _init_client(task)
|
client = _init_client(task)
|
||||||
|
|
||||||
connected = []
|
connected = []
|
||||||
for volume_id in volume_list:
|
for volume_id in volume_list:
|
||||||
try:
|
try:
|
||||||
@ -367,8 +410,10 @@ def detach_volumes(task, volume_list, connector, allow_errors=False):
|
|||||||
LOG.error(msg)
|
LOG.error(msg)
|
||||||
raise exception.StorageError(msg)
|
raise exception.StorageError(msg)
|
||||||
|
|
||||||
client = _init_client(task)
|
client = _init_client(task, auth_from_config=False)
|
||||||
node = task.node
|
node = task.node
|
||||||
|
LOG.debug('Initializing volume detach for node %(node)s.',
|
||||||
|
{'node': node.uuid})
|
||||||
|
|
||||||
for volume_id in volume_list:
|
for volume_id in volume_list:
|
||||||
try:
|
try:
|
||||||
|
@ -125,7 +125,8 @@ def get_endpoint(group, **adapter_kwargs):
|
|||||||
return result
|
return result
|
||||||
|
|
||||||
|
|
||||||
def get_service_auth(context, endpoint, service_auth):
|
def get_service_auth(context, endpoint, service_auth,
|
||||||
|
only_service_auth=False):
|
||||||
"""Create auth plugin wrapping both user and service auth.
|
"""Create auth plugin wrapping both user and service auth.
|
||||||
|
|
||||||
When properly configured and using auth_token middleware,
|
When properly configured and using auth_token middleware,
|
||||||
@ -134,8 +135,25 @@ def get_service_auth(context, endpoint, service_auth):
|
|||||||
|
|
||||||
Ideally we would use the plugin provided by auth_token middleware
|
Ideally we would use the plugin provided by auth_token middleware
|
||||||
however this plugin isn't serialized yet.
|
however this plugin isn't serialized yet.
|
||||||
|
|
||||||
|
:param context: The RequestContext instance from which the user
|
||||||
|
auth_token is extracted.
|
||||||
|
:param endpoint: The requested endpoint to be utilized.
|
||||||
|
:param service_auth: The service authenticaiton credentals to be
|
||||||
|
used.
|
||||||
|
:param only_service_auth: Boolean, default False. When set to True,
|
||||||
|
the resulting Service token pair is generated
|
||||||
|
as if it originates from the user itself.
|
||||||
|
Useful to cast admin level operations which are
|
||||||
|
launched by Ironic itself, as opposed to user
|
||||||
|
initiated requests.
|
||||||
|
:returns: Returns a service token via the ServiceTokenAuthWrapper
|
||||||
|
class.
|
||||||
"""
|
"""
|
||||||
# TODO(pas-ha) use auth plugin from context when it is available
|
user_auth = None
|
||||||
|
if not only_service_auth:
|
||||||
user_auth = token_endpoint.Token(endpoint, context.auth_token)
|
user_auth = token_endpoint.Token(endpoint, context.auth_token)
|
||||||
|
else:
|
||||||
|
user_auth = service_auth
|
||||||
return service_token.ServiceTokenAuthWrapper(user_auth=user_auth,
|
return service_token.ServiceTokenAuthWrapper(user_auth=user_auth,
|
||||||
service_auth=service_auth)
|
service_auth=service_auth)
|
||||||
|
@ -58,8 +58,7 @@ class TestCinderSession(base.TestCase):
|
|||||||
@mock.patch('ironic.common.keystone.get_adapter', autospec=True)
|
@mock.patch('ironic.common.keystone.get_adapter', autospec=True)
|
||||||
@mock.patch('ironic.common.keystone.get_service_auth', autospec=True,
|
@mock.patch('ironic.common.keystone.get_service_auth', autospec=True,
|
||||||
return_value=mock.sentinel.sauth)
|
return_value=mock.sentinel.sauth)
|
||||||
@mock.patch('ironic.common.keystone.get_auth', autospec=True,
|
@mock.patch('ironic.common.keystone.get_auth', autospec=True)
|
||||||
return_value=mock.sentinel.auth)
|
|
||||||
@mock.patch('ironic.common.keystone.get_session', autospec=True,
|
@mock.patch('ironic.common.keystone.get_session', autospec=True,
|
||||||
return_value=mock.sentinel.session)
|
return_value=mock.sentinel.session)
|
||||||
@mock.patch.object(cinderclient.Client, '__init__', autospec=True,
|
@mock.patch.object(cinderclient.Client, '__init__', autospec=True,
|
||||||
@ -74,8 +73,11 @@ class TestCinderClient(base.TestCase):
|
|||||||
cinder._CINDER_SESSION = None
|
cinder._CINDER_SESSION = None
|
||||||
self.context = context.RequestContext(global_request_id='global')
|
self.context = context.RequestContext(global_request_id='global')
|
||||||
|
|
||||||
def _assert_client_call(self, init_mock, url, auth=mock.sentinel.auth):
|
def _assert_client_call(self, init_mock, url, auth=mock.sentinel.auth,
|
||||||
cinder.get_client(self.context)
|
auth_from_config=None):
|
||||||
|
if not auth_from_config:
|
||||||
|
self.context.auth_token = 'meow'
|
||||||
|
cinder.get_client(self.context, auth_from_config=auth_from_config)
|
||||||
init_mock.assert_called_once_with(
|
init_mock.assert_called_once_with(
|
||||||
mock.ANY,
|
mock.ANY,
|
||||||
session=mock.sentinel.session,
|
session=mock.sentinel.session,
|
||||||
@ -86,15 +88,45 @@ class TestCinderClient(base.TestCase):
|
|||||||
|
|
||||||
def test_get_client(self, mock_client_init, mock_session, mock_auth,
|
def test_get_client(self, mock_client_init, mock_session, mock_auth,
|
||||||
mock_sauth, mock_adapter):
|
mock_sauth, mock_adapter):
|
||||||
|
mock_auth.return_value = mock_auth_obj = mock.Mock()
|
||||||
|
mock_auth_obj.get_project_id.return_value = '1111'
|
||||||
mock_adapter.return_value = mock_adapter_obj = mock.Mock()
|
mock_adapter.return_value = mock_adapter_obj = mock.Mock()
|
||||||
mock_adapter_obj.get_endpoint.return_value = 'cinder_url'
|
mock_adapter_obj.get_endpoint.side_effect = iter([
|
||||||
self._assert_client_call(mock_client_init, 'cinder_url')
|
'cinder_url/1111',
|
||||||
mock_session.assert_called_once_with('cinder')
|
'cinder_url'])
|
||||||
|
self._assert_client_call(mock_client_init, 'cinder_url',
|
||||||
|
auth=mock.sentinel.sauth)
|
||||||
|
mock_session.assert_has_calls([
|
||||||
|
mock.call('cinder'),
|
||||||
|
mock.call('cinder', timeout=1, auth=mock.sentinel.sauth)])
|
||||||
mock_auth.assert_called_once_with('cinder')
|
mock_auth.assert_called_once_with('cinder')
|
||||||
mock_adapter.assert_called_once_with('cinder',
|
mock_adapter.assert_has_calls([
|
||||||
session=mock.sentinel.session,
|
mock.call('cinder', session=mock.sentinel.session,
|
||||||
auth=mock.sentinel.auth)
|
auth=mock_auth_obj),
|
||||||
|
|
||||||
|
mock.call('cinder', session=mock.sentinel.session,
|
||||||
|
auth=mock.sentinel.sauth)])
|
||||||
|
self.assertTrue(mock_sauth.called)
|
||||||
|
|
||||||
|
def test_get_client_service_token(self, mock_client_init, mock_session,
|
||||||
|
mock_auth, mock_sauth, mock_adapter):
|
||||||
|
mock_auth.return_value = mock_auth_obj = mock.Mock()
|
||||||
|
mock_auth_obj.get_project_id.return_value = '1111'
|
||||||
|
mock_adapter.return_value = mock_adapter_obj = mock.Mock()
|
||||||
|
mock_adapter_obj.get_endpoint.side_effect = iter([
|
||||||
|
'cinder_url/1111',
|
||||||
|
'cinder_url'])
|
||||||
|
self._assert_client_call(
|
||||||
|
mock_client_init,
|
||||||
|
'cinder_url',
|
||||||
|
auth=None,
|
||||||
|
auth_from_config=True)
|
||||||
|
mock_session.assert_has_calls([
|
||||||
|
mock.call('cinder'),
|
||||||
|
mock.call('cinder', timeout=1, auth=mock_auth_obj)])
|
||||||
|
mock_auth.assert_called_once_with('cinder')
|
||||||
|
mock_adapter.assert_called_once_with(
|
||||||
|
'cinder', session=mock.sentinel.session, auth=mock_auth_obj)
|
||||||
self.assertFalse(mock_sauth.called)
|
self.assertFalse(mock_sauth.called)
|
||||||
|
|
||||||
|
|
||||||
|
16
releasenotes/notes/cinder-2019892-6b5a9de5c5f05aa6.yaml
Normal file
16
releasenotes/notes/cinder-2019892-6b5a9de5c5f05aa6.yaml
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
Fixes Ironic integration with Cinder because of changes which resulted as
|
||||||
|
part of the recent Security related fix in
|
||||||
|
`bug 2004555 <https://launchpad.net/bugs/2004555>`_. The work in Ironic
|
||||||
|
to track this fix was logged in
|
||||||
|
`bug 2019892 <https://bugs.launchpad.net/ironic/+bug/2019892>`_.
|
||||||
|
Ironic now sends a service token to Cinder, which allows for access
|
||||||
|
restrictions added as part of the original CVE-2023-2088
|
||||||
|
fix to be appropriately bypassed. Ironic was not vulnerable,
|
||||||
|
but the restrictions added as a result did impact Ironic's usage.
|
||||||
|
This is because Ironic volume attachments are not on a shared
|
||||||
|
"compute node", but instead mapped to the physical machines
|
||||||
|
and Ironic handles the attachment life-cycle after initial
|
||||||
|
attachment.
|
@ -32,13 +32,7 @@
|
|||||||
- ironic-tempest-ipa-wholedisk-direct-tinyipa-multinode:
|
- ironic-tempest-ipa-wholedisk-direct-tinyipa-multinode:
|
||||||
voting: false
|
voting: false
|
||||||
- ironic-tempest-bios-ipmi-direct-tinyipa
|
- ironic-tempest-bios-ipmi-direct-tinyipa
|
||||||
# Currently broken, fallout from OSSA-2023-003 which was a breaking
|
- ironic-tempest-bfv
|
||||||
# change. Ironic needs to ensure we use a service token, not the
|
|
||||||
# admin token credentials, and we then may need to revise our tempest
|
|
||||||
# plugin once we have that sorted.
|
|
||||||
# bugs.launchpad.net/ironic/+bug/2019892
|
|
||||||
- ironic-tempest-bfv:
|
|
||||||
voting: false
|
|
||||||
- ironic-tempest-ipa-partition-uefi-pxe-grub2
|
- ironic-tempest-ipa-partition-uefi-pxe-grub2
|
||||||
- metalsmith-integration-glance-centos8-legacy
|
- metalsmith-integration-glance-centos8-legacy
|
||||||
# Non-voting jobs
|
# Non-voting jobs
|
||||||
@ -86,10 +80,7 @@
|
|||||||
# seeming to be
|
# seeming to be
|
||||||
# - ironic-tempest-ipa-wholedisk-direct-tinyipa-multinode
|
# - ironic-tempest-ipa-wholedisk-direct-tinyipa-multinode
|
||||||
- ironic-tempest-bios-ipmi-direct-tinyipa
|
- ironic-tempest-bios-ipmi-direct-tinyipa
|
||||||
# NOTE(TheJulia): Disabled as of 20230516 until we can get the
|
- ironic-tempest-bfv
|
||||||
# Cinder boot from volume integration sorted.
|
|
||||||
# https://bugs.launchpad.net/ironic/+bug/2019892
|
|
||||||
# - ironic-tempest-bfv
|
|
||||||
- ironic-tempest-ipa-partition-uefi-pxe-grub2
|
- ironic-tempest-ipa-partition-uefi-pxe-grub2
|
||||||
- metalsmith-integration-glance-centos8-legacy
|
- metalsmith-integration-glance-centos8-legacy
|
||||||
experimental:
|
experimental:
|
||||||
|
Loading…
Reference in New Issue
Block a user