author    Zuul <zuul@review.opendev.org>  2023-05-11 10:12:49 +0000
committer Gerrit Code Review <review@openstack.org>  2023-05-11 10:12:49 +0000
commit    456b6399bece9a9ac6274e56130cff6680d99096 (patch)
tree      5905f0a283cfdfc3246858b5bf036dd66a1e9cc0 /api-ref/source
parent    9e254521021cef0031537bc24d19dc4f08d2cb3c (diff)
parent    6df1839bdf288107c600b3e53dff7593a6d4c161 (diff)
Merge "Reject unsafe delete attachment calls"
Diffstat (limited to 'api-ref/source')

 api-ref/source/v3/attachments.inc                 | 15 +
 api-ref/source/v3/volumes-v3-volumes-actions.inc  | 55 +
 2 files changed, 70 insertions, 0 deletions
diff --git a/api-ref/source/v3/attachments.inc b/api-ref/source/v3/attachments.inc
index 87b57d609..cb3784865 100644
--- a/api-ref/source/v3/attachments.inc
+++ b/api-ref/source/v3/attachments.inc
@@ -41,6 +41,20 @@ Delete attachment
Deletes an attachment.
+For security reasons (see bug `#2004555
+<https://bugs.launchpad.net/nova/+bug/2004555>`_) the Block Storage API rejects
+REST API calls manually made from users with a 409 status code if there is a
+Nova instance currently using the attachment, which happens when all the
+following conditions are met:
+
+- Attachment has an instance uuid
+- VM exists in Nova
+- Instance has the volume attached
+- Attached volume in instance is using the attachment
+
+Calls coming from other OpenStack services (like the Compute Service) are
+always accepted.
+
Available starting in the 3.27 microversion.
Response codes
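Review bot: the sentence "Calls coming from other OpenStack services (like the Compute Service) are always accepted" never says how the Block Storage API tells a service call apart from a user call, so an operator reading this page cannot tell what has to be configured for Nova's own detach calls to keep working. State the mechanism the check relies on (for example, whether it keys on a Keystone service token or service role on the request) and spell out the consequence for a deployment that lacks it, namely that Nova's calls would also be answered with 409. Two wording nits in the same paragraph: "REST API calls manually made from users" reads awkwardly and is better as "calls made directly by a user rather than on their behalf by another service", and "which happens when all the following conditions are met" should be "which is the case when all of the following conditions are met".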
@@ -54,6 +68,7 @@ Response codes
- 400
- 404
+ - 409
Request
diff --git a/api-ref/source/v3/volumes-v3-volumes-actions.inc b/api-ref/source/v3/volumes-v3-volumes-actions.inc
index 808dcda8d..bb79e309b 100644
--- a/api-ref/source/v3/volumes-v3-volumes-actions.inc
+++ b/api-ref/source/v3/volumes-v3-volumes-actions.inc
@@ -337,6 +337,21 @@ Preconditions
- Volume status must be ``in-use``.
+For security reasons (see bug `#2004555
+<https://bugs.launchpad.net/nova/+bug/2004555>`_), regardless of the policy
+defaults, the Block Storage API rejects REST API calls manually made from
+users with a 409 status code if completing the request could pose a risk, which
+happens if all of these happen:
+
+- The request comes from a user
+- There's an instance uuid in provided attachment or in the volume's attachment
+- VM exists in Nova
+- Instance has the volume attached
+- Attached volume in instance is using the attachment
+
+Calls coming from other OpenStack services (like the Compute Service) are
+always accepted.
+
Response codes
--------------
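Review bot: the first bullet, "The request comes from a user", restates the condition already given in the introductory sentence ("REST API calls manually made from users"), so either drop the bullet or move the condition out of the sentence; the remaining four bullets are the same ones documented for Delete attachment in attachments.inc, which makes the duplication more visible. The bullet "There's an instance uuid in provided attachment or in the volume's attachment" is ambiguous for a multiattach volume with several attachments when no attachment identifier is supplied: say which attachment(s) are examined (all of them, or only the one that matches the instance named in the request). Finally, "which happens if all of these happen" should read "which is the case when all of the following hold".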
@@ -344,6 +359,9 @@ Response codes
- 202
+.. rest_status_code:: error ../status.yaml
+
+ - 409
Request
-------
@@ -415,6 +433,21 @@ perform this operation. Cloud providers can change these permissions
through the ``volume_extension:volume_admin_actions:force_detach`` rule in
the policy configuration file.
+For security reasons (see bug `#2004555
+<https://bugs.launchpad.net/nova/+bug/2004555>`_), regardless of the policy
+defaults, the Block Storage API rejects REST API calls manually made from
+users with a 409 status code if completing the request could pose a risk, which
+happens if all of these happen:
+
+- The request comes from a user
+- There's an instance uuid in provided attachment or in the volume's attachment
+- VM exists in Nova
+- Instance has the volume attached
+- Attached volume in instance is using the attachment
+
+Calls coming from other OpenStack services (like the Compute Service) are
+always accepted.
+
Response codes
--------------
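Review bot: this block is the os-detach paragraph pasted verbatim, but here it follows text saying that by default only administrators may perform the force-detach and that the ``volume_extension:volume_admin_actions:force_detach`` rule governs that; a reader may conclude that an admin token bypasses the new check. "regardless of the policy defaults" implies the opposite without stating it, so add one sentence saying the 409 is returned even to administrators when the listed conditions hold. Same wording nit as in the earlier copy: "happens if all of these happen" should be "is the case when all of the following hold".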
@@ -422,6 +455,9 @@ Response codes
- 202
+.. rest_status_code:: error ../status.yaml
+
+ - 409
Request
-------
@@ -883,6 +919,22 @@ Preconditions
- Volume status must be ``in-use``.
+For security reasons (see bug `#2004555
+<https://bugs.launchpad.net/nova/+bug/2004555>`_), regardless of the policy
+defaults, the Block Storage API rejects REST API calls manually made from
+users with a 409 status code if completing the request could pose a risk, which
+happens if all of these happen:
+
+- The request comes from a user
+- There's an instance uuid in the volume's attachment
+- VM exists in Nova
+- Instance has the volume attached
+- Attached volume in instance is using the attachment
+
+Calls coming from other OpenStack services (like the Compute Service) are
+always accepted.
+
+
Response codes
--------------
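Review bot: the added text ends with two consecutive blank lines (the two empty ``+`` lines before "Response codes"); reStructuredText needs only one, so drop the second. The condition list here reads "There's an instance uuid in the volume's attachment", while the two earlier copies say "in provided attachment or in the volume's attachment"; if this action takes no attachment identifier the shorter form is correct, but this is the third near-identical copy of the paragraph in one file and the copies have already begun to diverge, so consider a single ``.. include::`` or a shared substitution so future edits land in one place.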
@@ -890,6 +942,9 @@ Response codes
- 202
+.. rest_status_code:: error ../status.yaml
+
+ - 409
Request
-------