Reset state robustification

Co-authored-by: Eric Harney <eharney@redhat.com>

Change-Id: I7a32f05499406d5911e60d219ffb254b24b7d929

specs/wallaby/reset-state-robustification.rst

@@ -0,0 +1,158 @@
+..
+ This work is licensed under a Creative Commons Attribution 3.0 Unported
+ License.
+
+ http://creativecommons.org/licenses/by/3.0/legalcode
+
+===========================
+Reset State Robustification
+===========================
+
+https://blueprints.launchpad.net/cinder/+spec/reset-state-robustification
+
+Problem description
+===================
+
+I have seen a number of users get volumes into "invalid" states by
+not understanding how resetting the state of a volume interacts
+with resetting the state of attachments.
+
+For example, on a volume with an attachment, run
+"cinder reset-state --state available <vol>"
+
+What now?
+
+Use Cases
+=========
+
+Help prevent users who aren't Cinder experts from shooting themselves
+in the foot with reset-state.
+
+Proposed change
+===============
+
+If a user requests to reset the state of a volume to something that
+Cinder knows is not a valid state of the universe, reject the request
+with a reason.
+
+If volume1 has an attachment active.
+$ cinder reset-state --state available volume1
+ERROR: Cannot reset-state to available because attachments still exist.
+
+$ cinder reset-state --state available volume1 --attach-status detached
+(command succeeds)
+
+Cases to block:
+   1. volume reset to available w/ attachments
+   2. snapshot reset to in-use with volume in available
+
+
+Sometimes a knowledgeable operator may need to reset the state anyway
+and then manually make the current state valid. cinder-manage is the
+place where forcing a change will be allowed instead of '--force'
+flag in the API.
+
+Alternatives
+------------
+
+- Hope users don't do these things.
+- Handle the "reset to available while attached case" by forcefully
+  detaching the volumes instead of rejecting the request.
+
+Data model impact
+-----------------
+
+None
+
+REST API impact
+---------------
+
+os-reset-status actions on volumes, snaps, backups, groups,
+will now return a 400 in some cases where they would previously
+succeeded.  This does not require a microversion bump.
+
+Security impact
+---------------
+
+None
+
+Active/Active HA impact
+-----------------------
+
+These checks in reset-state could concievably race against updates in
+a cluster.  Will determine what that means when we get further into
+implementation.
+
+
+Notifications impact
+--------------------
+
+None
+
+Other end user impact
+---------------------
+
+None
+
+Performance Impact
+------------------
+
+None
+
+Other deployer impact
+---------------------
+
+Improves safety for deployers trying to clean up from issues in
+their cloud.
+
+Developer impact
+----------------
+
+None
+
+
+Implementation
+==============
+
+Assignee(s)
+-----------
+
+Primary assignee:
+  TusharTgite
+
+Other contributors:
+  eharney
+
+Work Items
+----------
+
+* Implement a check for the
+  reset-state to available while attached case
+* Add code to cinder-manage to handle the case
+  where an operator needs to override the API
+  and reset the state anyway.
+* Research other sensible cases we could prevent for
+  volumes, snaps, groups, etc.
+* Tempest test for a couple of the big cases
+
+
+Dependencies
+============
+
+None
+
+Testing
+=======
+
+* New tempest tests
+
+
+Documentation Impact
+====================
+
+* Should document common cases where this fails.
+
+References
+==========
+
+* Original proposal: https://review.opendev.org/c/openstack/cinder-specs/+/682456