[openstack-dev] [nova] whitelist/blacklist for Nova V3 extensions
Sean Dague
sean at dague.net
Fri May 31 12:10:29 UTC 2013
On 05/31/2013 03:25 AM, Christopher Yeoh wrote:
> Hi,
>
> I've proposed a patch which adds the ability to whitelist which
> extensions are loaded for the V3 API (anything which is not in the
> whitelist is not loaded) and to blacklist extensions (anything in the
> blacklist is not loaded).
>
> https://review.openstack.org/#/c/29487
> <https://review.openstack.org/#/c/29487/6>
>
> There is also a check to see if something is in both the blacklist and
> the whitelist as this may be an indication of a misconfiguration and
> currently the code just does a LOG warn. The question is whether it
> should instead raise an exception which will effectively abort the
> nova-api process.
>
> Do people think there are any circumstances where someone would
> intentionally want to both blacklist and whitelist an extension?
> Presumably if it happened it would only be a temporary thing anyway as
> they could otherwise just remove it from the whitelist.
Every time I've seen whitelist / blacklist implemented, blacklist trumps
whitelist. Because configuration can come from multiple places (config
file, args), I think it's entirely possible that whitelist and blacklist
could both have values, and be set from different locations in such a
way that the admin flipping the blacklist on didn't know the extension
was specified in a whitelist elsewhere.
So I think throwing a warning is good, but it should default to
blacklisted behavior if it's in both lists.
-Sean
--
Sean Dague
http://dague.net
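
The precedence rule discussed in this thread, as an added example that is not taken from the Nova patch under review or from either poster: the blacklist wins when a name is in both lists, with a warning by default and an optional abort. All names here (`merge_sources`, `select_extensions`, `strict`, the sample extension lists) are hypothetical, and treating an empty whitelist as "no whitelist configured" is an assumption.

```python
import logging

LOG = logging.getLogger("extension_filter")


def merge_sources(*sources):
    """Union of extension names from several config sources (file, args)."""
    merged = set()
    for names in sources:
        merged.update(n.strip() for n in names if n.strip())
    return merged


def select_extensions(available, whitelist, blacklist, strict=False):
    """Return (loaded, conflicts); a blacklisted name is never loaded.

    Assumption: an empty whitelist means no whitelist is configured, so
    every available extension is a candidate.
    strict=True models the alternative raised in the thread: abort startup
    instead of warning when a name is in both lists.
    """
    conflicts = sorted(whitelist & blacklist)
    if conflicts and strict:
        raise ValueError("in both whitelist and blacklist: %s" % conflicts)
    for name in conflicts:
        LOG.warning("Extension %r is whitelisted and blacklisted; "
                    "blacklist wins, not loading it", name)
    candidates = [e for e in available if not whitelist or e in whitelist]
    loaded = [e for e in candidates if e not in blacklist]
    return loaded, conflicts


# Constructed sample data: whitelist from a config file, blacklist from args.
AVAILABLE = ["servers", "keypairs", "consoles", "evacuate"]
FILE_WHITELIST = ["servers", "keypairs", "consoles"]
ARGS_BLACKLIST = ["consoles"]

if __name__ == "__main__":
    loaded, conflicts = select_extensions(
        AVAILABLE,
        merge_sources(FILE_WHITELIST),
        merge_sources(ARGS_BLACKLIST),
    )
    print("loaded:", loaded)
    print("conflicts:", conflicts)
```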