[openstack-dev] [Heat]Updated summit etherpad: API-retry-with-idempotency

Zane Bitter zbitter at redhat.com
Fri Nov 15 11:46:44 UTC 2013

On 13/11/13 23:35, Chris Friesen wrote:
> On 11/13/2013 04:19 PM, Zane Bitter wrote:
>> Of course the idempotency token *should* be just the name, but since
>> most projects have inexplicably chosen not to enforce unique names (in
>> tenant scope), we're in the odd position of requiring 3 ways to look up
>> any resource (by name, UUID, and idempotency token). That's bonkers, but
>> what can you do?
> Why would the idempotency token not be the UUID?  Presumably that should
> be unique.

Yes, but you don't know the UUID until you know it, and by then it's too 
late (the resource has been created). So the idempotency token has to be 
something passed in by the user.

You could allow the user to supply the UUID (you would obviously check 
it for uniqueness). There is however, many possible ways in which that 
could go horribly wrong (e.g. if you sharded based on UUID, an attacker 
might be able to exploit that to overload one of your machines; the 
uniqueness check leaks information from other tenants, &c.)


More information about the OpenStack-dev mailing list