[nova][api]

Surya Seetharaman surya.seetharaman9 at gmail.com
Tue Nov 26 18:08:15 UTC 2019


Hello everyone,

We came across this bug [1] in nova recently and wanted to know what people
think is the best (relatively) way to fix this.

In the past, the project id validation was added as a best effort to
prevent users from being able to enter random values into the database.
When this validation is used from the os flavor set/unset admin apis [2],
there are chances that keystone returns a 403 which gets silently ignored
by nova [3] allowing the user to enter the provided project_id/name without
validation or warning or remove an existing flavor-project mapping. There
were a couple of options discussed on IRC [4] to fix this behaviour out of
which the practically reasonable ones are:

1) close the bug as invalid - tweak your config (we could add docs, idk if
that would be found or help) to do what you need to avoid the 403 from
keystone
2) change the 403 case as an error and raise it back to the compute api
caller - maybe enough time has passed to not worry about backward compat
with the old non-validating behavior

Option 2 seems better than option 1 for most of us, however what we cannot
agree upon is if this change should be accompanied by a microversion bump
or not.

[1] https://bugs.launchpad.net/nova/+bug/1854053
[2] https://github.com/openstack/nova/blob/fd67f69cfdaf04620f2e8a5f1fbf5737096965d8/nova/api/openstack/compute/flavor_access.py#L64
[3] https://github.com/openstack/nova/blob/d621914442855ce67ce0b99003f7e69e8ee515e6/nova/api/openstack/identity.py#L61
[4] http://eavesdrop.openstack.org/irclogs/%23openstack-nova/%23openstack-nova.2019-11-26.log.html#t2019-11-26T16:20:24

Cheers,
Surya.
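
The difference between the current best-effort validation and option 2, as a simplified model. This is an added example, not part of the original message and not nova's code; every function name, flavor name and project id in it is hypothetical or constructed.

```python
# Added illustration: a simplified model, not nova's code. All names are hypothetical.
class ProjectValidationError(Exception):
    """Raised when a project id cannot be confirmed against the identity service."""

def fake_identity_lookup(project_id, caller_may_read_projects):
    """Stand-in for the identity service's project lookup (constructed data)."""
    if not caller_may_read_projects:
        return 403  # policy denies the lookup itself, so nothing is learned
    return 200 if project_id in {"proj-a", "proj-b"} else 404

def verify_lenient(status):
    """Best-effort behaviour described in the message: a 403 is silently accepted."""
    if status == 404:
        raise ProjectValidationError("project not found")
    return True  # 200 and 403 both pass

def verify_strict(status):
    """Option 2: anything other than a confirmed 200 goes back to the caller."""
    if status == 200:
        return True
    if status == 404:
        raise ProjectValidationError("project not found")
    raise ProjectValidationError("identity returned %d; project id not validated" % status)

def add_flavor_access(mapping, flavor, project_id, verify, caller_may_read_projects):
    """Validate first, then write: the mapping changes only if verify() returns."""
    verify(fake_identity_lookup(project_id, caller_may_read_projects))
    mapping.setdefault(flavor, set()).add(project_id)
    return mapping

def demo():
    """Same unvalidated request against both policies while identity answers 403."""
    lenient, strict = {}, {}
    add_flavor_access(lenient, "m1.secret", "not-a-project", verify_lenient, False)
    try:
        add_flavor_access(strict, "m1.secret", "not-a-project", verify_strict, False)
        rejected = False
    except ProjectValidationError:
        rejected = True
    return lenient, strict, rejected

if __name__ == "__main__":
    print(demo())
```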