[nova][api] Behaviour of project_id validation

Surya Seetharaman surya.seetharaman9 at gmail.com
Wed Nov 27 08:45:50 UTC 2019


Apologies, like Matt pointed out I sort of forgot to add the title in my
original email.

On Tue, Nov 26, 2019 at 7:08 PM Surya Seetharaman <surya.seetharaman9 at gmail.com> wrote:

> Hello everyone,
>
> We came across this bug [1] in nova recently and wanted to know what
> people think is the best (relatively) way to fix this.
>
> In the past, the project id validation was added as a best effort to
> prevent users from being able to enter random values into the database.
> When this validation is used from the os flavor set/unset admin apis [2],
> there are chances that keystone returns a 403 which gets silently ignored
> by nova [3] allowing the user to enter the provided project_id/name without
> validation or warning or remove an existing flavor-project mapping. There
> were a couple of options discussed on IRC [4] to fix this behaviour out of
> which the practically reasonable ones are:
>
> 1) close the bug as invalid - tweak your config (we could add docs, idk if
> that would be found or help) to do what you need to avoid the 403 from
> keystone
> 2) change the 403 case as an error and raise it back to the compute api
> caller - maybe enough time has passed to not worry about backward compat
> with the old non-validating behavior
>
> Option 2 seems better than option 1 for most of us, however what we cannot
> agree upon is if this change should be accompanied by a microversion bump
> or not.
>
> [1] https://bugs.launchpad.net/nova/+bug/1854053
> [2] https://github.com/openstack/nova/blob/fd67f69cfdaf04620f2e8a5f1fbf5737096965d8/nova/api/openstack/compute/flavor_access.py#L64
> [3] https://github.com/openstack/nova/blob/d621914442855ce67ce0b99003f7e69e8ee515e6/nova/api/openstack/identity.py#L61
> [4] http://eavesdrop.openstack.org/irclogs/%23openstack-nova/%23openstack-nova.2019-11-26.log.html#t2019-11-26T16:20:24
>
> Cheers,
> Surya.
>


-- 

Regards,
Surya.
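
The 403 handling discussed in this message, as an added example that is not part of the original email and is not nova's code: a simplified model comparing the best-effort check with option 2. All function names, the stand-in identity lookup, the sample IDs and the use of 404 for an unknown project are assumptions made for illustration.

```python
class ProjectValidationError(Exception):
    """The project_id could not be confirmed against the identity service."""


def make_lookup(known_projects, caller_may_read_projects):
    """Constructed stand-in for the identity service: returns an HTTP status."""
    def lookup(project_id):
        if not caller_may_read_projects:
            return 403  # policy denies the lookup itself
        return 200 if project_id in known_projects else 404  # 404: assumed
    return lookup


def validate_fail_open(project_id, lookup):
    """Best-effort behaviour described in the thread: a 403 is ignored."""
    if lookup(project_id) == 404:
        raise ProjectValidationError(f"unknown project {project_id!r}")
    return True  # reached for 200 *and* for 403: nothing was verified


def validate_fail_closed(project_id, lookup):
    """Option 2: anything other than a confirmed project is an error."""
    status = lookup(project_id)
    if status == 200:
        return True
    reason = {403: "lookup forbidden (403)", 404: "unknown project"}.get(
        status, f"unexpected status {status}")
    raise ProjectValidationError(f"{project_id!r}: {reason}")


def add_flavor_access(access, flavor_id, project_id, validate, lookup):
    """Record a flavor-project mapping only after validation passes."""
    validate(project_id, lookup)
    access.setdefault(flavor_id, set()).add(project_id)
    return access


def demo():
    """Same request under both policies while the lookup is forbidden."""
    denied = make_lookup({"proj-a"}, caller_may_read_projects=False)
    open_db = add_flavor_access({}, "m1.small", "typo-1234", validate_fail_open, denied)
    closed_db = {}
    try:
        add_flavor_access(closed_db, "m1.small", "typo-1234", validate_fail_closed, denied)
    except ProjectValidationError as exc:
        print("rejected:", exc)
    return open_db, closed_db


if __name__ == "__main__":
    print(demo())
```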