Apologies, like Matt pointed out, I sort of forgot to add the title in my original email.

On Tue, Nov 26, 2019 at 7:08 PM Surya Seetharaman <surya.seetharaman9@gmail.com> wrote:
Hello everyone,

We came across this bug [1] in nova recently and wanted to know what people think is the best (relatively) way to fix this.

In the past, the project id validation was added as a best effort to prevent users from being able to enter random values into the database. When this validation is used from the os flavor set/unset admin APIs [2], there are chances that keystone returns a 403, which gets silently ignored by nova [3], allowing the user to enter the provided project_id/name without validation or warning, or to remove an existing flavor-project mapping. There were a couple of options discussed on IRC [4] to fix this behaviour, out of which the practically reasonable ones are:

1) close the bug as invalid - tweak your config (we could add docs, idk if that would be found or help) to do what you need to avoid the 403 from keystone
2) change the 403 case as an error and raise it back to the compute api caller - maybe enough time has passed to not worry about backward compat with the old non-validating behavior

Option 2 seems better than option 1 for most of us; however, what we cannot agree upon is whether this change should be accompanied by a microversion bump or not.

[1] https://bugs.launchpad.net/nova/+bug/1854053
[2] https://github.com/openstack/nova/blob/fd67f69cfdaf04620f2e8a5f1fbf5737096965d8/nova/api/openstack/compute/flavor_access.py#L64
[3] https://github.com/openstack/nova/blob/d621914442855ce67ce0b99003f7e69e8ee515e6/nova/api/openstack/identity.py#L61
[4] http://eavesdrop.openstack.org/irclogs/%23openstack-nova/%23openstack-nova.2019-11-26.log.html#t2019-11-26T16:20:24

Cheers,
Surya.


--

Regards,
Surya.
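
A simplified model of the behaviour discussed in this thread, added here as an illustration; it is not nova's code and not part of the original e-mail. The function names, the injected `lookup` callable and the sample ids are hypothetical, and only the 403 branch differs between the two modes (best-effort versus option 2).

```python
class ProjectCheckError(Exception):
    """Validation failure carrying the status the identity service returned."""
    def __init__(self, upstream_status, message):
        super().__init__(message)
        self.upstream_status = upstream_status

def verify_project(lookup, project_id, forbidden_is_error):
    """lookup(project_id) returns the identity service's HTTP status (assumed)."""
    status = lookup(project_id)
    if status == 200:
        return True
    if status == 404:
        raise ProjectCheckError(404, f"project {project_id!r} does not exist")
    if status == 403:
        if forbidden_is_error:  # option 2: surface the failure to the API caller
            raise ProjectCheckError(403, "lookup forbidden; project id not validated")
        return True  # best effort: "valid" and "never checked" look the same
    return False

def add_flavor_access(access, flavor_id, project_id, lookup, forbidden_is_error):
    """Record a flavor-project mapping only when the check passes."""
    if verify_project(lookup, project_id, forbidden_is_error):
        access.setdefault(flavor_id, set()).add(project_id)
    return access

# Constructed stand-ins for the identity service.
KNOWN_PROJECTS = {"3f2a9c"}

def permitted_lookup(project_id):
    return 200 if project_id in KNOWN_PROJECTS else 404

def forbidden_lookup(project_id):
    return 403  # the service account may not list projects

def demo():
    results = {}
    # Best effort: an arbitrary string ends up stored as a project mapping.
    results["fail_open"] = add_flavor_access(
        {}, "m1.tiny", "not-a-project", forbidden_lookup, False)
    try:
        add_flavor_access({}, "m1.tiny", "not-a-project", forbidden_lookup, True)
        results["fail_closed"] = "accepted"
    except ProjectCheckError as exc:
        results["fail_closed"] = exc.upstream_status
    return results

if __name__ == "__main__":
    print(demo())
```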