[openstack-dev] [glance][api] Response when a illegal body is sent

Clint Byrum clint at fewbar.com
Fri Jul 24 18:16:11 UTC 2015


Excerpts from Ian Cordasco's message of 2015-07-24 08:58:06 -0700:
> 
> On 7/23/15, 19:38, "michael mccune" <msm at redhat.com> wrote:
> 
> >On 07/23/2015 12:43 PM, Ryan Brown wrote:
> >> On 07/23/2015 12:13 PM, Jay Pipes wrote:
> >>> On 07/23/2015 10:53 AM, Bunting, Niall wrote:
> >>>> Hi,
> >>>>
> >>>> Currently when a body is passed to an API operation that explicitly
> >>>> does not allow bodies Glance throws a 500.
> >>>>
> >>>> Such as in this bug report:
> >>>> https://bugs.launchpad.net/glance/+bug/1475647 This is an example of
> >>>> a GET however this also applies to other requests.
> >>>>
> >>>> What should Glance do rather than throwing a 500, should it return a
> >>>> 400 as the user provided an illegal body?
> >>>
> >>> Yep, this.
> >>
> >> +1, this should be a 400. It would also be acceptable (though less
> >> preferable) to ignore any body on GET requests and execute the request
> >> as normal.
> >>
> >>> Best,
> >>> -jay
> >
> >i'm also +1 on the 400 bandwagon
> 
> 400 feels right for when Glance is operating without anything in front of
> it. However, let me present a hypothetical situation:
> 
> Company X is operating Glance behind a load-balancing proxy. Most users
> talk to Glance behind the LB. If someone writes a quick script to send a
> GET and (for whatever reason) includes a body, they'll get a 200 with the
> data that would otherwise have been sent if they didn't include a body.
> This is because most such proxies will strip the body on a GET (even
> though RFC 7231 allows for bodies on a GET and explicitly refuses to
> define semantic meaning for them). If later that script is updated to work
> behind the load balancer it will be broken, because Glance is choosing to
> error instead of ignoring it.
> 
> Note: I'm not arguing that the user is correct in sending a body when
> there shouldn't be one sent, just that we're going to confuse a lot of
> people with this.
> 
> I'm also fine with either a 400 or a 200.
> 

Nice succinct description of an interesting corner case.

This is indeed one of those scenarios that should be defended against
at the edges, but it's worth considering what will make things simplest
for users.

If we believe in Postel's robustness principle[1], then Glance would
probably just drop the body as something we liberally accept because
it doesn't harm anything to do so. If we don't believe that's a good
principle, then 400 or maybe 413 would be the right codes I think.

So the real question is, do we follow Postel's principle or not? That
might even be something to add to OpenStack's design principles... which
I seem to remember at one time we had written down somewhere.

[1] https://en.wikipedia.org/wiki/Robustness_principle


