[openstack-dev] [glance][api] Response when a illegal body is sent

Ian Cordasco ian.cordasco at RACKSPACE.COM
Fri Jul 24 18:22:33 UTC 2015



On 7/24/15, 13:16, "Clint Byrum" <clint at fewbar.com> wrote:

>Excerpts from Ian Cordasco's message of 2015-07-24 08:58:06 -0700:
>> 
>> On 7/23/15, 19:38, "michael mccune" <msm at redhat.com> wrote:
>> 
>> >On 07/23/2015 12:43 PM, Ryan Brown wrote:
>> >> On 07/23/2015 12:13 PM, Jay Pipes wrote:
>> >>> On 07/23/2015 10:53 AM, Bunting, Niall wrote:
>> >>>> Hi,
>> >>>>
>> >>>> Currently when a body is passed to an API operation that explicitly
>> >>>> does not allow bodies Glance throws a 500.
>> >>>>
>> >>>> Such as in this bug report:
>> >>>> https://bugs.launchpad.net/glance/+bug/1475647 This is an example of
>> >>>> a GET however this also applies to other requests.
>> >>>>
>> >>>> What should Glance do rather than throwing a 500, should it return a
>> >>>> 400 as the user provided an illegal body
>> >>>
>> >>> Yep, this.
>> >>
>> >> +1, this should be a 400. It would also be acceptable (though less
>> >> preferable) to ignore any body on GET requests and execute the request
>> >> as normal.
>> >>
>> >>> Best,
>> >>> -jay
>> >
>> >i'm also +1 on the 400 bandwagon
>> 
>> 400 feels right for when Glance is operating without anything in front of
>> it. However, let me present a hypothetical situation:
>> 
>> Company X is operating Glance behind a load-balancing proxy. Most users
>> talk to Glance behind the LB. If someone writes a quick script to send a
>> GET and (for whatever reason) includes a body, they'll get a 200 with the
>> data that would otherwise have been sent if they didn't include a body.
>> This is because most such proxies will strip the body on a GET (even
>> though RFC 7231 allows for bodies on a GET and explicitly refuses to
>> define semantic meaning for them). If later that script is updated to work
>> behind the load balancer it will be broken, because Glance is choosing to
>> error instead of ignoring it.
>> 
>> Note: I'm not arguing that the user is correct in sending a body when
>> there shouldn't be one sent, just that we're going to confuse a lot of
>> people with this.
>> 
>> I'm also fine with either a 400 or a 200.
>> 
>
>Nice succinct description of an interesting corner case.
>
>This is indeed one of those scenarios that should be defended against
>at the edges, but it's worth considering what will make things simplest
>for users.
>
>If we believe in Postel's robustness principle[1], then Glance would
>probably just drop the body as something we liberally accept because
>it doesn't harm anything to do so. If we don't believe that's a good
>principle, then 400 or maybe 413 would be the right codes I think.
>
>So the real question is, do we follow Postel's principle or not? That
>might even be something to add to OpenStack's design principles... which
>I seem to remember at one time we had written down somewhere.
>
>[1] https://en.wikipedia.org/wiki/Robustness_principle

Just to throw a monkey-wrench in,
https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00
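
The two behaviours debated in this thread (answer 400, or drop the body and serve the request), written as a small WSGI middleware. This is an added example, not part of the original messages and not Glance code; `BodyPolicy`, `has_body`, `demo_app`, `call`, the `BODILESS` method set and the sample request are assumptions made for illustration.

```python
import io

BODILESS = frozenset({"GET", "HEAD"})  # assumption: methods whose operations take no body


def has_body(environ):
    """True when the request declares a payload (Content-Length > 0 or chunked)."""
    if "chunked" in environ.get("HTTP_TRANSFER_ENCODING", "").lower():
        return True
    try:
        return int(environ.get("CONTENT_LENGTH") or 0) > 0
    except ValueError:
        return True  # malformed length: treat it as a declared body


class BodyPolicy:
    """WSGI middleware: policy is 'reject' (400) or 'ignore' (drop the body)."""

    def __init__(self, app, policy="reject"):
        if policy not in ("reject", "ignore"):
            raise ValueError(policy)
        self.app, self.policy = app, policy

    def __call__(self, environ, start_response):
        if environ["REQUEST_METHOD"] in BODILESS and has_body(environ):
            if self.policy == "reject":
                msg = b"Request body is not allowed for this operation.\n"
                start_response("400 Bad Request", [
                    ("Content-Type", "text/plain"),
                    ("Content-Length", str(len(msg)))])
                return [msg]
            # ignore: hand the app a copy of the request with no body at all
            environ = dict(environ, CONTENT_LENGTH="0")
            environ.pop("HTTP_TRANSFER_ENCODING", None)
            environ["wsgi.input"] = io.BytesIO(b"")
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Constructed stand-in for an API handler that expects no body."""
    leftover = environ["wsgi.input"].read()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"images; body bytes seen: %d\n" % len(leftover)]


def call(app, method, body=b""):
    """Drive a WSGI app with a constructed request; return (status, payload)."""
    seen = {}
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/v2/images",
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    out = app(environ, lambda status, headers: seen.update(status=status))
    return seen["status"], b"".join(out)
```

With `policy="ignore"` the handler sees the same empty request whether or not a proxy in front already stripped the body, which is the consistency concern raised in the load-balancer scenario.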


