[openstack-dev] [cinder] adding a new /v3 endpoint for api-microversions

Sean McGinnis sean.mcginnis at gmx.com
Fri Feb 19 16:41:57 UTC 2016


On Fri, Feb 19, 2016 at 11:28:09AM -0500, Sean Dague wrote:
> On 02/19/2016 11:20 AM, Sean McGinnis wrote:
> > On Fri, Feb 19, 2016 at 10:57:38AM -0500, Sean Dague wrote:
> >> The concern as I understand it is that by extending the v2 API with
> >> microversions the following failure scenario exists
> >>
> >> If:
> >>
> >> 1) a client already is using the /v2 API
> >> 2) a client opts into using microversions on /v2
> >> 3) that client issues a request on a Cinder API v2 endpoint without
> >> microversion support
> >> 4) that client fails to check if microversions are supported by a GET of /v2
> >> or by checking the return of the OpenStack-API-Version return header
> >> 5) that client issues a request against a resource on /v2 with
> >> parameters that would create a radically different situation that would
> >> be hard to figure out later.
> >>
> >> And, only if all these things happen is there a concern.
> > 
> > I think it's actually even simpler than that. And possibly therefore
> > more likely to actually happen in the wild.
> > 
> > 1) a client already is using microversions
> 
> But, there are no such clients today. And there is no library that does
> this yet. It will be 4 - 6 months (or even more likely 12+) until that's
> in the ecosystem. Which is why adding the header validation to existing
> v2 API, and backporting to liberty / kilo, will provide really
> substantial coverage for the concern that bswartz is bringing forward.

Yeah, I have to agree with that. We can certainly have the protection
out in time.

The only concern there is the admin who set up his Kilo initial release
cloud and doesn't want to touch it for updates. But they likely have
more pressing issues than this anyway.

> 
> 	-Sean
> 
> -- 
> Sean Dague
> http://dague.net
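
The client-side check from step 4 of the quoted scenario, written to fail closed, as an added example that is not part of this thread or of Cinder's code. The `volume <major>.<minor>` header value format, the version numbers, and all function and class names are assumptions made for illustration; the sample response headers are constructed.

```python
HEADER = "OpenStack-API-Version"   # header name taken from the thread
SERVICE = "volume"                 # assumed service-type token for Cinder

# Constructed sample response headers (not captured from a real cloud).
LEGACY_RESPONSE = {"Content-Type": "application/json"}
MICROVERSION_RESPONSE = {"Content-Type": "application/json",
                         "openstack-api-version": "volume 3.0"}


class MicroversionUnsupported(Exception):
    """Raised when the endpoint did not confirm the requested microversion."""


def parse_version_header(value):
    """Parse '<service> <major>.<minor>' into (service, (major, minor)) or None."""
    parts = (value or "").split()
    if len(parts) != 2:
        return None
    service, version = parts
    major, sep, minor = version.partition(".")
    if not (sep and major.isdigit() and minor.isdigit()):
        return None
    return service.lower(), (int(major), int(minor))


def confirm_microversion(requested, response_headers):
    """Return the version the server echoed, or raise if it was not confirmed.

    requested: (major, minor) the client sent in its request header.
    response_headers: mapping of header names to values from the response.
    """
    # HTTP header names are case-insensitive, so normalise before lookup.
    headers = {k.lower(): v for k, v in response_headers.items()}
    parsed = parse_version_header(headers.get(HEADER.lower()))
    if parsed is None:
        # No usable header: the endpoint ignored the opt-in, so stop here
        # instead of sending microversion-only parameters to a plain /v2 API.
        raise MicroversionUnsupported("endpoint did not return " + HEADER)
    service, served = parsed
    if service != SERVICE or served != requested:
        raise MicroversionUnsupported(
            "server answered %s %d.%d" % (service, *served))
    return served
```

A client would call `confirm_microversion` on the response to its first versioned request and send nothing that depends on the newer behaviour until it returns.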