Balázs Gibizer balazs.gibizer at est.tech
Wed Nov 27 08:26:42 UTC 2019

On Tue, Nov 26, 2019 at 19:08, Surya Seetharaman 
<surya.seetharaman9 at gmail.com> wrote:
> Hello everyone,
> We came across this bug [1] in nova recently and wanted to know what 
> people think is the best (relatively) way to fix this.
> In the past, the project id validation was added as a best effort to 
> prevent users from being able to enter random values into the 
> database. When this validation is used from the os flavor set/unset 
> admin apis [2], there are chances that keystone returns a 403 which 
> gets silently ignored by nova [3] allowing the user to enter the 
> provided project_id/name without validation or warning or remove an 
> existing flavor-project mapping. There were a couple of options 
> discussed on IRC [4] to fix this behaviour out of which the 
> practically reasonable ones are:
> 1) close the bug as invalid - tweak your config (we could add docs, 
> idk if that would be found or help) to do what you need to avoid the 
> 403 from keystone
> 2) change the 403 case as an error and raise it back to the compute 
> api caller - maybe enough time has passed to not worry about backward 
> compat with the old non-validating behavior
> Option 2 seems better than option 1 for most of us, however what we 
> cannot agree upon is if this change should be accompanied by a 
> microversion bump or not.

My 2 cents: Make the problem explicit by raising the error back to the 
caller (which is the admin by default), enhance our docs to help the 
admin to fix the nova service user's permissions to avoid the 403.


> [1] https://bugs.launchpad.net/nova/+bug/1854053
> [2] 
> https://github.com/openstack/nova/blob/fd67f69cfdaf04620f2e8a5f1fbf5737096965d8/nova/api/openstack/compute/flavor_access.py#L64
> [3] 
> https://github.com/openstack/nova/blob/d621914442855ce67ce0b99003f7e69e8ee515e6/nova/api/openstack/identity.py#L61
> [4] 
> http://eavesdrop.openstack.org/irclogs/%23openstack-nova/%23openstack-nova.2019-11-26.log.html#t2019-11-26T16:20:24
> Cheers,
> Surya.
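
The difference between the current best-effort behaviour and option 2, as an added sketch that is not nova's code and not part of the original thread. All names (`lookup_status`, `verify_lenient`, `verify_strict`, `add_flavor_access`) and the in-memory project set are hypothetical stand-ins for the identity lookup and the flavor access API.

```python
class ProjectNotFound(Exception):
    """The identity service confirmed that the project does not exist."""

class ValidationForbidden(Exception):
    """The identity service refused the lookup, so nothing was validated."""

# Constructed sample data standing in for the projects known to keystone.
KNOWN_PROJECTS = {"proj-real"}

def lookup_status(project_id, can_read_projects):
    """Return the HTTP status the compute service user would get (hypothetical)."""
    if not can_read_projects:
        return 403  # the service user lacks permission to look up projects
    return 200 if project_id in KNOWN_PROJECTS else 404

def verify_lenient(project_id, can_read_projects):
    """Best-effort check: a 403 is ignored, so the value passes unvalidated."""
    if lookup_status(project_id, can_read_projects) == 404:
        raise ProjectNotFound(project_id)
    return True  # 200 and 403 both end up here

def verify_strict(project_id, can_read_projects):
    """Option 2: only a confirmed project passes; a 403 goes back to the caller."""
    status = lookup_status(project_id, can_read_projects)
    if status == 200:
        return True
    if status == 404:
        raise ProjectNotFound(project_id)
    raise ValidationForbidden(f"lookup of {project_id!r} returned {status}")

def add_flavor_access(mappings, flavor_id, project_id, verify, can_read_projects):
    """Store a flavor-project mapping only after `verify` accepts the project."""
    verify(project_id, can_read_projects)
    mappings.add((flavor_id, project_id))
    return mappings

def demo():
    """Try to map a mistyped project id while the service user gets 403s."""
    outcome = {}
    for name, verify in (("lenient", verify_lenient), ("strict", verify_strict)):
        mappings = set()
        try:
            add_flavor_access(mappings, "flavor-1", "proj-typo", verify, False)
            outcome[name] = ("stored", sorted(mappings))
        except ValidationForbidden:
            outcome[name] = ("rejected", sorted(mappings))
    return outcome

if __name__ == "__main__":
    print(demo())
```
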
