[nova][api] Behaviour of project_id validation
surya.seetharaman9 at gmail.com
Wed Nov 27 08:45:50 UTC 2019
Apologies, like Matt pointed out I sort of forgot to add the title in my
On Tue, Nov 26, 2019 at 7:08 PM Surya Seetharaman <
surya.seetharaman9 at gmail.com> wrote:
> Hello everyone,
> We came across this bug in nova recently and wanted to know what
> people think is the best (relatively) way to fix this.
> In the past, the project id validation was added as a best effort to
> prevent users from being able to enter random values into the database.
> When this validation is used from the os flavor set/unset admin APIs,
> there are chances that keystone returns a 403 which gets silently ignored
> by nova allowing the user to enter the provided project_id/name without
> validation or warning or remove an existing flavor-project mapping. There
> were a couple of options discussed on IRC to fix this behaviour out of
> which the practically reasonable ones are:
> 1) close the bug as invalid - tweak your config (we could add docs, idk if
> that would be found or help) to do what you need to avoid the 403 from
> 2) change the 403 case as an error and raise it back to the compute api
> caller - maybe enough time has passed to not worry about backward compat
> with the old non-validating behavior
> Option 2 seems better than option 1 for most of us, however what we cannot
> agree upon is if this change should be accompanied by a microversion bump
> or not.
>  https://bugs.launchpad.net/nova/+bug/1854053
More information about the openstack-discuss
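
The fail-open behaviour described in the message, next to the fail-closed handling proposed as option 2, as an added sketch that is not part of the original post and is not nova's code. All names are hypothetical, the identity lookup is a constructed stub that returns an HTTP status, and the 200/404 handling is an assumption.

```python
# Added illustration, not nova's code: every name below is hypothetical.
class ProjectNotFound(Exception):
    pass

class ProjectValidationFailed(Exception):
    pass

def keystone_stub(known_projects, forbidden=False):
    """Constructed stand-in for the identity lookup; returns an HTTP status."""
    def lookup(project_id):
        if forbidden:
            return 403  # the caller's token may not read projects
        return 200 if project_id in known_projects else 404
    return lookup

def verify_best_effort(lookup, project_id):
    """Fail-open: only a definite 404 rejects; a 403 is silently ignored."""
    if lookup(project_id) == 404:  # assumed: 404 means "no such project"
        raise ProjectNotFound(project_id)
    return True

def verify_strict(lookup, project_id):
    """Fail-closed (option 2): anything but 200 goes back to the caller."""
    status = lookup(project_id)
    if status == 200:
        return True
    if status == 404:
        raise ProjectNotFound(project_id)
    raise ProjectValidationFailed(f"identity service returned {status}")

def add_flavor_access(verify, lookup, access, flavor_id, project_id):
    """Record a flavor-project mapping only after verify() passes."""
    verify(lookup, project_id)
    access.setdefault(flavor_id, set()).add(project_id)
    return access

def demo():
    """Same 403 response, two outcomes for an unverifiable project id."""
    lookup = keystone_stub({"proj-a"}, forbidden=True)
    open_map, closed_map, error = {}, {}, None
    add_flavor_access(verify_best_effort, lookup, open_map, "m1.tiny", "typo-id")
    try:
        add_flavor_access(verify_strict, lookup, closed_map, "m1.tiny", "typo-id")
    except ProjectValidationFailed as exc:
        error = str(exc)
    return open_map, closed_map, error

if __name__ == "__main__":
    print(demo())
```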