Ironic

API accepts MAC instead of UUID for ports

Bug #1246816 reported by aeva black
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Ironic
Fix Released
Medium
Lucas Alvares Gomes
Ironic 2014.1 "icehouse"

Bug Description

The API currently accepts a MAC address in the URI query string for ports, when it should only accept the port UUID. Example:

  GET /v1/ports/52:54:00:38:fb:5d/

This works because of the ironic.db.sqlalchemy.add_port_filter() method, which will auto-detect whether the input is uuid-like or mac-like, and adjust the query automatically. While this simplifies the internal db api, it is inappropriate to expose in the API.

This is particular unsuitable because the MAC address may change.

aeva black (tenbrae)
Changed in ironic:
status: New → Triaged
importance: Undecided → Medium
Revision history for this message
Haomeng,Wang (whaom) wrote :

I think We should accept uuid-like as input for port GET API, and reject the mac-like input.

Changed in ironic:
assignee: nobody → Haomeng,Wang (whaom)
Revision history for this message
Haomeng,Wang (whaom) wrote :

@Devananda, correct me If I am wrong understanding.

Changed in ironic:
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to ironic (master)

Fix proposed to branch: master
Review: https://review.openstack.org/55231

Revision history for this message
Craig Tracey (craigtracey) wrote :

I think that limiting this to the GET HTTP verb is not suitable. While the example provided by Devananda uses GET, this resource identifier should be changed for all operations.

Revision history for this message
Haomeng,Wang (whaom) wrote :

Craig, agree with you, I have committed new patch to cover GET/PATCH/DELETE actions which uses the address as input, thank you.

Revision history for this message
Sergey Skripnick (eyerediskin) wrote :

Method Port.get_port_by_uuid can get port by mac address? This is madness.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/64534

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/64837

Changed in ironic:
assignee: Haomeng,Wang (whaom) → Lucas Alvares Gomes (lucasagomes)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to ironic (master)

Reviewed: https://review.openstack.org/64837
Committed: https://git.openstack.org/cgit/openstack/ironic/commit/?id=5cf9aaa3ca3eb1e0b8f8a865907dae87be0986b1
Submitter: Jenkins
Branch: master

commit 5cf9aaa3ca3eb1e0b8f8a865907dae87be0986b1
Author: Lucas Alvares Gomes <email address hidden>
Date: Thu Jan 2 20:12:21 2014 +0000

    API to validate UUID parameters

    The patch uses the UuidType in the wsexpose decorator to make WSME
    validate whether UUIDs parameters are UUID-like strings. By doing that,
    it solves the problem of allowing ports to be accessed by its address,
    which is an inconsistence in our API.

    As our UuidType now differs from the UuidType of WSME the patch also
    removes the note to remove our custom type on the next WSME release.

    Change-Id: I023e8f31d94555577c4573b4a5cf0d649d33b4fa
    Closes-Bug: #1246816

Changed in ironic:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in ironic:
milestone: none → icehouse-2
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in ironic:
milestone: icehouse-2 → 2014.1
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.