region creation API should not allow empty id

Bug #1322639 reported by Kévin Bernard-Allies
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Kévin Bernard-Allies

Bug Description

Actually, Keystone accepts to create a region with an empty ID in the request body, and creates an unreachable region, with no possibility to use, modify or delete it.

> curl -X POST -H "X-Auth-Token: *TOKEN*" -H 'Content-type: application/json' http://localhost:35357/v3/regions/ -d '{"region":{"id":""}}'
{"region": {"parent_region_id": null, "id": "", "links": {"self": "http://localhost:35357/v3/regions/"}, "description": ""}}

Instead, it should return a 400 Bad Request error.

Changed in keystone:
assignee: nobody → Kévin Bernard-Allies (kbernard-allies)
Dolph Mathews (dolph)
Changed in keystone:
importance: Undecided → Medium
tags: added: icehouse-backport-potential
Changed in keystone:
status: New → Triaged
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/95212

Changed in keystone:
status: Triaged → In Progress
Lance Bragstad (lbragstad) wrote :

We should be able to address this with something like:

https://review.openstack.org/#/c/96266/22/keystone/catalog/schema.py

See line 27

         # specified in the request, Keystone will assign a uuid as the 'id'
         # for the region.
         'id': {
- 'type': 'string'
+ 'type': 'string',
+ 'pattern': '[a-z0-9-]+'
         },
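Review bot: the 'pattern' value '[a-z0-9-]+' added under 'id' is unanchored, and JSON Schema applies 'pattern' as a search, so it rejects the empty string but still accepts any id that merely contains one lowercase letter, digit or hyphen. If the intent is to restrict the whole id to that character class, anchor it as '^[a-z0-9-]+$'; if the intent is only to refuse empty ids, 'minLength': 1 states that more directly.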

Where we won't allow empty strings as a region id on region creation. If an id is provided in the request, it must match some regular expression that protects against this.
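
The check discussed in the comment above, as an added example that is not code from this thread or from Keystone. It models JSON Schema `pattern` matching with the standard-library `re` module and compares the quoted pattern with an anchored variant; `create_region`, `check_region_id`, `accepted`, `PATTERN_ANCHORED` and the uuid4-hex fallback are assumptions made for illustration.

```python
import re
import uuid

PATTERN_FROM_COMMENT = '[a-z0-9-]+'   # as quoted in the schema snippet above
PATTERN_ANCHORED = '^[a-z0-9-]+$'     # assumption: anchored variant, not from the thread


class ValidationError(Exception):
    """Stands in for a 400 Bad Request response."""


def check_region_id(value, pattern):
    # JSON Schema 'pattern' passes when the regex matches anywhere in the
    # string, so it is modelled with re.search rather than re.fullmatch.
    # (In Python, '$' also matches just before one trailing newline.)
    if not isinstance(value, str):
        raise ValidationError("region id must be a string")
    if re.search(pattern, value) is None:
        raise ValidationError("region id %r does not match %r" % (value, pattern))
    return value


def create_region(body, pattern):
    """Hypothetical handler for POST /v3/regions; returns the region ref."""
    region = body.get('region') if isinstance(body, dict) else None
    if not isinstance(region, dict):
        raise ValidationError("body must contain a 'region' object")
    ref = dict(region)
    if 'id' in ref:
        check_region_id(ref['id'], pattern)
    else:
        # No id supplied: assign one (uuid4 hex is an assumption here).
        ref['id'] = uuid.uuid4().hex
    return ref


def accepted(body, pattern):
    try:
        create_region(body, pattern)
        return True
    except ValidationError:
        return False


if __name__ == '__main__':
    # Constructed request bodies; the first is the one from the bug description.
    samples = [{'region': {'id': ''}}, {'region': {'id': 'region-one'}},
               {'region': {'id': 'Region/One'}}, {'region': {}}]
    for body in samples:
        print(body, accepted(body, PATTERN_FROM_COMMENT), accepted(body, PATTERN_ANCHORED))
```

Both patterns refuse the empty id from the bug description; only the anchored one also refuses `Region/One`, which the unanchored search accepts because part of it matches.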

Dolph Mathews (dolph) wrote :

Lance: ++

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/95212
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f9b5eb6e7b9a1bc9cabb5a82d7e7095b15d1585e
Submitter: Jenkins
Branch: master

commit f9b5eb6e7b9a1bc9cabb5a82d7e7095b15d1585e
Author: Kévin Bernard-Allies <email address hidden>
Date: Fri May 23 17:07:11 2014 +0200

    Check that region ID is not an empty string

    It generates an ID when a POST request to /regions has an empty string as ID

    Change-Id: I49afd1f8c2e09ed31329bd8d1d88ca7f29ef7be9
    Closes-Bug: 1322639

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → juno-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: juno-3 → 2014.2