Cyclical hierarchies using parent_id

Bug #1666536 reported by git-harry
This bug affects 1 person
Affects: craton
Status: Fix Released
Importance: Critical
Assigned to: git-harry

Bug Description

Currently it is possible to set a device parent_id to its own ID or to that of a child. This prevents any further queries being made against the database.

For example:

# http GET :8080/v1/hosts/2 'X-Auth-Token:demo' 'X-Auth-User:demo' 'X-Auth-Project:b9f10eca66ac4c279c139d01e65f96b4'
HTTP/1.0 200 OK
Content-Length: 618
Content-Type: application/json
Date: Tue, 21 Feb 2017 14:22:29 GMT
Server: WSGIServer/0.2 CPython/3.5.2
x-openstack-request-id: req-b90671ba-eaf6-40d1-92ea-f4f0b69741de

{
    "active": true,
    "cell_id": 1,
    "created_at": "2017-02-21T14:07:11.000000",
    "device_type": "server",
    "id": 2,
    "ip_address": "192.168.1.5",
    "links": [
        {
            "href": "http://localhost:8080/v1/cells/1",
            "rel": "up"
        }
    ],
    "name": "host0.ORD135.C0001.C-1.example1.com",
    "note": null,
    "parent_id": null,
    "project_id": "b9f10eca-66ac-4c27-9c13-9d01e65f96b4",
    "region_id": 1,
    "updated_at": null,
    "variables": {
        "cell_capabilities": "flavor_classes=performance2",
        "console_host": "10.10.1.100",
        "glance_default_store": "swift",
        "neutron_l2_population": true,
        "nova_console_type": "novnc",
        "tempest_public_subnet_cidr": "192.168.1.0/22"
    }
}

# http PUT :8080/v1/hosts/2 'X-Auth-Token:demo' 'X-Auth-User:demo' 'X-Auth-Project:b9f10eca66ac4c279c139d01e65f96b4' parent_id:=2
HTTP/1.0 200 OK
Content-Length: 399
Content-Type: application/json
Date: Tue, 21 Feb 2017 14:23:35 GMT
Server: WSGIServer/0.2 CPython/3.5.2
x-openstack-request-id: req-70cd753b-db17-4623-b506-7e26005ca92e

{
    "active": true,
    "cell_id": 1,
    "created_at": "2017-02-21T14:07:11.000000",
    "device_type": "server",
    "id": 2,
    "ip_address": "192.168.1.5",
    "links": [
        {
            "href": "http://localhost:8080/v1/hosts/2",
            "rel": "up"
        }
    ],
    "name": "host0.ORD135.C0001.C-1.example1.com",
    "note": null,
    "parent_id": 2,
    "project_id": "b9f10eca-66ac-4c27-9c13-9d01e65f96b4",
    "region_id": 1,
    "updated_at": "2017-02-21T14:23:35.276224"
}

# http GET :8080/v1/cells/3 'X-Auth-Token:demo' 'X-Auth-User:demo' 'X-Auth-Project:b9f10eca66ac4c279c139d01e65f96b4'

http: error: Request timed out (30s).

Jim Baker (jimbaker) wrote :

Prevent by checking parent_id against the ancestors for a device; https://github.com/openstack/craton/blob/master/craton/db/sqlalchemy/models.py#L352

Should be a straightforward fix.

Changed in craton:
importance: Undecided → Critical
assignee: nobody → Jim Baker (jimbaker)
Jim Baker (jimbaker)
Changed in craton:
assignee: Jim Baker (jimbaker) → nobody
milestone: none → v0.1.0
Jim Baker (jimbaker)
Changed in craton:
status: New → Confirmed
git-harry (git-harry)
Changed in craton:
assignee: nobody → git-harry (git-harry)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to craton (master)

Fix proposed to branch: master
Review: https://review.openstack.org/443566

Changed in craton:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to craton (master)

Reviewed: https://review.openstack.org/443566
Committed: https://git.openstack.org/cgit/openstack/craton/commit/?id=a690e1997c7794b0d7991805c7d54b65ddd33681
Submitter: Jenkins
Branch: master

commit a690e1997c7794b0d7991805c7d54b65ddd33681
Author: git-harry <email address hidden>
Date: Thu Mar 9 10:45:43 2017 +0000

    Validate parent_id is neither id nor a descendant

    A device's parent_id represents the id of another device. A parent_id
    cannot be a device's own id nor can it be the id of a descendant.

    This commit adds a validator decorator to ensure that the parent_id
    supplied meets the requirements before the database is updated. Failure
    to properly validate the parent_id can cause the database to become
    unresponsive.

    If an invalid parent_id is supplied the API will return a 400 Bad
    Request.

    Change-Id: I81f6bff5bf64b7c441fef08a8e03731cc17bb2f1
    Closes-bug: 1666536

Changed in craton:
status: In Progress → Fix Released
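
The check described in the commit message above, sketched as an added example; this is not the code from the craton commit. The dict-based store, the InvalidParent exception, the function names and the missing-parent check are assumptions made for illustration.

```python
class InvalidParent(ValueError):
    """Stands in for the API's 400 Bad Request (hypothetical name)."""


def validate_parent_id(parents, device_id, new_parent_id):
    """Reject a parent_id that would create a cycle.

    parents: dict mapping device id -> parent_id (None for a root).
    Walking up from the proposed parent reaches device_id exactly when
    the proposed parent is the device itself or one of its descendants.
    """
    if new_parent_id is None:
        return  # detaching a device can never create a cycle
    if new_parent_id not in parents:
        # Assumption: an unknown parent is also rejected.
        raise InvalidParent("parent %r does not exist" % new_parent_id)
    seen = set()
    node = new_parent_id
    while node is not None:
        if node == device_id:
            raise InvalidParent(
                "parent_id %r is device %r or one of its descendants"
                % (new_parent_id, device_id))
        if node in seen:
            # Data already holds a cycle from an earlier unchecked write:
            # stop instead of looping forever, the failure seen in this bug.
            raise InvalidParent("existing cycle at device %r" % node)
        seen.add(node)
        node = parents.get(node)


def try_set_parent(parents, device_id, new_parent_id):
    """Validate before writing; return an HTTP-like status code."""
    try:
        validate_parent_id(parents, device_id, new_parent_id)
    except InvalidParent:
        return 400  # the bad value never reaches storage
    parents[device_id] = new_parent_id
    return 200


# Constructed sample hierarchy: 1 <- 2 <- 3, and 4 is unrelated.
SAMPLE = {1: None, 2: 1, 3: 2, 4: None}
```

The visited set matters for databases written before the fix: a hierarchy that already contains a cycle would otherwise make the validator itself loop.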