Checking whether group has role assignment on domain without specifying a role ID result in HTTP 200

Wouldn't that make the request list the roles for that group in that domain?

/v3/domains/{domain_id}/groups/{group_id}/roles
https://developer.openstack.org/api-ref/identity/v3/index.html?expanded=list-role-assignments-for-group-on-domain-detail#list-role-assignments-for-group-on-domain

Notice the difference between a HEAD and GET request. HEAD is for checking assignment while GET is for listing assignments. In this case, its a HEAD request.

https://github.com/openstack/keystone/blob/master/keystone/assignment/routers.py#L190

Is registering the prior api call I linked to for both GET and HEAD. The same is done for project/domains and user/group roles.

The impact that sticks out to me is that people maintaining their own clients might be calling HEAD list_grants [0] instead of HEAD check_grant [1] without them knowing it if they don't validate the role id properly when building the url.

I'd like to run this by someone from the API WG to see if we'd be able to do anything about it. I don't think we'd be able to correct the behavior at this point.

Regardless, we should document this thoroughly so that folks writing their own clients against the API know the importance of validating the role_id and the impact it has between the two APIs.

[0] https://github.com/openstack/keystone/blob/a103486efeefca821ac722cbad6fc31b2e3f133b/keystone/assignment/routers.py#L190
[1] https://github.com/openstack/keystone/blob/a103486efeefca821ac722cbad6fc31b2e3f133b/keystone/assignment/routers.py#L169

Lance, I think this is really an API issue. API is a contract. If client sends invalid request, it is the server's responsibility to response with the appropriate error code and message so client can take corrective actions.

I agree that the server should provide information for corrective actions, but part of the problem is that both APIs are very similar. If a client expects to call check_grant but doesn't ensure the role id is actually a part of the URL, how is keystone suppose to know the difference? To keystone, it doesn't see the request as invalid, because it's a different API call.

Keystone should also return the same response for GET as we do for HEAD requests [0]. So, while using HEAD to list_grants doesn't really make much sense, I'm not sure how we can fix it without breaking backwards compatibility.

[0] https://tools.ietf.org/html/rfc7231#section-4.3.2

I think we either need to revise the API contract or fix the code.

https://github.com/openstack/keystone/blob/master/api-ref/source/v3/roles.inc#L407

I guessing we just need to change this to head_action instead of get_head_action?

https://github.com/openstack/keystone/blob/a103486efeefca821ac722cbad6fc31b2e3f133b/keystone/assignment/routers.py#L169

I'm curious why we would want to break up the GET and HEAD actions of check_grant. To me that seems to be working fine. Despite breaking the routes up and carrying different logic in HEAD versus GET, apache might not honor that [0]. So even if we did change it, apache still might route the requests to GET and just truncate the body (depending on how keystone is being run).

[0] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2017-03-02.log.html#t2017-03-02T21:05:34

The problem here is that keystone supports GET and HEAD on /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} and /v3/domains/{domain_id}/groups/{group_id}/roles/. We don't know if the client wanted to make a /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} request versus a /v3/domains/{domain_id}/groups/{group_id}/roles/ request.

This isn't a bug. IF the {role_id} at the end of the call is not passed, we use the list action of:

/v3/domains/{domain_id}/groups/{group_id}/roles/ (regardless of head or get action)

If a role_id is passed, you're calling a different API. This is not a great design, but this is working as intended.