OpenStack Compute (nova)

Versioned discovery endpoint should not require authentication

Bug #1845530 reported by Eric Fried on 2019-09-26

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Compute (nova)	Fix Released	Medium	Eric Fried

Bug Description

stack@nucle:/opt/stack/cyborg$ openstack endpoint list
+----------------------------------+-----------+--------------+----------------+---------+-----------+-------------------------------------------------+
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
+----------------------------------+-----------+--------------+----------------+---------+-----------+-------------------------------------------------+
<snip>
| 9d483c8a6162422282514191683751cb | RegionOne | nova | compute | True | public | http://192.168.218.28/compute/v2.1 |
<snip>
+----------------------------------+-----------+--------------+----------------+---------+-----------+-------------------------------------------------+
stack@nucle:/opt/stack/cyborg$ curl http://192.168.218.28/compute/v2.1
{"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}

Discovery endpoints should not require authentication.

(I'm still looking for the doc that contains this edict; but ask mordred or anyone on the api-sig.)

Tags:

Revision history for this message

Michael McCune (mimccune) wrote on 2019-09-26:

> (I'm still looking for the doc that contains this edict; but ask mordred or anyone on the api-sig.)

this document has not been published but has been discussed for quite awhile now. you can see the review here:

https://review.opendev.org/#/c/459710/17/guidelines/discoverability.rst

see line 93

we (the api-sig), are working to get these backlogged guidelines published but this point about un-authenticated access to the version discovery is not in dispute.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-09-26: Related fix proposed to nova (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/685180

Changed in nova:
assignee:	nobody → Eric Fried (efried)
status:	New → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-09-26: Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.opendev.org/685181

OpenStack Infra (hudson-openstack) on 2020-04-03

Changed in nova:
assignee:	Eric Fried (efried) → melanie witt (melwitt)

melanie witt (melwitt) on 2020-04-03

Changed in nova:
assignee:	melanie witt (melwitt) → Eric Fried (efried)
tags:	added: api
Changed in nova:
importance:	Undecided → Medium

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-04-07: Related fix merged to nova (master)

Reviewed: https://review.opendev.org/685180
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=49a9f4564487409ae8a4ea5aed39677e234afc01
Submitter: Zuul
Branch: master

commit 49a9f4564487409ae8a4ea5aed39677e234afc01
Author: Eric Fried <email address hidden>
Date: Thu Sep 26 15:10:26 2019 -0500

Repro bug 1845530: versioned discovery is authed

    This recreates the referenced bug, demonstrating that requests for
    versioned discovery endpoints (/v2, /v2.1) are being piped through
    authentication.

Change-Id: Iaef1229f542e4e824c6c5c73335bc601bed08c04
Related-Bug: #1845530

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2020-04-08: Fix merged to nova (master)

Reviewed: https://review.opendev.org/685181
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=1e907602e37fb55bbe5a20164db6d074f87369af
Submitter: Zuul
Branch: master

commit 1e907602e37fb55bbe5a20164db6d074f87369af
Author: Eric Fried <email address hidden>
Date: Thu Sep 26 16:52:12 2019 -0500

Allow versioned discovery unauthenticated

    Make routes to the versioned discovery documents (/v2, /v2.1) go through
    paste pipelines that don't require authentication, while leaving their
    sub-URLs (/v2.1/servers etc) requiring authentication.

    To make this work, our URLMap matcher gets support for a very
    rudimentary wildcard syntax, whereby api-paste.ini can differentiate
    between {/v2.1, /v2.1/} and /v2.1/$anything_else. The former points to
    the unauthenticated discovery app pipeline; the latter points to the
    existing "real API" pipeline. Similar for legacy v2.

This entails a slight behavior change: requests to /v2 and /v2.1 used to
302 redirect to /v2/ and /v2.1/, respectively. Now they just work.

    Change-Id: Id47515017982850b167d5c637d93b96ae00ba793
    Closes-Bug: #1845530
    Closes-Bug: #1728732

Changed in nova:
status:	In Progress → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

Duplicates of this bug

Bug #1862477

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.