neutron

When use incorrect filter for os port list neutron returns the list of all ports

Bug #2059902 reported by Valentina Pytlik on 2024-04-01

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	neutron	New	Undecided	Unassigned

Bug Description

I have several ports in my openstack account
I want to get list ports with specific option and specify filter.
here is an example:
curl -X GET "https://.../v2.0/ports?network_id=123" -H "Accept: application/json"

However, when I specify incorrect filter to API it returns all available ports.
example below:
curl-X GET "https://.../v2.0/ports?network_iddd=123" -H "Accept: application/json"

It looks dangerous, because I could make a mistake in filter on set or delete commands and as result this changes be applied to all available ports.

I suppose, that correct behaviour should be: return nothing or fail with an error. what do you think about it?

Tags:

Revision history for this message

Brian Haley (brian-haley) wrote on 2024-04-01:

So the neutron API has been behaving this way forever - if the filter key given is not in the object definition it is ignored - see neutron_lib/db/model_query.py:apply_filters() for reference.

Any change to this behavior would have to be opt-in to not break backwards compatibility, so via an extension that is not enabled by default. This is just a thought.

What do other services do? For example, Nova?

Revision history for this message

Dr. Jens Harbott (j-harbott) wrote on 2024-04-02:

IIUC the "filter-validation" extension is what was implemented to handle this, see https://opendev.org/openstack/neutron-lib/src/branch/master/api-ref/source/v2/intro.inc#L168-L172 . It seems that it isn't enabled by default though, so deployments have to opt-in to activate it

Revision history for this message

Valentina Pytlik (vanellopka) wrote on 2024-04-02:

Unfortunately, I don't know about behavior in other services.
I am interesting for the neutron case only.

I will try to use filter_validation extension and come back with results later.

Revision history for this message

Brian Haley (brian-haley) wrote on 2024-04-02:

I guess I had forgotten about this extension, thanks for the reminder Jens.

https://review.opendev.org/c/openstack/neutron/+/574907 (merged in Rocky)

Valentina - check if the extension is loaded:

$ openstack extension list --network | grep filter-validation

If not, make sure it's enabled in neutron.conf (default is True)

filter_validation=True

And make sure it's enabled in ml2_conf.ini (default is not, although I didn't have to enable it):

extension_drivers=...,filter-validation,...

If you update that and restart neutron-server, the above extension check should list it.

Miro Tomaska (mtomaska) on 2024-04-08

tags:	added: api-ref
tags:	added: api removed: api-ref

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.