Cinder

Volume create schema validation not allowing extra params prior to enforcing microversion

Bug #1786054 reported by Sean McGinnis on 2018-08-08

6

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Cinder	Fix Released	High	Sean McGinnis

Bug Description

Microversion 3.53 added schema validation to the volume create call to enforce that extra parameters would not be allowed. Reports that horizon is seeing this enforcement happening prior to the microversion that enables this enforcement.

http://lists.openstack.org/pipermail/openstack-dev/2018-August/132977.html

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-08-08: Fix proposed to cinder (master)

#1

Fix proposed to branch: master
Review: https://review.openstack.org/589935

Changed in cinder:
assignee:	nobody → Sean McGinnis (sean-mcginnis)
status:	New → In Progress

Revision history for this message

Sean McGinnis (sean-mcginnis) wrote on 2018-08-08:

#2

This doesn't appear to be valid. The unit tests being added in 589935 should have been able to reproduce the issue, but they pass with no other modifications.

Since that didn't work, I tried reproducing this against a running system using curl. With no version specified (defaulting to the base 3.0 microversion) creation succeeded:

curl -g -i -X POST http://192.168.1.234/volume/v3/95ae21ce92a34b3c92601f3304ea0a46/volumes -H "Accept: "Content-Type: application/json" -H "User-Agent: python-cinderclient" -H "X-Auth-Token: $OS_TOKEN" -d '{"volume": {"backup_id": null, "description": null, "multiattach": false, "source_volid": null, "consistencygroup_id": null, "snapshot_id": null, "size": 1, "name": "New", "imageRef": null, "availability_zone": null, "volume_type": null, "metadata": {}, "project_id": "testing", "junk": "garbage"}}'

I then tried specifying the microversion that introduces the strict schema checking to make sure I was able to get the appropriate failure, which worked as expected:

curl -g -i -X POST http://192.168.1.234/volume/v3/95ae21ce92a34b3c92601f3304ea0a46/volumes -H "Accept: "Content-Type: application/json" -H "User-Agent: python-cinderclient" -H "X-Auth-Token: $OS_TOKEN" -d '{"volume": {"backup_id": null, "description": null, "multiattach": false, "source_volid": null, "consistencygroup_id": null, "snapshot_id": null, "size": 1, "name": "New-mv353", "imageRef": null, "availability_zone": null, "volume_type": null, "metadata": {}, "project_id": "testing", "junk": "garbage"}}' -H "OpenStack-API-Version: volume 3.53"
HTTP/1.1 400 Bad Request
...

And to test boundary conditions, I then specified the microversion just prior to the one that enabled strict checking:

curl -g -i -X POST http://192.168.1.234/volume/v3/95ae21ce92a34b3c92601f3304ea0a46/volumes -H "Ac "Content-Type: application/json" -H "User-Agent: python-cinderclient" -H "X-Auth-Token: $OS_TOKEN" -d '{"volume": {"backup_id": null, "description": null, "multiattach": false, "source_volid": null, "consistencygroup_id": null, "snapshot_id": null, "size": 1, "name": "New-mv352", "imageRef": null, "availability_zone": null, "volume_type": null, "metadata": {}, "project_id": "testing", "junk": "garbage"}}' -H "OpenStack-API-Version: volume 3.52"
HTTP/1.1 202 Accepted

In all cases except the strict checking one, the volume was created successfully even though the junk extra parameters ("project_id": "testing", "junk": "garbage") were provided.

This doesn't appear to be valid. The unit tests being added in 589935 should have been able to reproduce the issue, but they pass with no other modifications.

Since that didn't work, I tried reproducing this against a running system using curl. With no version specified (defaulting to the base 3.0 microversion) creation succeeded:

curl -g -i -X POST http://192.168.1.234/volume/v3/95ae21ce92a34b3c92601f3304ea0a46/volumes -H "Accept: "Content-Type: application/json" -H "User-Agent: python-cinderclient" -H "X-Auth-Token: $OS_TOKEN" -d '{"volume": {"backup_id": null, "description": null, "multiattach": false, "source_volid": null, "consistencygroup_id": null, "snapshot_id": null, "size": 1, "name": "New", "imageRef": null, "availability_zone": null, "volume_type": null, "metadata": {}, "project_id": "testing", "junk": "garbage"}}'

I then tried specifying the microversion that introduces the strict schema checking to make sure I was able to get the appropriate failure, which worked as expected:

curl -g -i -X POST http://192.168.1.234/volume/v3/95ae21ce92a34b3c92601f3304ea0a46/volumes -H "Accept: "Content-Type: application/json" -H "User-Agent: python-cinderclient" -H "X-Auth-Token: $OS_TOKEN" -d '{"volume": {"backup_id": null, "description": null, "multiattach": false, "source_volid": null, "consistencygroup_id": null, "snapshot_id": null, "size": 1, "name": "New-mv353", "imageRef": null, "availability_zone": null, "volume_type": null, "metadata": {}, "project_id": "testing", "junk": "garbage"}}' -H "OpenStack-API-Version: volume 3.53"
HTTP/1.1 400 Bad Request
...

And to test boundary conditions, I then specified the microversion just prior to the one that enabled strict checking:

curl -g -i -X POST http://192.168.1.234/volume/v3/95ae21ce92a34b3c92601f3304ea0a46/volumes -H "Ac "Content-Type: application/json" -H "User-Agent: python-cinderclient" -H "X-Auth-Token: $OS_TOKEN" -d '{"volume": {"backup_id": null, "description": null, "multiattach": false, "source_volid": null, "consistencygroup_id": null, "snapshot_id": null, "size": 1, "name": "New-mv352", "imageRef": null, "availability_zone": null, "volume_type": null, "metadata": {}, "project_id": "testing", "junk": "garbage"}}' -H "OpenStack-API-Version: volume 3.52"
HTTP/1.1 202 Accepted

In all cases except the strict checking one, the volume was created successfully even though the junk extra parameters ("project_id": "testing", "junk": "garbage") were provided.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-08-08:

#3

Fix proposed to branch: master
Review: https://review.openstack.org/590014

Jay Bryant (jsbryant) on 2018-08-08

Changed in cinder:
importance:	Undecided → High

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-08-09: Fix merged to cinder (master)

#4

Reviewed: https://review.openstack.org/590014
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=f41751cb04dc934c79ef7090aad23b807a7d9bbc
Submitter: Zuul
Branch: master

commit f41751cb04dc934c79ef7090aad23b807a7d9bbc
Author: Sean McGinnis <email address hidden>
Date: Wed Aug 8 14:34:22 2018 -0500

Allow extra parameters in volume_type_encryption

    Change I6488cc89e60a31605ddf80c7aa56ddf4871d3c1a added schema validation
    for volume type encryption, but it locked things down in a non-backwards
    compatible way by not allowing extra parameters. This has caused
    problems for at least Horizon. If we are going change this to not be
    backwards compatible it should include a microversion bump and moving
    the endpoint out of contrib to a standard endpoint.

    To keep some schema validation at least, this just allows extra
    parameters so existing API consumers should be unaffected. We can
    address locking things down better in a future release when we have time
    to do it right.

Closes-bug: #1783467
Closes-bug: #1786054

Change-Id: I45c254eca69471509e7ae4c957df51282e2d1776
Signed-off-by: Sean McGinnis <email address hidden>

Changed in cinder:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-08-09: Fix included in openstack/cinder 13.0.0.0rc1

#5

This issue was fixed in the openstack/cinder 13.0.0.0rc1 release candidate.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-08-14: Fix merged to cinder (master)

#6

Reviewed: https://review.openstack.org/589935
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=3a5f83be2d3be7f2a56d874f6260dfc7ff28f1ee
Submitter: Zuul
Branch: master

commit 3a5f83be2d3be7f2a56d874f6260dfc7ff28f1ee
Author: Sean McGinnis <email address hidden>
Date: Wed Aug 8 09:50:08 2018 -0500

Add volume create schema enforcement unit tests

    This increases test coverage with the volume create call to verify calls
    using microversions < 3.53 allow extra parameters to be passed and calls
    starting with microversion 3.53 will raise a schema validation error for
    unexpected values.

Partial-bug: #1786054

Change-Id: Ib532eb9d4fe0bd597724b734d2e8a7c6daf7c4f1
Signed-off-by: Sean McGinnis <email address hidden>

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.