Hey Angus, yeah I realize there are limitations with the validation in it's current form, which basically doesn't work at all with nested stacks - wouldn't it be better to just skip them completely rather than trying to load random files which may not bear any relation to what the user expects (e.g, how does a user of a public cloud heat have *any* idea what's in /etc/templates of their provider?)
That's one reason why I've been reworking validate to work more like create/preview:
I think this is a better long-term direction, but it obviously doesn't solve the sort term requirement for a backportable quick fix.
In the tests above - are those being done directly via curl, or using heatclient? Because we probably have fixes to do in the client too, e.g because AFAICT the trick with the comment #.yaml works there too:
If you do heat --debug template-validate bad_tmp.yaml you'll see that we read passwd and send it in the files map (even though we know current heat ignores the files at the API level.
I guess this latter case is more a safeguard against users doing something stupid, but we should probably make it more robust if possible.
Hey Angus, yeah I realize there are limitations with the validation in it's current form, which basically doesn't work at all with nested stacks - wouldn't it be better to just skip them completely rather than trying to load random files which may not bear any relation to what the user expects (e.g, how does a user of a public cloud heat have *any* idea what's in /etc/templates of their provider?)
That's one reason why I've been reworking validate to work more like create/preview:
https:/ /review. openstack. org/#/c/ 223581/
Here, we actually pass the files map, so we can safely do nested validation:
https:/ /review. openstack. org/#/c/ 224078/
I think this is a better long-term direction, but it obviously doesn't solve the sort term requirement for a backportable quick fix.
In the tests above - are those being done directly via curl, or using heatclient? Because we probably have fixes to do in the client too, e.g because AFAICT the trick with the comment #.yaml works there too:
https:/ /github. com/openstack/ python- heatclient/ blob/master/ heatclient/ v1/shell. py#L796 /github. com/openstack/ python- heatclient/ blob/master/ heatclient/ common/ template_ utils.py# L82
https:/
$ cat bad_tmpl.yaml version: 2013-05-23
heat_template_
resources:
test:
type: /etc/passwd#.yaml
If you do heat --debug template-validate bad_tmp.yaml you'll see that we read passwd and send it in the files map (even though we know current heat ignores the files at the API level.
I guess this latter case is more a safeguard against users doing something stupid, but we should probably make it more robust if possible.