A node's nodegroup is autodetected using the request's IP even when the request is a manual API/CLI call

Bug #1274926 reported by Raphaël Badin on 2014-01-31
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
MAAS
Critical
Julian Edwards

Bug Description

When a node is enlisted using the API, src/maasserver/utils/__init__.py:find_nodegroup() is called to detect in which nodegroup the new node should be put. The problem is that this detection uses the request's originating IP and happens even when the enlistment is manual; in this case (i.e. when the request is issued by, say, maas-cli), the request does not originate from the node itself and thus it's silly and potentially harmful to do any kind of autodetection using the request's originating IP.

Related branches

Julian Edwards (julian-edwards) wrote :

Oh dear!

I think keeping the auto detection is right, we just need a way for an API client to override in which nodegroup[interface] it belongs.

Raphaël Badin (rvb) wrote :

> I think keeping the auto detection is right

It only makes sense to do the auto-detection when the request comes from maas-enlist running on a node.

I think we should:
- make no-autodetection the default; add a parameter to the API enlistment method to tell MAAS to perform the auto-detection (thus overriding the default which is "no-autodetection"); update maas-enlist so that it will call the enlistment method with that parameter set.
- change the enlistment API to let the user specify to which nodegroup a node belongs (like you said)
- make sure a user can change a node's nodegroup (UI/API) after it's enlisted; I don't think this is possible right now.

Gavin Panella (allenap) wrote :

Can we do it so that, if the detected IP address does not fall within any cluster's network range, we demand that the nodegroup is specified? That's not clearly better than making it default-off, but it does mean touching one less area of MAAS (maas-enlist).

Raphaël Badin (rvb) wrote :

> Can we do it so that,…

That's something we could do. But I don't think we should:
- it introduces subtle error cases where the nodegroup might be wrongly detected
- the behavior of the enlistment will be far more obscure for the user; making the auto-detection / no auto-detection choice explicit is much better from a user's pov

Julian Edwards (julian-edwards) wrote :

I can also see it failing when people run commands on mixed cluster/region hosts.

Julian Edwards (julian-edwards) wrote :

Raph, I think your solution is good. Updating maas-enlist will be A PITA though, but this is an excellent opportunity to bring the code into MAAS and delete the Ubuntu package (why on earth it went to a separate package is a mystery!)

Changed in maas:
assignee: nobody → Julian Edwards (julian-edwards)
status: Triaged → In Progress
Julian Edwards (julian-edwards) wrote :

> - change the enlistment API to let the user specify to which nodegroup a node belongs (like you said)

This parameter is already there, but it's a bit awkward, you have to specify the cluster UUID (I think; the "AnonNodesHandler.new()" API is not documented, which is quite frustrating).

So, it's possible to do this right as it stands, it's just that footgun mode is available if you omit the nodegroup and are using maas-cli from somewhere.

Changed in maas:
status: In Progress → Fix Committed
Changed in maas:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers