[API] block-device 'add/remove_tag' operations use GET method, not POST

Bug #1611711 reported by Brendan Donegan
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
MAAS
Critical
Gavin Panella
2.0
Critical
Gavin Panella

Bug Description

As per current MAAS documentation: https://maas.ubuntu.com/docs2.0/api.html#block-device

The add_tag and remove_tag operations on a block device are issued with a 'GET' request. This is really wrong - GET requests should never change the server state, only return information.

Related branches

Gavin Panella (allenap)
Changed in maas:
status: New → Triaged
importance: Undecided → High
importance: High → Critical
Revision history for this message
Gavin Panella (allenap) wrote :

This should be fixed before we release 2.0.

FWIW, I think this may have been caused by poor naming in the @operation decorator: it takes a boolean argument "idempotent" which then exposes the operation via HTTP GET when idempotent is True or POST when False. However, mutations should always be done via HTTP POST, whether idempotent or not.

Gavin Panella (allenap)
Changed in maas:
milestone: none → 2.0.0
Revision history for this message
Brendan Donegan (brendan-donegan) wrote :

I'd debate whether the adjective 'idempotent' can even be applied to a GET. It suggests that an operation has happened but the end result is the same no matter how many times you do it. PUT is meant to be idempotent and in other REST APIs I've used, PUT is commonly used to update entities whereas POST is used to create them. MAAS' API widely violates that convention though so this is more a general comment than something we need to fix now.

Gavin Panella (allenap)
Changed in maas:
status: Triaged → In Progress
assignee: nobody → Gavin Panella (allenap)
Changed in maas:
status: In Progress → Fix Committed
Gavin Panella (allenap)
Changed in maas:
milestone: 2.0.0 → none
Changed in maas:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers