Invalid availability zone name with ':' is accepted

Bug #1695861 reported by Hiroaki Kobayashi on 2017-06-05
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Medium
Tetsuro Nakamura
Ocata
Medium
Matt Riedemann
Pike
Medium
Matt Riedemann

Bug Description

According to the parse_availability_zone() of the API class [1], Nova has a legacy hack to allow admins to specify hosts via an availability zone using az:host:node. That means ':' cannot be included in the name of an availability zone itself. However, the create aggregate API accepts requests which have availability zone names including ':'. That causes a following bad scenario:

1. An admin creates a host aggregate with availability_zone = bad:name:example
2. An admin tries to create a server with availability_zone = bad:name:example
3. The nova-api parse the request and split the availability_zone value with ':'
4. Then it recognizes az=bad, host=name, node=example
5. Nova returns 'No valid host found' because there is no availability zone whose name is 'bad'.

To solve this problem following fixes are needed:

Option A:
* Do not allow admins to create a host aggregate whose availability_zone name including ':'.
* Document this specification.

Option B:
* Deprecate the legacy admin hack which uses az:host:node and allow ':' for az name.

[1] https://review.openstack.org/gitweb?p=openstack/nova.git;a=blob;f=nova/compute/api.py;h=46ed8e91fcc16f3755fd6a5e2e4a6d54f990cb8b;hb=HEAD#l561

Tags: api Edit Tag help
summary: - Invalid availability zone name can be accepted
+ Invalid availability zone name with ':' is accepted
Changed in nova:
status: New → Confirmed
tags: added: api

I can reproduce it in nova master (commit 3ce0a050e1e611ad87336406c189522ee63ded30).

Which is better solution, option A or B?

description: updated
description: updated
jichenjc (jichenjc) wrote :

maybe A ? remove a functionaility looks bad than document the restriction

Changed in nova:
assignee: nobody → Tetsuro Nakamura (tetsuro0907)

Fix proposed to branch: master
Review: https://review.openstack.org/490722

Changed in nova:
status: Confirmed → In Progress
Matt Riedemann (mriedem) on 2017-08-04
Changed in nova:
importance: Undecided → Medium

Fix proposed to branch: master
Review: https://review.openstack.org/490776

Changed in nova:
assignee: Tetsuro Nakamura (tetsuro0907) → Viktor Varga (vvargaszte)
Viktor Varga (vvargaszte) wrote :

Sorry, Tetsuro Nakamura, I have not noticed you have already proposed a fix to this patch. Please reassign it to yourself.

Changed in nova:
assignee: Viktor Varga (vvargaszte) → Tetsuro Nakamura (tetsuro0907)

Fix proposed to branch: master
Review: https://review.openstack.org/491282

Tetsuro Nakamura (tetsuro0907) wrote :

Hi Viktor Varga,
No problem, thank you for telling me that I can reassign it again.

Fix proposed to branch: master
Review: https://review.openstack.org/491340

Change abandoned by Tetsuro Nakamura (<email address hidden>) on branch: master
Review: https://review.openstack.org/491340
Reason: This bug should be fixed in the patch of Change-Id: I9b0d8e8d4b3ab2cb3d578c22fa259e0e7c0d325b

Change abandoned by Tetsuro Nakamura (<email address hidden>) on branch: master
Review: https://review.openstack.org/491282
Reason: This bug should be fixed in the patch of Change-Id: I9b0d8e8d4b3ab2cb3d578c22fa259e0e7c0d325b

Tetsuro Nakamura (tetsuro0907) wrote :

Sorry for messing up. I'm working here; https://review.openstack.org/#/c/490722/2

Change abandoned by Viktor Varga (<email address hidden>) on branch: master
Review: https://review.openstack.org/490776
Reason: There is already a fix in progress for this bug.

Matt Riedemann (mriedem) on 2017-08-28
no longer affects: nova/ocata
Changed in nova:
assignee: Tetsuro Nakamura (tetsuro0907) → Matt Riedemann (mriedem)
Matt Riedemann (mriedem) on 2017-09-22
Changed in nova:
assignee: Matt Riedemann (mriedem) → Tetsuro Nakamura (tetsuro0907)

Reviewed: https://review.openstack.org/490722
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=38b25397e805dcf7a995666049713304fe4f1af1
Submitter: Jenkins
Branch: master

commit 38b25397e805dcf7a995666049713304fe4f1af1
Author: Tetsuro Nakamura <email address hidden>
Date: Fri Aug 4 11:29:00 2017 +0900

    fix nova accepting invalid availability zone name with ':'

    Nova has a legacy hack to allow admins to specify hosts via an
    availability zone using az:host:node. That means ':' cannot be
    included in the name of an availability zone itself.

    However, the aggregate API accepts requests which have
    availability zone names including ':'.

    This patch checks the availabilty zone name when aggregate is
    created or updated and raises an error if it contains ':'.

    Change-Id: I9b0d8e8d4b3ab2cb3d578c22fa259e0e7c0d325b
    Closes-Bug: #1695861

Changed in nova:
status: In Progress → Fix Released

This issue was fixed in the openstack/nova 17.0.0.0b1 development milestone.

Reviewed: https://review.openstack.org/509656
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=a33634e5558b20e4bd496fe476f6ceb1a2ba79f6
Submitter: Zuul
Branch: stable/pike

commit a33634e5558b20e4bd496fe476f6ceb1a2ba79f6
Author: Tetsuro Nakamura <email address hidden>
Date: Fri Aug 4 11:29:00 2017 +0900

    fix nova accepting invalid availability zone name with ':'

    Nova has a legacy hack to allow admins to specify hosts via an
    availability zone using az:host:node. That means ':' cannot be
    included in the name of an availability zone itself.

    However, the aggregate API accepts requests which have
    availability zone names including ':'.

    This patch checks the availabilty zone name when aggregate is
    created or updated and raises an error if it contains ':'.

    Conflicts:
          api-ref/source/parameters.yaml

    NOTE(mriedem): The conflict in the api-ref docs is due to not
    having change f657efcdc59e6b80f5e96beb7f9fdc59d8aadbec in Pike.

    Change-Id: I9b0d8e8d4b3ab2cb3d578c22fa259e0e7c0d325b
    Closes-Bug: #1695861
    (cherry picked from commit 38b25397e805dcf7a995666049713304fe4f1af1)

This issue was fixed in the openstack/nova 16.0.3 release.

Reviewed: https://review.openstack.org/509659
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=c53df19bd4535c5a95cd1aa7e50f49e128f83b95
Submitter: Zuul
Branch: stable/ocata

commit c53df19bd4535c5a95cd1aa7e50f49e128f83b95
Author: Tetsuro Nakamura <email address hidden>
Date: Fri Aug 4 11:29:00 2017 +0900

    fix nova accepting invalid availability zone name with ':'

    Nova has a legacy hack to allow admins to specify hosts via an
    availability zone using az:host:node. That means ':' cannot be
    included in the name of an availability zone itself.

    However, the aggregate API accepts requests which have
    availability zone names including ':'.

    This patch checks the availabilty zone name when aggregate is
    created or updated and raises an error if it contains ':'.

    Change-Id: I9b0d8e8d4b3ab2cb3d578c22fa259e0e7c0d325b
    Closes-Bug: #1695861
    (cherry picked from commit 38b25397e805dcf7a995666049713304fe4f1af1)
    (cherry picked from commit a33634e5558b20e4bd496fe476f6ceb1a2ba79f6)

This issue was fixed in the openstack/nova 15.1.0 release.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers