Versioned discovery endpoint should not require authentication

Bug #1845530 reported by Eric Fried
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Compute (nova) | Fix Released | Medium | Eric Fried |

Bug Description

stack@nucle:/opt/stack/cyborg$ openstack endpoint list
+----------------------------------+-----------+--------------+----------------+---------+-----------+-------------------------------------------------+
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
+----------------------------------+-----------+--------------+----------------+---------+-----------+-------------------------------------------------+
<snip>
| 9d483c8a6162422282514191683751cb | RegionOne | nova | compute | True | public | http://192.168.218.28/compute/v2.1 |
<snip>
+----------------------------------+-----------+--------------+----------------+---------+-----------+-------------------------------------------------+
stack@nucle:/opt/stack/cyborg$ curl http://192.168.218.28/compute/v2.1
{"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}

Discovery endpoints should not require authentication.

(I'm still looking for the doc that contains this edict; but ask mordred or anyone on the api-sig.)

Tags: api
Michael McCune (mimccune) wrote :

> (I'm still looking for the doc that contains this edict; but ask mordred or anyone on the api-sig.)

this document has not been published but has been discussed for quite a while now. you can see the review here:

https://review.opendev.org/#/c/459710/17/guidelines/discoverability.rst

see line 93

we (the api-sig) are working to get these backlogged guidelines published but this point about unauthenticated access to the version discovery is not in dispute.

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to nova (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/685180

Changed in nova:
assignee: nobody → Eric Fried (efried)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.opendev.org/685181

Changed in nova:
assignee: Eric Fried (efried) → melanie witt (melwitt)
melanie witt (melwitt)
Changed in nova:
assignee: melanie witt (melwitt) → Eric Fried (efried)
tags: added: api
Changed in nova:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Related fix merged to nova (master)

Reviewed: https://review.opendev.org/685180
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=49a9f4564487409ae8a4ea5aed39677e234afc01
Submitter: Zuul
Branch: master

commit 49a9f4564487409ae8a4ea5aed39677e234afc01
Author: Eric Fried <email address hidden>
Date: Thu Sep 26 15:10:26 2019 -0500

    Repro bug 1845530: versioned discovery is authed

    This recreates the referenced bug, demonstrating that requests for
    versioned discovery endpoints (/v2, /v2.1) are being piped through
    authentication.

    Change-Id: Iaef1229f542e4e824c6c5c73335bc601bed08c04
    Related-Bug: #1845530

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.opendev.org/685181
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=1e907602e37fb55bbe5a20164db6d074f87369af
Submitter: Zuul
Branch: master

commit 1e907602e37fb55bbe5a20164db6d074f87369af
Author: Eric Fried <email address hidden>
Date: Thu Sep 26 16:52:12 2019 -0500

    Allow versioned discovery unauthenticated

    Make routes to the versioned discovery documents (/v2, /v2.1) go through
    paste pipelines that don't require authentication, while leaving their
    sub-URLs (/v2.1/servers etc) requiring authentication.

    To make this work, our URLMap matcher gets support for a very
    rudimentary wildcard syntax, whereby api-paste.ini can differentiate
    between {/v2.1, /v2.1/} and /v2.1/$anything_else. The former points to
    the unauthenticated discovery app pipeline; the latter points to the
    existing "real API" pipeline. Similar for legacy v2.

    This entails a slight behavior change: requests to /v2 and /v2.1 used to
    302 redirect to /v2/ and /v2.1/, respectively. Now they just work.

    Change-Id: Id47515017982850b167d5c637d93b96ae00ba793
    Closes-Bug: #1845530
    Closes-Bug: #1728732

Changed in nova:
status: In Progress → Fix Released
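
Added example (not part of the bug report and not nova's URLMap code): a sketch of the routing split the fix commit describes, where only the exact paths /v2, /v2/, /v2.1 and /v2.1/ reach an unauthenticated pipeline and every sub-URL stays behind authentication. The pipeline names, the rule layout and the sample paths are assumptions made for illustration.

```python
# Added illustration, not nova's URLMap implementation. Pipeline names and the
# rule layout are hypothetical; only the /v2 and /v2.1 paths come from the report.
DISCOVERY = "version-discovery"   # pipeline without the auth filter
API = "compute-api"               # pipeline behind the auth filter

VERSION_PREFIXES = ("/v2", "/v2.1")


def route(path):
    """Return the pipeline for a request path, or None if nothing matches."""
    for prefix in VERSION_PREFIXES:
        # Exact match only: "/v2.1" and "/v2.1/" are the discovery document.
        if path in (prefix, prefix + "/"):
            return DISCOVERY
        # Wildcard: "/v2.1/<anything_else>" stays on the authenticated API.
        if path.startswith(prefix + "/"):
            return API
    return None


def status(path, token=None):
    """HTTP status a client would see. Any non-None token is accepted here."""
    pipeline = route(path)
    if pipeline is None:
        return 404
    if pipeline == API and token is None:
        return 401
    return 200


def unauthenticated_surface(paths):
    """Paths answering 200 with no token; should be discovery documents only."""
    return [p for p in paths if status(p) == 200]


# Constructed sample paths, including near-misses of the exact match.
SAMPLE_PATHS = [
    "/v2", "/v2/", "/v2.1", "/v2.1/",
    "/v2.1/servers", "/v2.1//", "/v2.1/.", "/v2/servers/detail",
    "/v2.1x", "/v2.10",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:22} -> {route(p)} ({status(p)})")
```

Because the unauthenticated rule is an exact match, near-misses such as /v2.1// or /v2.1/. fall through to the authenticated pipeline instead of widening the unauthenticated surface.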