watcher

No CORS support

Bug #2122347 reported by Takashi Kajinami on 2025-09-08

This bug affects 1 person

	Status	Importance	Assigned to
watcher	Fix Released	High	Takashi Kajinami
2024.1	New	Undecided	Unassigned
2024.2	New	Undecided	Unassigned
2025.1	New	Undecided	Unassigned
2025.2	Fix Released	High	Takashi Kajinami

Bug Description

OpenStack introduced CORS support globally using the CORS middleware from oslo.middleware[1]. This is required to allow cross-origin access by external application.

[1] https://docs.openstack.org/oslo.middleware/2025.1/admin/cross-project-cors.html

However this middleware is not part of the api pipeline of watcher.
Because current watcher provides no mechanism to inject additional middlewares, there is not way to use this feature.

Tags:

OpenStack Infra (hudson-openstack) on 2025-09-08

Changed in watcher:
status:	New → In Progress

sean mooney (sean-k-mooney) on 2025-09-08

Changed in watcher:
importance:	Undecided → High
tags:	added: api
Changed in watcher:
assignee:	nobody → Takashi Kajinami (kajinamit)

Revision history for this message

sean mooney (sean-k-mooney) wrote on 2025-09-08:

its still TBD if we will choose to backport this but we will ask for guidance form the stable team and either triage or close the other series.

2024.1 may be unmaintained by the time this will be resolved so we may also stop at 2025.1 or 2024.2 depending on what is maintained at that point.

overall while this is somewhat a feature given CORS is an important security hardening tool
and we cannot always rely on a reverse proxy/web server to do this for the wsgi application i think
there is at least merit in consider back porting this to reduce operator pain.

i believe it is possible if not simple to have Apache or similar handle the CORS enforcement for the wsgi application upstream but there is merit in adopting the standard approach provided by oslo so that watcher is not special in this regard.

as such i am triaging this as high and targeting it to all current stable branches
until we get wider input.

Revision history for this message

sean mooney (sean-k-mooney) wrote on 2025-09-08:

master: https://review.opendev.org/c/openstack/watcher/+/960044

Revision history for this message

Elod Illes (elod-illes) wrote on 2025-09-10:

Hi Sean, in general, features are not allowed to be backported, based on stable policy. On the other hand, there could be exceptions if the team deems so, especially as this feature does not seem to be a complex change in Watcher, if your patch [1] is the only change that is needed for this. There are teams that do upstream backports of some feature-like small patches (for example cinder driver things), so it's not unprecedented, at least. So the team can decide whether to backport this upstream, or it is something that vendors need to do downstream.

[1] https://review.opendev.org/c/openstack/watcher/+/960044

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2025-09-15: Fix merged to watcher (master)

Reviewed: https://review.opendev.org/c/openstack/watcher/+/960044
Committed: https://opendev.org/openstack/watcher/commit/e1c8961a7c7d2602ee3c28adc60b2d1f2f0a2a94
Submitter: "Zuul (22348)"
Branch: master

commit e1c8961a7c7d2602ee3c28adc60b2d1f2f0a2a94
Author: Takashi Kajinami <email address hidden>
Date: Mon Sep 8 22:11:48 2025 +0900

Fix missing CORS middleware

    CORS middleware needs to be added to api pipeline to support
    Cross-Origin Resource Sharing(CORS). CORS is supported globally by
    multiple OpenStack services but is not by watcher, due to lack of
    CORS middleware and no mechanism to inject it into api pipeline.

    Closes-Bug: #2122347
    Change-Id: I6b47abe4f08dc257e9156b254fa60005b82898d7
    Signed-off-by: Takashi Kajinami <email address hidden>

Changed in watcher:
status:	In Progress → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.