Merge "api: relax validation for unversioned requests"
This commit is contained in:
commit
41bf5302e7
199
specs/liberty/approved/api-relax-validation.rst
Normal file
199
specs/liberty/approved/api-relax-validation.rst
Normal file
@ -0,0 +1,199 @@
|
||||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==========================================
|
||||
Relax API validation for v2.0 on v2.1
|
||||
==========================================
|
||||
|
||||
https://blueprints.launchpad.net/nova/+spec/api-relax-validation
|
||||
|
||||
Currently v2.1 strongly validates all API requests.
|
||||
|
||||
This spec details how we will relax some validation for v2.0 API requests
|
||||
served by the v2.1 code base.
|
||||
Note requests being sent to /v2.1 will keep their full strong validation.
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
We hope that in the near future, all request to nova API can be processed by
|
||||
the new API v2.1 code base.
|
||||
At that point, we will be able to deprecate, then delete, the current v2.0
|
||||
API implementation, and return to a single API implementation.
|
||||
|
||||
While all clients making valid requests to the v2.0 API will get the same
|
||||
results talking to the v2.1 API, there are issues.
|
||||
Various types of "invalid" requests are currently accepted by v2.0, but would
|
||||
be rejected by v2.1.
|
||||
Even tempest was found to be making invalid requests:
|
||||
https://review.openstack.org/#/c/138245
|
||||
|
||||
Use Cases
|
||||
----------
|
||||
|
||||
We need it to be low risk for users to deploy v2.1 to deal with the current
|
||||
requests for v2.0.
|
||||
|
||||
While initial tests of some major SDKs have shown they appear to be making
|
||||
correct requests to our v2.0 API, not all users use an SDK.
|
||||
|
||||
Given the problems found in the tempest test suite, where invalid requests
|
||||
were being made to the v2.0 API, it must be assumed that users who have
|
||||
written their own code to access our API will have made similar mistakes.
|
||||
Where possible, we want these users to be unaffected by the change from
|
||||
v2.0 to v2.1.
|
||||
|
||||
It is expected that SDKs will be updated to start adding the version headers
|
||||
for all their requests to the API. At this point, they will start to get the
|
||||
full benefits of strong API validation. Only those users that are still not
|
||||
specifying the version headers would be getting the weaker validation.
|
||||
|
||||
Project Priority
|
||||
-----------------
|
||||
|
||||
Part of the API v2.1 effort.
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
The API v2.1 validation logic will change such that:
|
||||
|
||||
* requests to /v2.1 work the same as today after this change
|
||||
|
||||
* requests to /v2 will have relaxed validation, and will ignore
|
||||
X-OpenStack-Nova-API-Version headers, and always return /v2 responses
|
||||
|
||||
* requests made to /v2 will never return X-OpenStack-Nova-API-Version headers,
|
||||
even when powered by the v2.1 codebase
|
||||
|
||||
* if we keep /v1.1 it will remain the same as /v2
|
||||
|
||||
The relaxed validation consists of:
|
||||
|
||||
* no longer error out requests due to additionalProperties, instead when
|
||||
the request if for the /v2 API we just ignore those additionalProperties.
|
||||
|
||||
In addition:
|
||||
|
||||
* any request to /v2 that includes headers for /v2.1 will be ignored when
|
||||
v2.1 codebase is used to deliver the /v2 requests, so it matches what
|
||||
the v2 codebase is doing today.
|
||||
|
||||
For more details see REST API impact.
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
The main alternative is to not do this, which is likely to lead to slower
|
||||
adoption of v2.1.
|
||||
|
||||
We could also allow /v2 requests to be sent to /v2.1, but that would
|
||||
confuse matters, /v2 should just ignore the version headers.
|
||||
|
||||
We could ensure that any requests to /v2 error out if you sent the
|
||||
X-OpenStack-Nova-API-Version header, but as python-novaclient already
|
||||
sends that header for all /v2 requests, it would create another backwards
|
||||
compatibility issue.
|
||||
|
||||
Instead of just ignoring parameters, it would be nice to also strip out
|
||||
any invalid parameters before passing through the request to the v2.1 code.
|
||||
It also feels slightly better from an input validation and security point
|
||||
of view, but it does risk changing how the API behaves.
|
||||
We could still look to add this at a later date, if it turns out to be a
|
||||
good idea.
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
None
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
This will have zero impact for the /v2.1 endpoint.
|
||||
|
||||
The /v2 endpoint powered by the v2.1 code gets the relaxed validation to
|
||||
make it more compatible, as mentioned above.
|
||||
|
||||
In addition /v2 endpoint thats powered by the v2.1 code should never accept
|
||||
any requests not accepted by /v2, and should only return /v2 like responses.
|
||||
Basically, it should always ignore any X-OpenStack-Nova-API-Version
|
||||
just like the the v2 code base does today.
|
||||
|
||||
For consistency, /v1.1 will be the same as /v2
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
None
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
None
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
None
|
||||
|
||||
Performance Impact
|
||||
------------------
|
||||
|
||||
None
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
None
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
None
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
johnthetubaguy and alex_xu
|
||||
|
||||
Work Items
|
||||
----------
|
||||
|
||||
* relax validation for /v2 requests when using v2.1 codebase,
|
||||
instead just ignore bad properties
|
||||
|
||||
* requests made to /v2 will never return X-OpenStack-Nova-API-Version headers,
|
||||
even when powered by the v2.1 codebase
|
||||
|
||||
* ensure that /v2 served up by the v2.1 codebase ignores any
|
||||
of the X-OpenStack-Nova-API-Version headers,
|
||||
just like v2.0 code base does.
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
None
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
Additional unit tests and integration tests should be enough to cover these
|
||||
changes.
|
||||
|
||||
Documentation Impact
|
||||
====================
|
||||
|
||||
None
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
None
|
Loading…
Reference in New Issue
Block a user