yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1845530] Re: Versioned discovery endpoint should not require authentication

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1845530@xxxxxxxxxxxxxxxxxx>
Date: Wed, 08 Apr 2020 11:12:03 -0000
Reply-to: Bug 1845530 <1845530@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Reviewed:  https://review.opendev.org/685181
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=1e907602e37fb55bbe5a20164db6d074f87369af
Submitter: Zuul
Branch:    master

commit 1e907602e37fb55bbe5a20164db6d074f87369af
Author: Eric Fried <openstack@xxxxxxxx>
Date:   Thu Sep 26 16:52:12 2019 -0500

    Allow versioned discovery unauthenticated
    
    Make routes to the versioned discovery documents (/v2, /v2.1) go through
    paste pipelines that don't require authentication, while leaving their
    sub-URLs (/v2.1/servers etc) requiring authentication.
    
    To make this work, our URLMap matcher gets support for a very
    rudimentary wildcard syntax, whereby api-paste.ini can differentiate
    between {/v2.1, /v2.1/} and /v2.1/$anything_else. The former points to
    the unauthenticated discovery app pipeline; the latter points to the
    existing "real API" pipeline. Similar for legacy v2.
    
    This entails a slight behavior change: requests to /v2 and /v2.1 used to
    302 redirect to /v2/ and /v2.1/, respectively. Now they just work.
    
    Change-Id: Id47515017982850b167d5c637d93b96ae00ba793
    Closes-Bug: #1845530
    Closes-Bug: #1728732


** Changed in: nova
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1845530

Title:
  Versioned discovery endpoint should not require authentication

Status in OpenStack Compute (nova):
  Fix Released

Bug description:
  stack@nucle:/opt/stack/cyborg$ openstack endpoint list
  +----------------------------------+-----------+--------------+----------------+---------+-----------+-------------------------------------------------+
  | ID                               | Region    | Service Name | Service Type   | Enabled | Interface | URL                                             |
  +----------------------------------+-----------+--------------+----------------+---------+-----------+-------------------------------------------------+
  <snip>
  | 9d483c8a6162422282514191683751cb | RegionOne | nova         | compute        | True    | public    | http://192.168.218.28/compute/v2.1              |
  <snip>
  +----------------------------------+-----------+--------------+----------------+---------+-----------+-------------------------------------------------+
  stack@nucle:/opt/stack/cyborg$ curl http://192.168.218.28/compute/v2.1 
  {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}

  Discovery endpoints should not require authentication.

  (I'm still looking for the doc that contains this edict; but ask
  mordred or anyone on the api-sig.)

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1845530/+subscriptions

References

[Bug 1845530] [NEW] Versioned discovery endpoint should not require authentication
From: Eric Fried, 2019-09-26