yahoo-eng-team team mailing list archive

Thread
Date

[Bug 2126676] [NEW] Response body schema should not be enabled by default

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Stephen Finucane <2126676@xxxxxxxxxxxxxxxxxx>
Date: Thu, 02 Oct 2025 16:40:41 -0000
Reply-to: Bug 2126676 <2126676@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

Public bug reported:

Recent versions of Keystone have introduced schemas for both requests
and responses. However, unlike services like Nova, Ironic and Manila,
response body schema validation in Keystone is always enabled. This
should not be the case. Repeating from the docs for the '[api]
response_validation' option in Manila [1]:

> ``error`` should not be used in a production environment. This is because
> schema validation happens *after* the response body has been generated, meaning
> any side effects will still happen and the call may be non-idempotent despite
> the user receiving a HTTP 500 error.

We should introduce an equivalent option in Keystone that like those
services defaults to 'warn', not 'error'. We can then change the default
in Tempest/DevStack.

[1]
https://review.opendev.org/c/openstack/manila/+/917153/6/manila/api/openstack/__init__.py#69

** Affects: keystone
     Importance: Undecided
         Status: In Progress

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2126676

Title:
  Response body schema should not be enabled by default

Status in OpenStack Identity (keystone):
  In Progress

Bug description:
  Recent versions of Keystone have introduced schemas for both requests
  and responses. However, unlike services like Nova, Ironic and Manila,
  response body schema validation in Keystone is always enabled. This
  should not be the case. Repeating from the docs for the '[api]
  response_validation' option in Manila [1]:

  > ``error`` should not be used in a production environment. This is because
  > schema validation happens *after* the response body has been generated, meaning
  > any side effects will still happen and the call may be non-idempotent despite
  > the user receiving a HTTP 500 error.

  We should introduce an equivalent option in Keystone that like those
  services defaults to 'warn', not 'error'. We can then change the
  default in Tempest/DevStack.

  [1]
  https://review.opendev.org/c/openstack/manila/+/917153/6/manila/api/openstack/__init__.py#69

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2126676/+subscriptions