yahoo-eng-team team mailing list archive

[Bug 2126676] [NEW] Response body schema should not be enabled by default

 

Public bug reported:

Recent versions of Keystone have introduced schemas for both requests
and responses. However, unlike services like Nova, Ironic and Manila,
response body schema validation in Keystone is always enabled. This
should not be the case. Repeating from the docs for the '[api]
response_validation' option in Manila [1]:

> ``error`` should not be used in a production environment. This is because
> schema validation happens *after* the response body has been generated, meaning
> any side effects will still happen and the call may be non-idempotent despite
> the user receiving a HTTP 500 error.

We should introduce an equivalent option in Keystone that, like those
services, defaults to 'warn', not 'error'. We can then change the default
in Tempest/DevStack.

[1]
https://review.opendev.org/c/openstack/manila/+/917153/6/manila/api/openstack/__init__.py#69

** Affects: keystone
     Importance: Undecided
         Status: In Progress

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2126676

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2126676/+subscriptions
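
The failure mode described in the quoted Manila documentation, as an added sketch that is not part of the original bug report and not Keystone or Manila code. `CONF`, `response_schema`, `create_user`, `run` and the required-key check (standing in for JSON Schema validation) are hypothetical names, and the in-memory `USERS` store is constructed for the demonstration.

```python
import functools
import logging

LOG = logging.getLogger("response_validation_demo")
CONF = {"response_validation": "warn"}  # hypothetical stand-in for the config option
USERS = {}                              # constructed in-memory "database"

class InternalServerError(Exception):
    """Stands in for the HTTP 500 returned to the client."""

def response_schema(required):
    """Check the handler's return value; a required-key check stands in for JSON Schema."""
    def decorator(handler):
        @functools.wraps(handler)
        def wrapper(*args, **kwargs):
            body = handler(*args, **kwargs)   # handler side effects are already done
            missing = sorted(required - set(body))
            if missing and CONF["response_validation"] == "error":
                raise InternalServerError(f"response missing {missing}")
            if missing:
                LOG.warning("response does not match schema, missing %s", missing)
            return body
        return wrapper
    return decorator

@response_schema(required={"id", "name", "enabled"})
def create_user(name):
    user_id = f"u{len(USERS) + 1}"
    USERS[user_id] = {"id": user_id, "name": name}   # write happens before validation
    return dict(USERS[user_id])                      # 'enabled' missing: schema violation

def run(mode, name):
    """Call create_user under `mode`; return (status the client sees, rows stored)."""
    CONF["response_validation"] = mode
    try:
        create_user(name)
        return "200", len(USERS)
    except InternalServerError:
        return "500", len(USERS)

if __name__ == "__main__":
    print(run("error", "alice"))   # client sees a 500, yet the user was created
    print(run("error", "alice"))   # a client retry creates a second record
    print(run("warn", "bob"))      # mismatch is logged, client gets the body
```

In 'error' mode the stored row count grows on every call even though each call reports a failure, which is the non-idempotent behaviour the report wants to keep out of production defaults.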