Trove API accepts negative volume size in instance create

Bug #1432212 reported by Shayne Burgess
This bug affects 1 person
Affects: OpenStack DBaaS (Trove)
Status: Fix Released
Importance: Low
Assigned to: Shayne Burgess

Bug Description

The trove client validates that the volume size specified is 0 or greater but the API doesn't. If you issue this request directly against the API you can try to create an instance with a negative volume; this actually fails when the task manager calls the cinder client to create the volume.

A minor issue but it's a bad experience because it always leaves an instance in error state and it really messes with Horizon, which has a lot of trouble rendering the negative volume size value.

We found this in our pen testing of the API.

Shayne Burgess (shayne-burgess) wrote :

Same issue exists in cluster create

OpenStack Infra (hudson-openstack) wrote : Fix proposed to trove (master)

Fix proposed to branch: master
Review: https://review.openstack.org/164460

Changed in trove:
assignee: nobody → Shayne Burgess (shayne-burgess)
status: New → In Progress
Sushil Kumar (sushil-kumar2) wrote :

I have doubts on this because the rules in apischema suggest that it cannot have a negative value.

Sushil Kumar (sushil-kumar2) wrote :

Look, I tried to create one with -ve size and got this:

{"instance": {"volume": {"size": -2}, "flavorRef": "2", "name": "test"}} from (pid=6861) authorize /mnt/stack/trove/trove/common/auth.py:67
2015-03-15 09:05:18.932 DEBUG trove.common.wsgi [req-e38d8044-d7b1-473c-a65d-1fb02b9ff4d5 3b9db0087ce24e088b1f54ce366e54f7 5017f5ad40c1439f972351b523767de6] Getting schema for type:create from (pid=6861) get_schema /mnt/stack/trove/trove/common/wsgi.py:372
2015-03-15 09:05:18.932 DEBUG trove.common.wsgi [req-e38d8044-d7b1-473c-a65d-1fb02b9ff4d5 3b9db0087ce24e088b1f54ce366e54f7 5017f5ad40c1439f972351b523767de6] Found Schema: none from (pid=6861) get_schema /mnt/stack/trove/trove/common/wsgi.py:377
2015-03-15 09:05:18.933 INFO trove.common.wsgi [req-e38d8044-d7b1-473c-a65d-1fb02b9ff4d5 3b9db0087ce24e088b1f54ce366e54f7 5017f5ad40c1439f972351b523767de6] Validation error: instance['volume']['size'] -2 is not valid under any of the given schemas; -2 is less than the minimum of 0; -2 is not of type 'string'
2015-03-15 09:05:18.934 DEBUG trove.common.wsgi [req-e38d8044-d7b1-473c-a65d-1fb02b9ff4d5 3b9db0087ce24e088b1f54ce366e54f7 5017f5ad40c1439f972351b523767de6] Traceback (most recent call last):
  File "/mnt/stack/trove/trove/common/wsgi.py", line 247, in execute_action
    self.controller.validate_request(action, action_args)
  File "/mnt/stack/trove/trove/common/wsgi.py", line 404, in validate_request
    raise exception.BadRequest(message=error_msg)
BadRequest: Validation error: instance['volume']['size'] -2 is not valid under any of the given schemas; -2 is less than the minimum of 0; -2 is not of type 'string'

OpenStack Infra (hudson-openstack) wrote : Fix merged to trove (master)

Reviewed: https://review.openstack.org/164460
Committed: https://git.openstack.org/cgit/openstack/trove/commit/?id=2d1c77ec670e660e65fa85ed97dda89e3030db8e
Submitter: Jenkins
Branch: master

commit 2d1c77ec670e660e65fa85ed97dda89e3030db8e
Author: shayne-burgess <email address hidden>
Date: Sat Mar 14 13:15:46 2015 -0700

    Reject negative volume size in API

    Quick fix to validate volume size on cluster/instance create.
    Failing early prevents Horizon from having issues displaying the
    volume size.

    This fix actually now restricts the size to just positive integers;
    before, you could enter anything that had a number in it. Examples
    that were valid before this fix for the volume size: "1a", "-1",
    "aaaaaaaa1", etc.

    Change-Id: Ia2a6a160a5d0d58c8421d733113ca1546ed8c424
    Closes-Bug: #1432212

Changed in trove:
status: In Progress → Fix Committed
Changed in trove:
milestone: none → kilo-rc1
Thierry Carrez (ttx)
Changed in trove:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in trove:
milestone: kilo-rc1 → 2015.1.0
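
Added example, not code from Trove or from anyone in this thread: it shows how the integer -2 in the log above can be rejected while the strings listed in the commit message still pass, because a JSON Schema "pattern" is not anchored. Both patterns, the function names and the sample list are assumptions made for illustration; the real apischema rule is not shown on this page.

```python
import re

# Assumed pre-fix rule, reconstructed from the log and commit message above:
# size is valid if it is an integer >= 0 OR a string matching a digit pattern.
# JSON Schema "pattern" is unanchored, so it behaves like re.search().
LOOSE_PATTERN = r"[0-9]+"        # hypothetical; the real pattern is not on this page
STRICT_PATTERN = r"[1-9][0-9]*"  # hypothetical; applied with fullmatch() below


def _is_int(value):
    # bool is a subclass of int in Python; JSON true/false must not count.
    return isinstance(value, int) and not isinstance(value, bool)


def loose_size_ok(value):
    """Pre-fix behaviour: any-of(integer >= 0, string containing a digit)."""
    if _is_int(value):
        return value >= 0
    if isinstance(value, str):
        return re.search(LOOSE_PATTERN, value) is not None
    return False


def strict_size_ok(value):
    """Post-fix intent: positive integers only. Taking "positive" literally
    (0 rejected) and still allowing all-digit strings are assumptions."""
    if _is_int(value):
        return value >= 1
    if isinstance(value, str):
        # fullmatch, not "^...$": "$" would still accept a trailing newline.
        return re.fullmatch(STRICT_PATTERN, value) is not None
    return False


def audit(samples):
    """Return the samples the loose rule accepts but the strict rule rejects."""
    return [s for s in samples if loose_size_ok(s) and not strict_size_ok(s)]


# Constructed sample inputs: the integer from the log, the strings listed in
# the commit message, two legitimate sizes and a JSON boolean.
SAMPLES = [-2, "-1", "1a", "aaaaaaaa1", 5, "5", True]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), loose_size_ok(s), strict_size_ok(s))
    print("accepted only by the loose rule:", audit(SAMPLES))
```

Running the same audit over the request bodies used in API tests is a quick way to confirm that server-side validation is at least as strict as the client's.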