Public bug reported: Both the placement and nova apis allow oslo_middleware.cors in their WSGI middleware stacks.
Placement has some gabbi functional tests which test that the middleware is present and does the right thing when using the middleware's own configuration defaults. Both when it is on or off in cors.yaml and non- cors.yaml. However, the WSGI application that is actually used in a deployment, the one created by nova/api/openstack/placement/wsgi.py is not used in those functional tests. That code calls the set_defaults method on the cors middleware to change and define those HTTP headers and request methods which will be allowed without further configuration. As far as I know, nothing (such as a tempest test) confirms those headers in either placement or nova, and it's relatively certain they are incomplete with regard to microversions (as OpenStack-API-Version and X-OpenStack-Nova-API-Version). This bug is the result of discussion on https://review.openstack.org/#/c/587183/2/nova/api/openstack/placement/wsgi.py The gabbi tests show the kinds of requests that can be done to confirm the right headers are generated: https://github.com/openstack/nova/blob/master/nova/tests/functional/api/openstack/placement/gabbits/cors.yaml https://github.com/openstack/nova/blob/master/nova/tests/functional/api/openstack/placement/gabbits /non-cors.yaml ** Affects: nova Importance: Undecided Status: New ** Tags: api placement -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Compute (nova). https://bugs.launchpad.net/bugs/1784664 Title: cors.set_defaults does not have real test coverage in placement and probably not nova either Status in OpenStack Compute (nova): New Bug description: Both the placement and nova apis allow oslo_middleware.cors in their WSGI middleware stacks. Placement has some gabbi functional tests which test that the middleware is present and does the right thing when using the middleware's own configuration defaults. Both when it is on or off in cors.yaml and non-cors.yaml. However, the WSGI application that is actually used in a deployment, the one created by nova/api/openstack/placement/wsgi.py is not used in those functional tests. That code calls the set_defaults method on the cors middleware to change and define those HTTP headers and request methods which will be allowed without further configuration. As far as I know, nothing (such as a tempest test) confirms those headers in either placement or nova, and it's relatively certain they are incomplete with regard to microversions (as OpenStack-API-Version and X-OpenStack-Nova-API-Version). This bug is the result of discussion on https://review.openstack.org/#/c/587183/2/nova/api/openstack/placement/wsgi.py The gabbi tests show the kinds of requests that can be done to confirm the right headers are generated: https://github.com/openstack/nova/blob/master/nova/tests/functional/api/openstack/placement/gabbits/cors.yaml https://github.com/openstack/nova/blob/master/nova/tests/functional/api/openstack/placement/gabbits /non-cors.yaml To manage notifications about this bug go to: https://bugs.launchpad.net/nova/+bug/1784664/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
