Bug 1333728

Summary: Rest API allows creating network providers without required fields.
Product: [oVirt] ovirt-engine Reporter: Marcin Mirecki <mmirecki>
Component: BLL.NetworkAssignee: Marcin Mirecki <mmirecki>
Status: CLOSED CURRENTRELEASE QA Contact: Michael Burman <mburman>
Severity: low Docs Contact:
Priority: low    
Version: 4.0.0CC: bugs, danken, mmirecki, tnisan, ylavi
Target Milestone: ovirt-4.0.2Flags: rule-engine: ovirt-4.0.z+
rule-engine: planning_ack+
danken: devel_ack+
myakove: testing_ack+
Target Release: 4.0.2   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
The REST API allowed to create an openstack network provider without some required fields (plugin-type, username, password, tenant, auth-url). This patch adds the required validation.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-08-12 14:27:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Network RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Marcin Mirecki 2016-05-06 08:53:14 UTC 
The rest API allows to create a network provider without all the required data.

It is possible to submit a query:
POST
http://localhost:8080/ovirt-engine/api/openstacknetworkproviders
<openstack_network_provider>
<type>NEUTRON</type>
<name>x1</name>
<url>http://localhost:9696</url>
</openstack_network_provider>

This will create an openstack provider without 'tenant' or 'plugin type'.

This should be validated.
Comment 1 Juan Hernández 2016-05-06 09:00:19 UTC 
This is a business logic rule, so it should be validated by the backend's AddProvider command. It should generate the appropriate error message. The API will then return it to the caller.
Comment 2 Red Hat Bugzilla Rules Engine 2016-05-16 06:54:46 UTC 
Bug tickets must have version flags set prior to targeting them to a release. Please ask maintainer to set the correct version flags and only then set the target milestone.
Comment 3 Tal Nisan 2016-07-04 13:24:52 UTC 
How can this patch be merged in 4.0 and targeted to 4.1.0?
Comment 4 Dan Kenigsberg 2016-07-04 14:03:34 UTC 
I don't really know why Marcin rushed to backport this to 4.0, but it's even better as it is. Let's keep it there.
Comment 5 Michael Burman 2016-07-24 08:32:14 UTC 
Marcin, the validation working only for plugin type.

<fault>
<detail>[Openstack Neutron provider requires a plugin type.]</detail>
<reason>Operation Failed</reason>
</fault>

But it is still possible to create network provider without username, password, tenant, auth-url


<openstack_network_provider>
<type>NEUTRON</type>
<name>x2</name>
 <plugin_type>open_vswitch</plugin_type>
  <url>http://localhost:9696</url>
</openstack_network_provider>


<openstack_network_providerhref="/ovirt-engine/api/openstacknetworkproviders/ad6a4f89-4d02-4b5c-b51c-c7d4229dbba7"id="ad6a4f89-4d02-4b5c-b51c-c7d4229dbba7">
<actions>
<linkhref="/ovirt-engine/api/openstacknetworkproviders/ad6a4f89-4d02-4b5c-b51c-c7d4229dbba7/testconnectivity"rel="testconnectivity"/>
<linkhref="/ovirt-engine/api/openstacknetworkproviders/ad6a4f89-4d02-4b5c-b51c-c7d4229dbba7/importcertificates"rel="importcertificates"/>
</actions>
<name>x2</name>
<linkhref="/ovirt-engine/api/openstacknetworkproviders/ad6a4f89-4d02-4b5c-b51c-c7d4229dbba7/networks"rel="networks"/>
<linkhref="/ovirt-engine/api/openstacknetworkproviders/ad6a4f89-4d02-4b5c-b51c-c7d4229dbba7/certificates"rel="certificates"/>
<requires_authentication>false</requires_authentication>
<url>http://localhost:9696</url>
<plugin_type>open_vswitch</plugin_type>
<type>neutron</type>
</openstack_network_provider>

- Is this is OK? isn't should fail even if we not sending 
<requires_authentication>true</requires_authentication> ? 
I thought that the authentication is required..

Waiting for your response to decide if it's failed QA..Thanks)
Comment 6 Marcin Mirecki 2016-08-03 07:21:32 UTC 
Authentication is not always required.
The user could have a network provider setup which does not require authentication, and in this case you don't have do specify user/password/url

The flag which tells us if it is required is:
<requires_authentication>true</requires_authentication>

If this is set to TRUE, then we must have user/password/url

If it is not present or FALSE, then no authentication data is necessary.

Also note that for external providers tenant id is not required. Tenant is a openstack entity, so some implementations could not have this.

Note that in the UI you can also uncheck the requires authentication, and not specify user/...
Comment 7 Michael Burman 2016-08-03 08:09:41 UTC 
Thank you Marcin,
Base on comments 5 and 6 this is verified on - 4.0.2.3-0.1.el7ev