On 02/19/2016 11:20 AM, Sean McGinnis wrote: > On Fri, Feb 19, 2016 at 10:57:38AM -0500, Sean Dague wrote: >> The concern as I understand it is that by extending the v2 API with >> microversions the following failure scenario exists >> >> If: >> >> 1) a client already is using the /v2 API >> 2) a client opt's into using microversions on /v2 >> 3) that client issues a request on a Cinder API v2 endpoint without >> microversion support >> 4) that client fails check if micoversions are supported by a GET of /v2 >> or by checking the return of the OpenStack-API-Version return header >> 5) that client issues a request against a resource on /v2 with >> parameters that would create a radically different situation that would >> be hard to figure out later. >> >> And, only if all these things happen is there a concern. > > I think it's actually even simpler than that. And possibly therefore > more likely to actually happen in the wild. > > 1) a client already is using microversions
But, there are no such clients today. And there is no library that does this yet. It will be 4 - 6 months (or even more likely 12+) until that's in the ecosystem. Which is why adding the header validation to existing v2 API, and backporting to liberty / kilo, will provide really substantial coverage for the concern the bswartz is bringing forward. -Sean -- Sean Dague http://dague.net __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev