Nova V3 API

There has been a lot of discussion on the openstack-dev mailing list around the future of the Nova API. This document tries to cover the problems with the v2 API, what has been developed with the v3 API to address these and how we can resolve some of the issues with long term maintenance of two APIs. As well as strategies for coping with backwards incompatible changes into the future whilst still minimising maintenance overhead.

Note that this document does not attempt to compare the proposed V2 API only proposal against proceeding with V3 API.

1. Problems with the V2 API
   1. User facing problems
      1. Incorrect success return codes
      2. Poor input validation
      3. Poor error handling
      4. API inconsistencies
   2. Developer and Operator issues
      1. Immature plugin loader
      2. Inconsistent way of implementing API features
      3. Lack of versioning
      4. Poor input validation
2. Status of the v3 API
3. v3 API improvements
   1. User facing improvements and changes
      1. JSON schema input validation
      2. Fixes incorrect success return codes
      3. API plugins are explicitly versioned
      4. Removes project id from the url
      5. Fixes API inconsistencies
      6. Reduction in API extensions
   2. Developers and Operators
      1. Improved framework for API plugins
      2. Impact of JSON Schema input validation
      3. Explicit declaration of what errors may be returned from a method
      4. Ability to whitelist/blacklist plugins
      5. Policy checks at API level
      6. More fine-grained extensions
      7. Improved unittests
4. Long term dual maintenance costs
   1. Measuring the dual maintenance cost and short term solutions
   2. Long term option 1 (v2.1 based on the v3 codebase)
   3. Long term option 2 (Proxy)
   4. Handling API changes in the future

Problems with the v2 API

The Nova v2 API is essentially the first version of the Nova API and has grown fairly organically over time. Nova has grown very quickly over a short period of time, and although in recent times we have started to raise the bar when it comes to reviewing changes to the API, historically adding features quickly has taken priority. Both the API itself, and especially how to add features to the API, has been inadequately documented. Often API features have been written by cut and pasting existing code and modifying it to suit, and as a result a lot of bugs and inconsistencies have arisen, depending on exactly what API features another was based on.

Work first started in Grizzly to address some of these problems, but it was quickly realised that many of the problems could not be fixed without backwards incompatible changes. A larger range of fixes was proposed and discussed at a couple of the Havana design summit sessions, and patches started merging soon after. Some of the issues are:

User facing problems

• Incorrect success return codes.

Although strictly speaking changing error return codes is a backwards incompatible change, We have traditionally made them anyway to the v2 API. However there are also cases in the v2 API where we return incorrect success codes. For example, there are cases where we return a 200 (OK) or 201 HTTP (CREATED) status code when on the backend this actually an asynchronous call which may fail. We should instead be returning a 202 (ACCEPTED).

Currently clients who trust that we return correct success codes are most likely assuming that operations have succeeded when under load they will fail occassionally.

• Poor input validation.

User input is poorly or not validated at the API level. There are cases where parameters are not correctly checked at the API level which leads to more complicated or incorrect error handling at a lower level. In other cases extraneous data is not correctly rejected and so clients send data they think is being used, but is in fact being ignored.

This has not been helped by API samples which are used for our documentation being incorrect and so we have explicitly mislead users as to how to use our API. Although the API samples are run through the actual API code, the v2 API input validation has not picked up these problems and we have not noticed until we implemented strong input validation for the v3 API.

If we can't always get our API samples correct which are often written by the people writing the API features, its unlikely that people writing against our API are going to be significantly better at it. So we can not arbitrarily tighten the input validation as this would be a backwards incompatible change which would break existing applications.

• Poor or inconsistent error handling.

Exceptions from Nova internal Nova code have not been consistently caught leading to poor quality error messages being sent to clients. Some cases were found which were in fact quite misleading about the real nature of the error

• API inconsistencies.

As the v2 API has grown very quickly without programmers and reviewers looking at the overall big picture of the Nova API or REST API design guidelines, it has grown quite self inconsistent. Simple things such as using CamelCase or Snake_Case across the API (we even end up with both within the same API call), a consistent way of naming extension or even naming concepts with Nova. For example in some areas we talk about instances, in others refer to the same thing as a server. Or use project and tenant interchangeably. As a result for some of these issues we end up with prominent explanations to reduce user confusion. It's not an issue for those who have become familiar with Nova's quirks, but it is a barrier to new users.

Developer and Operator issues

There are a number of issues with the v2 API implementation which lead to higher development and maintenance costs for the Nova API. Together with the primarily user facing issues this results in a code base which is a lot more fragile than we would otherwise like to have.

• Immature plugin loader.

The v2 API plugin loader is a pretty basic Nova specific hand crafted implementation, which has lead to compromises in the way that API features are added. There are now python modules available which can do a lot of the hard work for us

• Inconsistent way of implementing API features.

The way that the core parts of the v2 API are implemented is quite different to they way that API extensions are implemented. This results in a higher learning curve and maintenance overhead for developers and reviewers as there are two ways of doing the same thing.

Partly as a result of the way the v2 API plugin loader works there are also areas where there is a lack of clean separation of API features, which results in much more complicated code and higher maintenance costs for the API.

• Lack of versioning.

The v2 API features (extensions or core) are not versioned. This has lead us to a quite ugly work around where we have to create a new extension that users can look for whenever we want to make a backwards compatible change.

• Poor input validation.

Although poor input validation is primarily a user facing issue, it is also a maintenance cost for the development community. Because it makes it more likely that changes to the API layer or indeed even further will accidentally change our API and break applications.

Status of the v3 API

Development of the v3 API started with some prototype code for the new API plugin framework at the Havana summit. Most of the API code was ported and merged during Havana, with a focus on testing, API input validation and more generic cleanups in Icehouse. Most of the code discussed to be done at the Icehouse summit has been completed and submitted for review, though there is still some that has not yet merged.

The tempest tests have been adjusted for the cleaned up v3 API and the v3 API tempest tests are part of the gate that all changes have to pass.

python-novaclient support has been implemented and merged.

As a very rough measure of the amount of effort required to get to where we for just changes in the Nova repository (so it doesn't count tempest or python-novaclient development), there are around 400+ V3 API related patches merged over both Havana and Icehouse. This does not include the extra "part 1" patches which were a result of making it easier to review initial V3 code, but would include some unrelated bug fixes. There are approximately 30 or so patches which were in the review queue until they were frozen pending the Nova API discussions.

There is no XML support in the v3 API as the v2 API support for XML has been marked deprecated. There is also no proxying of information to neutron, glance or cinder which can be instead queried from those services directly. It is expected that instead client libraries will handle that. python-novaclient does this where necessary and leaves the rest to the various service clients. Eventually it is expected that the openstack client will handle it as a unified interface, cutting back further on duplicated code. Retaining proxying support in the Nova api in the very long term means duplicated code between the Nova API and openstack clients which has extra maintenance overhead.

There were two reasons behind delaying the release of the v3 API in Icehouse. The first was that development of nova-network was unfrozen early in I-3. Originally nova-network was deprecated and so nova-network support was explicitly being removed from the v3 API. As a result of nova-network now becoming required, the nova-network related code will also have to be ported to the v3 API.

The second reason was that the new tasks API work was not completed in time. As discussed at the mid cycle meetup we did not want to compromise on the design of the tasks API and it requires non backwards compatible changes to several API areas. To reduce the risk of getting this very last minute API changes wrong and having to live with those bugs for a very long time, it was decided to defer marking the v3 API as supported rather than experimental.

v3 API improvements

User facing improvements

• JSON schema input validation.

Strong input validation has been added using JSON schema. The v3 API is very strict about the rejecting malformed data, whether it be part of the expected data, or extraneous data. It also has some nice potential side-effect improvements.

• The ability to autogenerate input API samples. Which with the v2 API infrastructure are created manually by the programmer writing the API feature which they sometimes get wrong
• The JSON schema work is part of the bigger desired feature so we offer an API auto-discovery and auto-building of client libraries.
• The JSON schema can be used to help automate tempest negative testing (passing invalid data and verify it is correctly rejected) of the Nova API.
• Fixes incorrect success return codes.

We now correctly return 202 for asynchronous calls where we don't know if the operation requested will succeed or not

• API plugins are explicitly versioned so clients can tell what features will be available.
• Removes the project_id from the url. The relevant project_id information for the user is already passed as part of the token passed to Nova. Passing it twice is not only unnecessary but confusing when the operation is across all projects or a different one to the one related to authentication.
• Fixes API inconsistencies

The v3 API has made the backwards incompatible changes such that weird non-REST-like design quirks of the API have been removed, and there is uniform naming format and concepts across the API. Eg extensions are named consistently, we don't use different names for the same concepts and snake_case is used uniformly for data parameters received and returned.

For example the v2 API version of a detailed server list looks like:

v2 API

v3 API

{ "servers": [ { "OS-DCF:diskConfig": "AUTO", "OS-EXT-AZ:availability_zone": "nova", "OS-EXT-SRV-ATTR:host": "f43a596b8ec841e4bd486473ba0693bb", "OS-EXT-SRV-ATTR:hypervisor_hostname": "fake-mini", "OS-EXT-SRV-ATTR:instance_name": "instance-00000001", "OS-EXT-STS:power_state": 1, "OS-EXT-STS:task_state": null, "OS-EXT-STS:vm_state": "active", "OS-SRV-USG:launched_at": "2013-05-02T19:14:01.806067", "OS-SRV-USG:terminated_at": null, "accessIPv4": "", "accessIPv6": "", "addresses": { "private": [ { "OS-EXT-IPS-MAC:mac_addr": "aa:bb:cc:dd:ee:ff", "OS-EXT-IPS:type": "fixed", "addr": "192.168.0.3", "version": 4 } ] }, "config_drive": "", "created": "2013-05-02T19:14:01Z", "flavor": { "id": "1", "links": [ { "href": "http://openstack.example.com/openstack/flavors/1", "rel": "bookmark" } ] }, "hostId": "6a892e9c0d3105ce7c93fd44982253a16d6bd760fc80cb686cfe1c18", "id": "cdd530d5-140d-4f16-88a6-690cbbabc186", "image": { "id": "70a599e0-31e7-49b7-b260-868f441e862b", "links": [ { "href": "http://openstack.example.com/openstack/images/70a599e0-31e7-49b7-b260-868f441e862b", "rel": "bookmark" } ] }, "key_name": null, "links": [ { "href": "http://openstack.example.com/v2/openstack/servers/cdd530d5-140d-4f16-88a6-690cbbabc186", "rel": "self" }, { "href": "http://openstack.example.com/openstack/servers/cdd530d5-140d-4f16-88a6-690cbbabc186", "rel": "bookmark" } ], "metadata": { "My Server Name": "Apache1" }, "name": "new-server-test", "progress": 0, "security_groups": [ { "name": "default" } ], "status": "ACTIVE", "tenant_id": "openstack", "updated": "2013-05-02T19:14:01Z", "user_id": "fake", "os-extended-volumes:volumes_attached": [] } ] }

{ "servers": [ { "addresses": { "private": [ { "addr": "192.168.0.3", "mac_addr": "aa:bb:cc:dd:ee:ff", "type": "fixed", "version": 4 } ] }, "created": "2013-09-23T13:53:12Z", "flavor": { "id": "1", "links": [ { "href": "http://openstack.example.com/flavors/1", "rel": "bookmark" } ] }, "host_id": "f1e160ad2bf07084f3d3e0dfdd0795d80da18a60825322c15775c0dd", "id": "9cbefc35-d372-40c5-88e2-9fda1b6ea12c", "image": { "id": "70a599e0-31e7-49b7-b260-868f441e862b", "links": [ { "href": "http://glance.openstack.example.com/images/70a599e0-31e7-49b7-b260-868f441e862b", "rel": "bookmark" } ] }, "key_name": null, "links": [ { "href": "http://openstack.example.com/v3/servers/9cbefc35-d372-40c5-88e2-9fda1b6ea12c", "rel": "self" }, { "href": "http://openstack.example.com/servers/9cbefc35-d372-40c5-88e2-9fda1b6ea12c", "rel": "bookmark" } ], "metadata": { "My Server Name": "Apache1" }, "name": "new-server-test", "os-access-ips:access_ip_v4": "", "os-access-ips:access_ip_v6": "", "os-config-drive:config_drive": "", "os-extended-availability-zone:availability_zone": "nova", "os-extended-server-attributes:host": "c3f14e9812ad496baf92ccfb3c61e15f", "os-extended-server-attributes:hypervisor_hostname": "fake-mini", "os-extended-server-attributes:instance_name": "instance-00000001", "os-extended-status:locked_by": null, "os-extended-status:power_state": 1, "os-extended-status:task_state": null, "os-extended-status:vm_state": "active", "os-extended-volumes:volumes_attached": [], "os-server-usage:launched_at": "2013-09-23T13:53:12.774549", "os-server-usage:terminated_at": null, "progress": 0, "security_groups": [ { "name": "default" } ], "status": "ACTIVE", "tenant_id": "openstack", "updated": "2013-10-31T06:32:32Z", "user_id": "fake" } ] }

• Reduction in API extensions

The number of extensions blew out in v2 API because of the lack of versioning. So the v3 API has lot fewer extensions as functionality is merged into the relevant basic extensions. And with versioning this should not re-occur.

Operators and Developers

• Improved framework for API plugins

There is now no longer any difference between how API features are implemented if they are core or extensions. The framework also allows for better isolation of the code from API different parts of the API and it is no longer necessary to modify parts of the core API to support extensions. This reduces the maintance overhead for the API code. For example, compare the v2 and v3 API versions of the servers create method (note that although the input validation patch for this plugin has been written it has not merged in this code and so there is still some input validation in the v3 version)

v2 API

v3 API

@wsgi.response(202) @wsgi.serializers(xml=FullServerTemplate) @wsgi.deserializers(xml=CreateDeserializer) def create(self, req, body): """Creates a new server for a given user.""" if not self.is_valid_body(body, 'server'): raise exc.HTTPUnprocessableEntity() context = req.environ['nova.context'] server_dict = body['server'] password = self._get_server_admin_password(server_dict) if 'name' not in server_dict: msg = _("Server name is not defined") raise exc.HTTPBadRequest(explanation=msg) name = server_dict['name'] self._validate_server_name(name) name = name.strip() image_uuid = self._image_from_req_data(body) personality = server_dict.get('personality') config_drive = None if self.ext_mgr.is_loaded('os-config-drive'): config_drive = server_dict.get('config_drive') injected_files = [] if personality: injected_files = self._get_injected_files(personality) sg_names = [] if self.ext_mgr.is_loaded('os-security-groups'): security_groups = server_dict.get('security_groups') if security_groups is not None: sg_names = [sg['name'] for sg in security_groups if sg.get('name')] if not sg_names: sg_names.append('default') sg_names = list(set(sg_names)) requested_networks = None if (self.ext_mgr.is_loaded('os-networks') or utils.is_neutron()): requested_networks = server_dict.get('networks') if requested_networks is not None: if not isinstance(requested_networks, list): expl = _('Bad networks format') raise exc.HTTPBadRequest(explanation=expl) requested_networks = self._get_requested_networks( requested_networks) (access_ip_v4, ) = server_dict.get('accessIPv4'), if access_ip_v4 is not None: self._validate_access_ipv4(access_ip_v4) (access_ip_v6, ) = server_dict.get('accessIPv6'), if access_ip_v6 is not None: self._validate_access_ipv6(access_ip_v6) try: flavor_id = self._flavor_id_from_req_data(body) except ValueError as error: msg = _("Invalid flavorRef provided.") raise exc.HTTPBadRequest(explanation=msg) # optional openstack extensions: key_name = None if self.ext_mgr.is_loaded('os-keypairs'): key_name = server_dict.get('key_name') user_data = None if self.ext_mgr.is_loaded('os-user-data'): user_data = server_dict.get('user_data') self._validate_user_data(user_data) availability_zone = None if self.ext_mgr.is_loaded('os-availability-zone'): availability_zone = server_dict.get('availability_zone') block_device_mapping = None block_device_mapping_v2 = None legacy_bdm = True if self.ext_mgr.is_loaded('os-volumes'): block_device_mapping = server_dict.get('block_device_mapping', []) for bdm in block_device_mapping: try: block_device.validate_device_name(bdm.get("device_name")) block_device.validate_and_default_volume_size(bdm) except exception.InvalidBDMFormat as e: raise exc.HTTPBadRequest(explanation=e.format_message()) if 'delete_on_termination' in bdm: bdm['delete_on_termination'] = strutils.bool_from_string( bdm['delete_on_termination']) if self.ext_mgr.is_loaded('os-block-device-mapping-v2-boot'): # Consider the new data format for block device mapping block_device_mapping_v2 = server_dict.get( 'block_device_mapping_v2', []) # NOTE (ndipanov): Disable usage of both legacy and new # block device format in the same request if block_device_mapping and block_device_mapping_v2: expl = _('Using different block_device_mapping syntaxes ' 'is not allowed in the same request.') raise exc.HTTPBadRequest(explanation=expl) # Assume legacy format legacy_bdm = not bool(block_device_mapping_v2) try: block_device_mapping_v2 = [ block_device.BlockDeviceDict.from_api(bdm_dict) for bdm_dict in block_device_mapping_v2] except exception.InvalidBDMFormat as e: raise exc.HTTPBadRequest(explanation=e.format_message()) block_device_mapping = (block_device_mapping or block_device_mapping_v2) ret_resv_id = False # min_count and max_count are optional. If they exist, they may come # in as strings. Verify that they are valid integers and > 0. # Also, we want to default 'min_count' to 1, and default # 'max_count' to be 'min_count'. min_count = 1 max_count = 1 if self.ext_mgr.is_loaded('os-multiple-create'): ret_resv_id = server_dict.get('return_reservation_id', False) min_count = server_dict.get('min_count', 1) max_count = server_dict.get('max_count', min_count) try: min_count = utils.validate_integer( min_count, "min_count", min_value=1) max_count = utils.validate_integer( max_count, "max_count", min_value=1) except exception.InvalidInput as e: raise exc.HTTPBadRequest(explanation=e.format_message()) if min_count > max_count: msg = _('min_count must be <= max_count') raise exc.HTTPBadRequest(explanation=msg) auto_disk_config = False if self.ext_mgr.is_loaded('OS-DCF'): auto_disk_config = server_dict.get('auto_disk_config') scheduler_hints = {} if self.ext_mgr.is_loaded('OS-SCH-HNT'): scheduler_hints = server_dict.get('scheduler_hints', {}) try: _get_inst_type = flavors.get_flavor_by_flavor_id inst_type = _get_inst_type(flavor_id, ctxt=context, read_deleted="no") (instances, resv_id) = self.compute_api.create(context, inst_type, image_uuid, display_name=name, display_description=name, key_name=key_name, metadata=server_dict.get('metadata', {}), access_ip_v4=access_ip_v4, access_ip_v6=access_ip_v6, injected_files=injected_files, admin_password=password, min_count=min_count, max_count=max_count, requested_networks=requested_networks, security_group=sg_names, user_data=user_data, availability_zone=availability_zone, config_drive=config_drive, block_device_mapping=block_device_mapping, auto_disk_config=auto_disk_config, scheduler_hints=scheduler_hints, legacy_bdm=legacy_bdm) except (exception.QuotaError, exception.PortLimitExceeded) as error: raise exc.HTTPRequestEntityTooLarge( explanation=error.format_message(), headers={'Retry-After': 0}) except exception.InvalidMetadataSize as error: raise exc.HTTPRequestEntityTooLarge( explanation=error.format_message()) except exception.ImageNotFound as error: msg = _("Can not find requested image") raise exc.HTTPBadRequest(explanation=msg) except exception.FlavorNotFound as error: msg = _("Invalid flavorRef provided.") raise exc.HTTPBadRequest(explanation=msg) except exception.KeypairNotFound as error: msg = _("Invalid key_name provided.") raise exc.HTTPBadRequest(explanation=msg) except exception.ConfigDriveInvalidValue: msg = _("Invalid config_drive provided.") raise exc.HTTPBadRequest(explanation=msg) except messaging.RemoteError as err: msg = "%(err_type)s: %(err_msg)s" % {'err_type': err.exc_type, 'err_msg': err.value} raise exc.HTTPBadRequest(explanation=msg) except UnicodeDecodeError as error: msg = "UnicodeError: %s" % unicode(error) raise exc.HTTPBadRequest(explanation=msg) except (exception.ImageNotActive, exception.FlavorDiskTooSmall, exception.FlavorMemoryTooSmall, exception.InvalidMetadata, exception.InvalidRequest, exception.MultiplePortsNotApplicable, exception.NetworkNotFound, exception.PortNotFound, exception.SecurityGroupNotFound, exception.InvalidBDM, exception.InstanceUserDataMalformed) as error: raise exc.HTTPBadRequest(explanation=error.format_message()) except (exception.PortInUse, exception.NoUniqueMatch) as error: raise exc.HTTPConflict(explanation=error.format_message()) # If the caller wanted a reservation_id, return it if ret_resv_id: return wsgi.ResponseObject({'reservation_id': resv_id}, xml=ServerMultipleCreateTemplate) req.cache_db_instances(instances) server = self._view_builder.create(req, instances[0]) if CONF.enable_instance_password: server['server']['adminPass'] = password robj = wsgi.ResponseObject(server) return self._add_location(robj)

@wsgi.response(202) def create(self, req, body): """Creates a new server for a given user.""" if not self.is_valid_body(body, 'server'): raise exc.HTTPBadRequest(_("The request body is invalid")) context = req.environ['nova.context'] server_dict = body['server'] password = self._get_server_admin_password(server_dict) if 'name' not in server_dict: msg = _("Server name is not defined") raise exc.HTTPBadRequest(explanation=msg) name = server_dict['name'] self._validate_server_name(name) name = name.strip() # Arguments to be passed to instance create function create_kwargs = {} # Query extensions which want to manipulate the keyword # arguments. # NOTE(cyeoh): This is the hook that extensions use # to replace the extension specific code below. # When the extensions are ported this will also result # in some convenience function from this class being # moved to the extension if list(self.create_extension_manager): self.create_extension_manager.map(self._create_extension_point, server_dict, create_kwargs) image_uuid = self._image_from_req_data(server_dict, create_kwargs) # NOTE(cyeoh): Although an extension can set # return_reservation_id in order to request that a reservation # id be returned to the client instead of the newly created # instance information we do not want to pass this parameter # to the compute create call which always returns both. We use # this flag after the instance create call to determine what # to return to the client return_reservation_id = create_kwargs.pop('return_reservation_id', False) requested_networks = None # TODO(cyeoh): bp v3-api-core-as-extensions # Replace with an extension point when the os-networks # extension is ported. Currently reworked # to take into account is_neutron #if (self.ext_mgr.is_loaded('os-networks') # or utils.is_neutron()): # requested_networks = server_dict.get('networks') if utils.is_neutron(): requested_networks = server_dict.get('networks') if requested_networks is not None: requested_networks = self._get_requested_networks( requested_networks) try: flavor_id = self._flavor_id_from_req_data(body) except ValueError as error: msg = _("Invalid flavor_ref provided.") raise exc.HTTPBadRequest(explanation=msg) try: inst_type = flavors.get_flavor_by_flavor_id( flavor_id, ctxt=context, read_deleted="no") (instances, resv_id) = self.compute_api.create(context, inst_type, image_uuid, display_name=name, display_description=name, metadata=server_dict.get('metadata', {}), admin_password=password, requested_networks=requested_networks, **create_kwargs) except (exception.QuotaError, exception.PortLimitExceeded) as error: raise exc.HTTPRequestEntityTooLarge( explanation=error.format_message(), headers={'Retry-After': 0}) except exception.InvalidMetadataSize as error: raise exc.HTTPRequestEntityTooLarge( explanation=error.format_message()) except exception.ImageNotFound as error: msg = _("Can not find requested image") raise exc.HTTPBadRequest(explanation=msg) except exception.FlavorNotFound as error: msg = _("Invalid flavor_ref provided.") raise exc.HTTPBadRequest(explanation=msg) except exception.KeypairNotFound as error: msg = _("Invalid key_name provided.") raise exc.HTTPBadRequest(explanation=msg) except exception.ConfigDriveInvalidValue: msg = _("Invalid config_drive provided.") raise exc.HTTPBadRequest(explanation=msg) except messaging.RemoteError as err: msg = "%(err_type)s: %(err_msg)s" % {'err_type': err.exc_type, 'err_msg': err.value} raise exc.HTTPBadRequest(explanation=msg) except UnicodeDecodeError as error: msg = "UnicodeError: %s" % unicode(error) raise exc.HTTPBadRequest(explanation=msg) except (exception.ImageNotActive, exception.FlavorDiskTooSmall, exception.FlavorMemoryTooSmall, exception.InvalidMetadata, exception.InvalidRequest, exception.MultiplePortsNotApplicable, exception.InstanceUserDataMalformed, exception.PortNotFound, exception.SecurityGroupNotFound, exception.NetworkNotFound) as error: raise exc.HTTPBadRequest(explanation=error.format_message()) except (exception.PortInUse, exception.NoUniqueMatch) as error: raise exc.HTTPConflict(explanation=error.format_message()) # If the caller wanted a reservation_id, return it if return_reservation_id: return wsgi.ResponseObject( {'servers_reservation': {'reservation_id': resv_id}}) req.cache_db_instances(instances) server = self._view_builder.create(req, instances[0]) if CONF.enable_instance_password: server['server']['admin_password'] = password robj = wsgi.ResponseObject(server) return self._add_location(robj)

• Impact of JSON Schema input validation

The JSON Schema input validation abstracts the validation of client supplied input from where it is used. So for example, the JSON schema for the evacuate action looks like:

evacuate = {
    'type': 'object',
    'properties': {
        'evacuate': {
            'type': 'object',
            'properties': {
                'host': parameter_types.hostname,
                'on_shared_storage': parameter_types.boolean,
                'admin_password': parameter_types.admin_password,
            },
            'required': ['host', 'on_shared_storage'],
            'additionalProperties': False,
        },
    },
    'required': ['evacuate'],
    'additionalProperties': False,
}

It clearly defines what parameters are valid, the format of those parameters, which are required and which are optional, and if additional parameters can be supplied. Doing input validation this way also encourages more consistent input validation through shared parameter types rather than API extension specific local regular expressions. Because the validation occurs through a decorator the part of the API which assembles the client supplied data becomes much simpler:

v2 API

v3 API

@wsgi.action('evacuate') def _evacuate(self, req, id, body): """Permit admins to evacuate a server from a failed host to a new one. """ context = req.environ["nova.context"] authorize(context) if not self.is_valid_body(body, "evacuate"): raise exc.HTTPBadRequest(_("Malformed request body")) evacuate_body = body["evacuate"] try: host = evacuate_body["host"] on_shared_storage = strutils.bool_from_string( evacuate_body["onSharedStorage"]) except (TypeError, KeyError): msg = _("host and onSharedStorage must be specified.") raise exc.HTTPBadRequest(explanation=msg) password = None if 'adminPass' in evacuate_body:

@extensions.expected_errors((400, 404, 409)) @wsgi.action('evacuate') @validation.schema(evacuate.evacuate) def _evacuate(self, req, id, body): """Permit admins to evacuate a server from a failed host to a new one. """ context = req.environ["nova.context"] authorize(context) evacuate_body = body["evacuate"] host = evacuate_body["host"] on_shared_storage = strutils.bool_from_string( evacuate_body["on_shared_storage"]) password = None if 'admin_password' in evacuate_body:

Not only is the code simpler for v3, but the input validation is much better compared to v2. And it is significantly easier to review both the API logic and the input validation when they are separated in this way.

• Explicit declaration of what errors may be returned from a method

What error status codes may be returned from a method is explicitly specified via a decorator. This helps address a few problems. The first is that we can now automate the documentation process of what error codes may be returned which will make the documentation more reliable. We also pick up much earlier in the development process Nova exceptions which are unhandled. And I believe the requirement for these to be explicitly specified helps remind both developers and reviewers to think about potential error paths rather than just the normal success paths.

• Ability to whitelist/blacklist plugins

Allows a bit of extra insurance for deployers to ensure that their configuration doesn't accidentally change underneath them when updating Nova. Previously if the plugin loader found anything that looked like a plugin it just loaded it. There is no more explicit control available over what gets loaded and what doesn't.

• Policy checks at API level

Part of the API v3 work has been moving policy checks which have often been done at the db or compute api level to the REST API. This has the benefit of catching permission errors as soon as possible reducing the amount of unwinding of work that needs to be done when policy checks are done at the low level. Not only does it remove ambiguity around what a policy change actually means for people accessing the API it also fixes situations where changing policies for the API is not able to have full effect because of secondary hard-coded admin or policy checks at a lower level.

• More fine-grained extensions

At the request of some deployers, in some cases extensions were split into multiple extensions to allow them to more finely define which API features they want to use.

• Improved unittests

As the input validation and error handling in v3 API has been improved, the unittests coverage for these cases has also been added to ensure we don't accidentally regress.

Long term dual maintenance costs

Measuring the dual maintenance cost and short term solutions

One of the issues from creating the v3 API and the v2 API needing to be supported for a much longer period than the standard 1 cycle deprecation period is the dual maintenance costs. That is, when Nova internal APIs change it may in cases be necessary to make the corresponding changes in the v2 API code, possibly the EC2 API code, and now the v3 API code as well.

The recent objects work is an example where this has occurred. The API layer is in most cases a very thin layer on top of Nova internals and follows the general layout of:

1. Assembling client supplied data and input validation.
2. Call nova internal methods
3. Parse returned data and format it for return to the client or handle exceptions

There are cases where it is more complex than this, but they all follow the general process. So an example of one recent objects patch which required changing both the v2 and v3 API code is converting unrescue to support objects. The diffstat for the patch is:

diff ec78b42d7b7e9da99ba063cccc8a4f6d0aa7c8e5^..ec78b42d7b7e9da99ba063cccc8a4f6d0aa7c8e5 | diffstat
 api/openstack/compute/contrib/rescue.py    |    2 +-
 api/openstack/compute/plugins/v3/rescue.py |    3 ++-
 compute/manager.py                         |   14 +++++++-------
 compute/rpcapi.py                          |   12 ++++++++----
 tests/compute/test_compute.py              |    8 +++++---
 tests/compute/test_rpcapi.py               |    2 +-
 6 files changed, 24 insertions(+), 17 deletions(-)

So changes were required to both the v2 and v3 versions of rescue plugin. The patches to those parts look like:

diff --git a/nova/api/openstack/compute/contrib/rescue.py b/nova/api/openstack/compute/con
index fe31f2c..0233be2 100644
--- a/nova/api/openstack/compute/contrib/rescue.py
+++ b/nova/api/openstack/compute/contrib/rescue.py
@@ -75,7 +75,7 @@ class RescueController(wsgi.Controller):
         """Unrescue an instance."""
         context = req.environ["nova.context"]
         authorize(context)
-        instance = self._get_instance(context, id)
+        instance = self._get_instance(context, id, want_objects=True)
         try:
             self.compute_api.unrescue(context, instance)
         except exception.InstanceInvalidState as state_error:
diff --git a/nova/api/openstack/compute/plugins/v3/rescue.py b/nova/api/openstack/compute/
index 5ae876b..66b4c17 100644
--- a/nova/api/openstack/compute/plugins/v3/rescue.py
+++ b/nova/api/openstack/compute/plugins/v3/rescue.py
@@ -77,7 +77,8 @@ class RescueController(wsgi.Controller):
         """Unrescue an instance."""
         context = req.environ["nova.context"]
         authorize(context)
-        instance = common.get_instance(self.compute_api, context, id)
+        instance = common.get_instance(self.compute_api, context, id,
+                                       want_objects=True)
         try:
             self.compute_api.unrescue(context, instance)
         except exception.InstanceInvalidState as state_error:

The extra dual maintenance burden ends up being an additional one line trivial change amongst a larger patch to change the infrastructure underneath. Though sometimes there are corresponding changes to tests as well. A lot of the changes for objects have been similar but some are more complicated. In those cases we can remove the dual maintenance burden by refactoring to have the v2 and v3 API code call into a common method. This removes the dual maintenance burden for Nova internal API changes.

Long term option 1 (v2.1 based on the v3 codebase)

In order to reduce the dual maintenance costs in the long term and reduce LOC in Nova, one approach would be to implement the v2 API on top of the v3 codebase primarily as decorators. This is much easier to achieve we allow this implementation to have strong input validation as lot of the translation can be done using just JSON schema. See a simple proof of concept patch here https://review.openstack.org/#/c/77105/. Essentially we'd have a v2.1 which is the same as v2 except for strong input validation.

This technique allows us to eventually have one code base for v2 and v3 and at the same time preserve backwards compatibility for v2 as we can translate on both the input and output. It has the significant maintenance advantage of keeping the handling of v2 and v3 API input and output handling separate from each other. Validation testing for this API is fairly straightforward as we have existing tempest and unittests tests for the v2 API and we are only concerned about verifying that correct input behaviour remains the same.

It also provides for a good transition strategy from v2 to v2.1. As the original v2 API code remains untouched we do not risk accidentally changing the semantics of the v2 API code. The only applications which could break in the transition from v2 to v2.1 would be those which are currently misusing the API. The client applications would be able to have a reasonable time period where they can quite easily test/verify against the v2.1 API before v2 is deprecated. And there is quite a strong incentive for doing so because misusing the API is a sign that they may have a bug in their program.

Long term option 2 (Proxy)

This would involve implementing a separate service which essentially translated v2 REST API requests into v3 ones, ensuring that only valid requests are passed to the v2 API and did the inverse when returning data to the caller. It would also have to implement proxying to neutron/cinder/glance where appropriate. Once this is proven as stable, like option 1, the legacy v2 API code could be removed. This would be one way to retain a v2 API with poor input validation but reduce maintenance costs.

Handling API changes in the future

We need to be a lot more careful about API changes in the future and not just consider a change in isolation, but its impact overall to the Nova API. However, I think we have to accept that we will still make mistakes and need a strategy of how we handle that.

Whether we use version headers or url path differences, either are major version revs and I think one of the most important priorities should be to keep our code base clean in the long term and not end up with a growing number of interleaved version tests in the API code. Wherever possible I think we should aim to keep the canonical latest version of the API code clean and separate from code needed to keep legacy API versions supported. As this lowers our long term maintenance costs.

Last edited 2014/03/04 05:52:43 UTC