[openstack-dev] [nova] [glance] [cinder] [neutron] [keystone] - RFC cross project request id tracking

Sean Dague sean at dague.net
Mon May 15 12:38:52 UTC 2017

On 05/15/2017 08:16 AM, Lance Bragstad wrote:
> On Mon, May 15, 2017 at 6:20 AM, Sean Dague <sean at dague.net
> <mailto:sean at dague.net>> wrote:
>     On 05/15/2017 05:59 AM, Andrey Volkov wrote:
>     >
>     >> The last time this came up, some people were concerned that trusting
>     >> request-id on the wire was concerning to them because it's coming from
>     >> random users.
>     >
>     > TBH I don't see the reason why a validated request-id value can't be
>     > logged on a callee service side, probably because I missed some previous
>     > context. Could you please give an example of such concerns?
>     >
>     > With service user I see two blocks:
>     > - A callee service needs to know if it's "special" user or not.
>     > - Until all services don't use a service user we'll not get the complete trace.
>     That is doable, but then you need to build special tools to generate
>     even basic flows. It means that the Elastic Search use case (where
>     plopping in a request id shows you things across services) does not
>     work. Because the child flows don't have the new id.
>     It's also fine to *also* cross log the child/callee request idea on the
>     parent/caller, but it's not actually going to be sufficiently useful to
>     most people.
> +1
> To me it makes sense to supply the override so that a single request-id
> can track multiple operations across services. But I'm struggling to
> find a case where passing a list(global_request_id, local_request_id) is
> useful. This might be something we can elaborate on later, if we find a
> use case for including multiple request-ids.

I'm not sure I understand the question... so perhaps some examples

The theory is, say you kick off a Nova server build, you'll see
something like:

2017 May 15 nova-api [req-0001-2222-3333-4444444444444
req-0001-2222-3333-4444444444444 my_project my_user]
2017 May 15 nova-compute [req-0001-2222-3333-4444444444444
req-0001-2222-3333-4444444444444 my_project my_user]

Then when calling into glance for image download nova would pass in
X-OpenStack-Request-ID: req-0001-2222-3333-4444444444444, so that in the
glance logs you'd see:

2017 May 15 glance-api [req-0001-2222-3333-4444444444444
req-aef2-5555-6666-7777777777777 my_project my_user]

The second id is locally generated during the inbound request. If no
global id is sent (or we decide later that the caller was not
sufficiently trusted), the global id will be set to the local id.


Sean Dague

More information about the OpenStack-dev mailing list