[openstack-dev] [nova] [glance] [cinder] [neutron] [keystone] - RFC cross project request id tracking

Sean Dague sean at dague.net
Tue May 16 15:48:54 UTC 2017

On 05/16/2017 11:28 AM, Eric Fried wrote:
>> The idea is that a regular user calling into a service should not
>> be able to set the request id, but outgoing calls from that service
>> to other services as part of the same request would.
> Yeah, so can anyone explain to me why this is a real problem?  If a
> regular user wanted to be a d*ck and inject a bogus (or worse, I
> imagine, duplicated) request-id, can any actual harm come out of it?  Or
> does it just cause confusion to the guy reading the logs later?
> (I'm assuming, of course, that the format will still be validated
> strictly (req-$UUID) to preclude code injection kind of stuff.)

Honestly, I don't know. I know it was once a concern. I'm totally happy
to remove the trust checking knowing we could add it back in later if

Maybe reach out to some public cloud providers to know if they have any
issues with it?


Sean Dague

More information about the OpenStack-dev mailing list