[Openstack-operators] RFC - Global Request Ids
Sean Dague
sean at dague.net
Wed May 17 18:11:59 UTC 2017
On 05/16/2017 12:01 PM, Sean Dague wrote:
> After the forum session on logging, we came up with what we think is an
> approach here for global request ids -
> https://review.openstack.org/#/c/464746/ - it would be great if
> interested operators would confirm this solves their concerns.
>
> There is also an open question. A long standing concern was "trusting"
> the request-id, though I don't really know how that could be exploited
> for anything really bad, and this puts in a system for using service
> users as a signal for trust.
>
> But.... the whole system is a lot easier, and comes together quicker, if
> we don't have that. For especially public cloud users, are there any
> concerns that you have in letting users set Request-Id (assuming you'll
> also still have a 2nd request-id that's service local and acts like
> request-id today)?

FYI, right now CERN and GoDaddy expressed that they don't need strong
trust validation on these ids (as long as they are validated to look
like a uuid, so no injection concerns). We've had no people providing
rationale on the original fears around doing that.

So unless I hear something in the next 24 hours we'll update the spec to
drop that part.

-Sean
--
Sean Dague
http://dague.net
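
The uuid-shape check mentioned in the message above, sketched as an added example; it is not code from the original post, the spec under review, or any OpenStack project. It assumes the id has the form `req-<uuid>`, and all function names are hypothetical.

```python
import re
import uuid

# Assumption: a global request id is "req-" plus a canonical 8-4-4-4-12 UUID.
_GLOBAL_ID_RE = re.compile(
    r"req-[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}"
    r"-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
)


def accept_global_request_id(value):
    """Return the caller-supplied id (lowercased) if it is strictly
    req-<uuid>, otherwise None.

    fullmatch() is deliberate: match() with a trailing "$" would still
    accept "req-<uuid>\\n", which is enough to split a log line.
    """
    if not isinstance(value, str):
        return None
    if _GLOBAL_ID_RE.fullmatch(value) is None:
        return None
    return value.lower()


def new_local_request_id():
    """The service-local id is always generated here, never taken from input."""
    return "req-" + str(uuid.uuid4())


def request_ids(client_value):
    """Return (local_id, global_id) for one inbound request.

    An id that fails validation is dropped rather than repaired, so the
    untrusted bytes never reach a log line or an outbound header.
    """
    return new_local_request_id(), accept_global_request_id(client_value)


def log_line(local_id, global_id, message):
    """Format a log prefix carrying both ids; '-' marks a missing global id."""
    return "[%s %s] %s" % (local_id, global_id or "-", message)


if __name__ == "__main__":
    # Constructed sample inputs: one well-formed id, one log-injection attempt.
    good = "req-3f2b6c1e-8d4a-4b7e-9c2f-1a2b3c4d5e6f"
    for raw in (good, good + "\r\n2017-05-17 ERROR forged entry"):
        local, glob = request_ids(raw)
        print(log_line(local, glob, "GET /servers"))
```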