[openstack-dev] [nova][ceilometer] model for ceilo/nova interaction going forward

Russell Bryant rbryant at redhat.com
Thu Nov 15 03:19:44 UTC 2012


On 11/14/2012 04:50 PM, Eoghan Glynn wrote:
> So here's a random half-formed thought, suppose the nova-compute service
> exposed a public REST API directly for purposes such as these? So that
> diagnostics could be retrieved directly from the nova-compute nodes
> without either involving nova-api or using the internal RPC mechanism.

nova-compute is the least trusted part of nova.  Because of this, we're
doing work to lock it down and isolate it the best we can from the rest
of the system, so that we can limit the potential effects of
compromising a compute node.  This includes removing direct database
access and adding much richer security to the RPC layer.

My concern with adding a REST API directly to compute nodes would be
that it opens up a new interface we have to figure out a security model for.

-- 
Russell Bryant


