[openstack-dev] [nova] [glance] [cinder] [neutron] [keystone] - RFC cross project request id tracking

Sean Dague sean at dague.net
Tue May 16 15:48:54 UTC 2017


On 05/16/2017 11:28 AM, Eric Fried wrote:
>> The idea is that a regular user calling into a service should not
>> be able to set the request id, but outgoing calls from that service
>> to other services as part of the same request would.
> 
> Yeah, so can anyone explain to me why this is a real problem?  If a
> regular user wanted to be a d*ck and inject a bogus (or worse, I
> imagine, duplicated) request-id, can any actual harm come out of it?  Or
> does it just cause confusion to the guy reading the logs later?
> 
> (I'm assuming, of course, that the format will still be validated
> strictly (req-$UUID) to preclude code injection kind of stuff.)

Honestly, I don't know. I know it was once a concern. I'm totally happy
to remove the trust checking knowing we could add it back in later if
required.

Maybe reach out to some public cloud providers to know if they have any
issues with it?

	-Sean

-- 
Sean Dague
http://dague.net
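
An added sketch of the behaviour discussed in this thread, not code from the message above or from any OpenStack project: an inbound request id is honoured only if it matches `req-$UUID` exactly and, when trust checking is enabled, the caller holds a service role. The function names, the `service` role name, the `enforce_trust` switch and the sample ids are assumptions made for the example.

```python
import re
import uuid

# Strict req-$UUID shape, as assumed in the thread. Lowercase hex only,
# so nothing but [0-9a-f-] can reach a log line through this field.
_REQ_ID = re.compile(
    r"req-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

# Hypothetical role name marking the caller as another service.
TRUSTED_ROLES = frozenset({"service"})


def is_valid_request_id(value):
    # fullmatch rather than match() with "$": "$" also matches just before
    # a trailing newline, which would let "req-<uuid>\n" into the logs.
    return isinstance(value, str) and _REQ_ID.fullmatch(value) is not None


def new_request_id():
    return "req-" + str(uuid.uuid4())


def resolve_request_ids(inbound_id, caller_roles, enforce_trust=True):
    """Return (local_id, inherited_id) for one inbound call.

    local_id is always generated here, so a caller can never force two
    requests to share it. inherited_id is the caller-supplied id when it
    is accepted, otherwise None. enforce_trust=False models dropping the
    trust check while keeping the strict format validation.
    """
    local_id = new_request_id()
    if not is_valid_request_id(inbound_id):
        return local_id, None
    if enforce_trust and not TRUSTED_ROLES.intersection(caller_roles):
        return local_id, None
    return local_id, inbound_id


if __name__ == "__main__":
    sample = "req-6f1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d"  # constructed id
    for roles, value in [({"member"}, sample), ({"service"}, sample),
                         ({"service"}, sample + "\nERROR forged line")]:
        local, inherited = resolve_request_ids(value, roles)
        print(sorted(roles), repr(value), "->", local, inherited)
```

Because the local id is always generated by the receiving service, a duplicated inbound id can only affect correlation across services, not the uniqueness of the service's own log key.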
