
yahoo-eng-team team mailing list archive

[Bug 1480191] Re: User can send 'request-id' from headers to glance api

 

This is as designed, not a bug. If there are attack vectors like possibly
long IDs we should fix them, but not break our API.

** Changed in: glance
       Status: In Progress => Opinion

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Glance.
https://bugs.launchpad.net/bugs/1480191

Title:
  User can send 'request-id' from headers to glance api

Status in Glance:
  Opinion

Bug description:
  User can send 'X-Openstack-Request-Id' headers while calling any glance api.
  Glance uses this 'X-Openstack-Request-Id' sent from headers for logging and also adds same request-id in response headers.

  User can send any value (long string) as 'X-Openstack-Request-Id' header to glance service,
  because of this log file can get filled with invalid (or long) request-ids.

  IMO glance should not take 'request-id' sent from user, it should
  always create its own (valid) 'request-id'.

  
  1. curl command to send 'X-Openstack-Request-Id' header to image-list api:

  $ curl -g -i -X GET -H 'Accept-Encoding: gzip, deflate' -H 'Accept: */*' \
      -H 'Connection: keep-alive' \
      -H 'X-Auth-Token: 63282e92e8e64be2a89587cfaada3554' \
      -H 'X-Openstack-Request-Id: testing--aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa123456' \
      http://10.69.4.173:9292/v2/images?limit=1

  HTTP/1.1 200 OK
  Content-Length: 856
  Content-Type: application/json; charset=UTF-8
  X-Openstack-Request-Id: req-testing--aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa123456
  Date: Fri, 31 Jul 2015 07:13:39 GMT
  Connection: keep-alive

  {"images": [{"status": "active", "name": "cirros-0.3.4-x86_64-uec",
  "tags": [], "kernel_id": "a03839e1-95db-459c-97d0-711daab55550",
  "container_format": "ami", "created_at": "2015-07-31T07:01:03Z",
  "ramdisk_id": "90c59147-1afe-4ede-b1da-435ab1ef98f6", "disk_format":
  "ami", "updated_at": "2015-07-31T07:01:04Z", "visibility": "public",
  "self": "/v2/images/26b712f3-22a9-45fb-aa8f-f9851d55e71d", "min_disk":
  0, "protected": false, "id": "26b712f3-22a9-45fb-aa8f-f9851d55e71d",
  "size": 25165824, "file": "/v2/images/26b712f3-22a9-45fb-aa8f-
  f9851d55e71d/file", "checksum": "eb9139e4942121f22bbc2afc0400b2a4",
  "owner": "632960b4c18c4257bb404d0047be922c", "virtual_size": null,
  "min_ram": 0, "schema": "/v2/schemas/image"}], "next":
  "/v2/images?marker=26b712f3-22a9-45fb-aa8f-f9851d55e71d&limit=1",
  "schema": "/v2/schemas/images", "first": "/v2/images?limit=1"}

  2. glance-api service logs:

  2015-07-31 00:13:39.612 DEBUG oslo_policy.policy [testing--aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa123456 bd66b0b7b1c04d738cd5d79c5619fd2d 0d0dc11c6b1649068eb4c4068791a602] Reloaded policy file: /etc/glance/policy.json from (pid=27225) _load_policy_file /usr/local/lib/python2.7/dist-packages/oslo_policy/policy.py:436
  2015-07-31 00:13:39.613 DEBUG oslo_policy.policy [testing--aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa123456 bd66b0b7b1c04d738cd5d79c5619fd2d 0d0dc11c6b1649068eb4c4068791a602] Reloaded policy file: /etc/glance/policy.json from (pid=27225) _load_policy_file /usr/local/lib/python2.7/dist-packages/oslo_policy/policy.py:436
  2015-07-31 00:13:39.652 INFO eventlet.wsgi.server [testing--aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa123456 bd66b0b7b1c04d738cd5d79c5619fd2d 0d0dc11c6b1649068eb4c4068791a602] 10.69.4.173 - - [31/Jul/2015 00:13:39] "GET /v2/images?limit=1 HTTP/1.1" 200 1161 0.042854

To manage notifications about this bug go to:
https://bugs.launchpad.net/glance/+bug/1480191/+subscriptions
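
One way to bound client-supplied request IDs while still honouring the header, in line with the comment above about fixing long IDs without breaking the API. This is an added example, not Glance's code; the function names, the 64-character cap and the allowed character set are assumptions.

```python
import re
import uuid

HEADER = "x-openstack-request-id"
MAX_LEN = 64  # assumed cap; a generated "req-" + UUID4 is 40 characters
# Assumed allow-list: no whitespace, control characters or log delimiters.
SAFE_ID = re.compile(r"[A-Za-z0-9._-]+")


def new_request_id():
    return "req-" + str(uuid.uuid4())


def resolve_request_id(headers):
    """Return (request_id, accepted) for a dict of request headers.

    A client value is kept only if, after the "req-" prefix is applied,
    it fits MAX_LEN and the allow-list; otherwise a fresh ID is issued.
    """
    raw = next((v for k, v in headers.items() if k.lower() == HEADER), None)
    if raw is None:
        return new_request_id(), False
    candidate = raw if raw.startswith("req-") else "req-" + raw
    if len(candidate) > MAX_LEN or not SAFE_ID.fullmatch(candidate):
        return new_request_id(), False
    return candidate, True


if __name__ == "__main__":
    # Constructed sample values, the second shaped like the one in the report.
    samples = [
        "trace-42",
        "testing--" + "a" * 104 + "123456",
        "abc] forged log field [",
    ]
    for value in samples:
        rid, accepted = resolve_request_id({"X-Openstack-Request-Id": value})
        print(accepted, rid)
```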

