> The idea is that a regular user calling into a service should not > be able to set the request id, but outgoing calls from that service > to other services as part of the same request would.
Yeah, so can anyone explain to me why this is a real problem? If a regular user wanted to be a d*ck and inject a bogus (or worse, I imagine, duplicated) request-id, can any actual harm come out of it? Or does it just cause confusion to the guy reading the logs later? (I'm assuming, of course, that the format will still be validated strictly (req-$UUID) to preclude code injection kind of stuff.) Thanks, Eric (efried) . __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev