OpenStack Compute (nova)

Merge lp:~vishvananda/nova/lp692317 into lp:~hudson-openstack/nova/trunk

  1. lp692317
  2. Merge into trunk
Proposed by Vish Ishaya
Status: Merged
Approved by: Vish Ishaya
Approved revision: 471
Merged at revision: 484
Proposed branch: lp:~vishvananda/nova/lp692317
Merge into: lp:~hudson-openstack/nova/trunk
Diff against target: 61 lines (+16/-3)
2 files modified
nova/api/ec2/__init__.py (+7/-1)
nova/api/ec2/metadatarequesthandler.py (+9/-2)
To merge this branch: bzr merge lp:~vishvananda/nova/lp692317
Reviewer Review Type Date Requested Status
Jesse Andrews (community) Approve
Ed Leafe (community) Approve
Devin Carlen (community) Approve
Jay Pipes (community) Needs Information
Review via email: mp+44169@code.launchpad.net

Description of the change

Adds a flag to use the X-Forwarded-For header to find the ip of the remote server. This is needed when you have multiple api servers with a load balancing proxy in front. It is a flag that defaults to False because if you don't have a sanitizing proxy in front, users could masquerade as other ips by passing in the header manually.

To post a comment you must log in.
Revision history for this message
Jay Pipes (jaypipes) wrote :

Should this also be done for the openstack API?

review: Needs Information
Revision history for this message
Vish Ishaya (vishvananda) wrote :

> Should this also be done for the openstack API?

I can't see anywhere where the openstack api is using req.remote_addr. I'm assuming that it is ip agnostic. It is only used in ec2 api for metadata and logging.

Revision history for this message
Devin Carlen (devcamcar) wrote :

Approve, this is apparently not used by openstack API. Seems like openstack API should be making use of this but that is part of a larger problem that should be tracked elsewhere.

review: Approve
lp:~vishvananda/nova/lp692317 updated
471. By Vish Ishaya

merged trunk and fixed conflicts

Revision history for this message
Ed Leafe (ed-leafe) wrote :

Reviewed and approved.

review: Approve
Revision history for this message
Jesse Andrews (anotherjesse) wrote :

lgtm - Agree with Devin.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'nova/api/ec2/__init__.py'
2--- nova/api/ec2/__init__.py 2010-12-22 21:17:30 +0000
3+++ nova/api/ec2/__init__.py 2010-12-22 21:54:20 +0000
4@@ -37,6 +37,9 @@
5
6
7 FLAGS = flags.FLAGS
8+flags.DEFINE_boolean('use_forwarded_for', False,
9+ 'Treat X-Forwarded-For as the canonical remote address. '
10+ 'Only enable this if you have a sanitizing proxy.')
11 flags.DEFINE_boolean('use_lockout', False,
12 'Whether or not to use lockout middleware.')
13 flags.DEFINE_integer('lockout_attempts', 5,
14@@ -144,9 +147,12 @@
15 raise webob.exc.HTTPForbidden()
16
17 # Authenticated!
18+ remote_address = req.remote_addr
19+ if FLAGS.use_forwarded_for:
20+ remote_address = req.headers.get('X-Forwarded-For', remote_address)
21 ctxt = context.RequestContext(user=user,
22 project=project,
23- remote_address=req.remote_addr)
24+ remote_address=remote_address)
25 req.environ['ec2.context'] = ctxt
26 return self.application
27
28
29=== modified file 'nova/api/ec2/metadatarequesthandler.py'
30--- nova/api/ec2/metadatarequesthandler.py 2010-12-22 20:59:53 +0000
31+++ nova/api/ec2/metadatarequesthandler.py 2010-12-22 21:54:20 +0000
32@@ -23,9 +23,13 @@
33 import webob.dec
34 import webob.exc
35
36+from nova import flags
37 from nova.api.ec2 import cloud
38
39
40+FLAGS = flags.FLAGS
41+
42+
43 class MetadataRequestHandler(object):
44 """Serve metadata from the EC2 API."""
45
46@@ -63,10 +67,13 @@
47 @webob.dec.wsgify
48 def __call__(self, req):
49 cc = cloud.CloudController()
50- meta_data = cc.get_metadata(req.remote_addr)
51+ remote_address = req.remote_addr
52+ if FLAGS.use_forwarded_for:
53+ remote_address = req.headers.get('X-Forwarded-For', remote_address)
54+ meta_data = cc.get_metadata(remote_address)
55 if meta_data is None:
56 logging.error(_('Failed to get metadata for ip: %s') %
57- req.remote_addr)
58+ remote_address)
59 raise webob.exc.HTTPNotFound()
60 data = self.lookup(req.path_info, meta_data)
61 if data is None: