Merge lp:~vishvananda/nova/lp692317 into lp:~hudson-openstack/nova/trunk

Proposed by Vish Ishaya
Status: Merged
Approved by: Vish Ishaya
Approved revision: 471
Merged at revision: 484
Proposed branch: lp:~vishvananda/nova/lp692317
Merge into: lp:~hudson-openstack/nova/trunk
Diff against target: 61 lines (+16/-3)
2 files modified
nova/api/ec2/__init__.py (+7/-1)
nova/api/ec2/metadatarequesthandler.py (+9/-2)
To merge this branch: bzr merge lp:~vishvananda/nova/lp692317
Reviewer          Review Type   Date Requested   Status
Jesse Andrews     community                      Approve
Ed Leafe          community                      Approve
Devin Carlen      community                      Approve
Jay Pipes         community                      Needs Information
Review via email: mp+44169@code.launchpad.net

Description of the change

Adds a flag to use the X-Forwarded-For header to find the IP of the remote server. This is needed when you have multiple api servers with a load balancing proxy in front. It is a flag that defaults to False because if you don't have a sanitizing proxy in front, users could masquerade as other IPs by passing in the header manually.

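The masquerade risk described in the merge description, worked through as an added example (this is not Nova's code and not part of the merge). The first function reproduces the lookup the patch performs; the second is a stricter variant that only honours the header when the TCP peer is a configured proxy, walks the comma-separated chain from the right past known proxies, and rejects values that are not IP addresses. The function and parameter names, the `trusted_proxies` list, and the plain dict standing in for webob's case-insensitive `req.headers` are all assumptions for illustration; the addresses in the scenarios are constructed.

```python
"""Added example, not Nova's code: resolving a client address behind a proxy.

Names such as patch_style_remote_address, hardened_remote_address and
trusted_proxies are assumptions for illustration; `headers` is a plain dict
standing in for webob's req.headers.
"""
import ipaddress


def patch_style_remote_address(remote_addr, headers, use_forwarded_for):
    """The lookup as the patch writes it: the raw header value, if present."""
    remote_address = remote_addr
    if use_forwarded_for:
        remote_address = headers.get('X-Forwarded-For', remote_address)
    return remote_address


def hardened_remote_address(remote_addr, headers, use_forwarded_for,
                            trusted_proxies=()):
    """Stricter variant (an assumption, not what the patch implements).

    - Ignores the header unless the flag is on AND the TCP peer is a proxy
      we configured, so a client talking to the API directly cannot spoof.
    - Walks the comma-separated chain from the right, skipping our own
      proxies: the first non-proxy entry is the address the outermost proxy
      actually saw.  Anything to its left was supplied by the client.
    - Falls back to the TCP peer if the chosen entry is not an IP address.
    """
    if not use_forwarded_for or remote_addr not in trusted_proxies:
        return remote_addr
    raw = headers.get('X-Forwarded-For', '')
    entries = [e.strip() for e in raw.split(',') if e.strip()]
    for candidate in reversed(entries):
        if candidate in trusted_proxies:
            continue  # added by one of our hops, keep walking left
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            return remote_addr  # garbage in the header: do not trust it
        return candidate
    return remote_addr  # header empty or consisted only of our proxies


def scenarios():
    """Constructed cases: proxy that appends, direct client forging a header,
    a two-proxy chain.  Returns {name: (patch_style, hardened)}."""
    proxies = ('10.0.0.2', '10.0.0.3')
    appended = {'X-Forwarded-For': '192.0.2.9, 203.0.113.7'}  # 192.0.2.9 forged
    forged = {'X-Forwarded-For': '10.0.0.5'}                  # no proxy at all
    chain = {'X-Forwarded-For': '203.0.113.7, 10.0.0.3'}
    return {
        'proxy_appends': (
            patch_style_remote_address('10.0.0.2', appended, True),
            hardened_remote_address('10.0.0.2', appended, True, proxies)),
        'direct_forgery': (
            patch_style_remote_address('203.0.113.7', forged, True),
            hardened_remote_address('203.0.113.7', forged, True, proxies)),
        'two_hop_chain': (
            patch_style_remote_address('10.0.0.2', chain, True),
            hardened_remote_address('10.0.0.2', chain, True, proxies)),
    }


if __name__ == '__main__':
    for name, (loose, strict) in scenarios().items():
        print('%-15s patch-style=%-25r hardened=%r' % (name, loose, strict))
```

With a proxy that appends rather than overwrites, the patch-style lookup yields the string `'192.0.2.9, 203.0.113.7'`, which is not an address at all; with no proxy and the flag left on, it yields whatever the client typed. The stricter variant returns `203.0.113.7` in both cases and in the two-hop case, and returns the TCP peer when the flag is off, when the peer is not a configured proxy, or when the header is missing or malformed.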
Revision history for this message
Jay Pipes (jaypipes) wrote :

Should this also be done for the openstack API?

review: Needs Information
Vish Ishaya (vishvananda) wrote :

> Should this also be done for the openstack API?

I can't see anywhere where the openstack api is using req.remote_addr. I'm assuming that it is ip agnostic. It is only used in ec2 api for metadata and logging.

Devin Carlen (devcamcar) wrote :

Approve, this is apparently not used by openstack API. Seems like openstack API should be making use of this but that is part of a larger problem that should be tracked elsewhere.

review: Approve
lp:~vishvananda/nova/lp692317 updated
471. By Vish Ishaya

merged trunk and fixed conflicts

Ed Leafe (ed-leafe) wrote :

Reviewed and approved.

review: Approve
Jesse Andrews (anotherjesse) wrote :

lgtm - Agree with Devin.

review: Approve

Preview Diff

=== modified file 'nova/api/ec2/__init__.py'
--- nova/api/ec2/__init__.py 2010-12-22 21:17:30 +0000
+++ nova/api/ec2/__init__.py 2010-12-22 21:54:20 +0000
@@ -37,6 +37,9 @@
3737
3838
39FLAGS = flags.FLAGS39FLAGS = flags.FLAGS
40flags.DEFINE_boolean('use_forwarded_for', False,
41 'Treat X-Forwarded-For as the canonical remote address. '
42 'Only enable this if you have a sanitizing proxy.')
40flags.DEFINE_boolean('use_lockout', False,43flags.DEFINE_boolean('use_lockout', False,
41 'Whether or not to use lockout middleware.')44 'Whether or not to use lockout middleware.')
42flags.DEFINE_integer('lockout_attempts', 5,45flags.DEFINE_integer('lockout_attempts', 5,
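Review bot: the help string for use_forwarded_for should spell out what "sanitizing proxy" has to mean for this to be safe: the proxy must overwrite (not merely append to) X-Forwarded-For, and nothing other than that proxy may be able to reach the API port, otherwise a caller can still supply the header directly. "Treat X-Forwarded-For as the canonical remote address" also reads as if the header holds a single address; since it may carry a comma-separated chain, something like "Use the client address reported by the proxy in X-Forwarded-For" would set expectations better.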
@@ -144,9 +147,12 @@
144 raise webob.exc.HTTPForbidden()147 raise webob.exc.HTTPForbidden()
145148
146 # Authenticated!149 # Authenticated!
150 remote_address = req.remote_addr
151 if FLAGS.use_forwarded_for:
152 remote_address = req.headers.get('X-Forwarded-For', remote_address)
147 ctxt = context.RequestContext(user=user,153 ctxt = context.RequestContext(user=user,
148 project=project,154 project=project,
149 remote_address=req.remote_addr)155 remote_address=remote_address)
150 req.environ['ec2.context'] = ctxt156 req.environ['ec2.context'] = ctxt
151 return self.application157 return self.application
152158
153159
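Review bot: `remote_address = req.headers.get('X-Forwarded-For', remote_address)` passes the raw header value into RequestContext, but X-Forwarded-For is a comma-separated chain as soon as more than one hop is involved, or when the proxy appends to a client-supplied value instead of replacing it, so remote_address can end up as "a, b" rather than one IP. Split on ',' and take the entry the trusted proxy added (the right-most one, after stripping whitespace), and consider gating the branch on req.remote_addr being the proxy rather than on the global flag alone, since the flag's own help text concedes that an unsanitized header lets callers choose their address. Note also that `.get` only falls back when the header is absent; an empty X-Forwarded-For yields an empty remote_address.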
=== modified file 'nova/api/ec2/metadatarequesthandler.py'
--- nova/api/ec2/metadatarequesthandler.py 2010-12-22 20:59:53 +0000
+++ nova/api/ec2/metadatarequesthandler.py 2010-12-22 21:54:20 +0000
@@ -23,9 +23,13 @@
23import webob.dec23import webob.dec
24import webob.exc24import webob.exc
2525
26from nova import flags
26from nova.api.ec2 import cloud27from nova.api.ec2 import cloud
2728
2829
30FLAGS = flags.FLAGS
31
32
29class MetadataRequestHandler(object):33class MetadataRequestHandler(object):
30 """Serve metadata from the EC2 API."""34 """Serve metadata from the EC2 API."""
3135
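Review bot: FLAGS.use_forwarded_for is defined in nova/api/ec2/__init__.py, not in this module, so the lookup below depends on the package __init__ having been imported first. That holds today only because of `from nova.api.ec2 import cloud` two lines up; either define the flag next to a shared helper that both callers use, or leave a comment noting where the flag is registered so the import is not dropped as unused later.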
@@ -63,10 +67,13 @@
63 @webob.dec.wsgify67 @webob.dec.wsgify
64 def __call__(self, req):68 def __call__(self, req):
65 cc = cloud.CloudController()69 cc = cloud.CloudController()
66 meta_data = cc.get_metadata(req.remote_addr)70 remote_address = req.remote_addr
71 if FLAGS.use_forwarded_for:
72 remote_address = req.headers.get('X-Forwarded-For', remote_address)
73 meta_data = cc.get_metadata(remote_address)
67 if meta_data is None:74 if meta_data is None:
68 logging.error(_('Failed to get metadata for ip: %s') %75 logging.error(_('Failed to get metadata for ip: %s') %
69 req.remote_addr)76 remote_address)
70 raise webob.exc.HTTPNotFound()77 raise webob.exc.HTTPNotFound()
71 data = self.lookup(req.path_info, meta_data)78 data = self.lookup(req.path_info, meta_data)
72 if data is None:79 if data is None:
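Review bot: the three-line X-Forwarded-For lookup here is a verbatim copy of the one added to nova/api/ec2/__init__.py; factor it into a single helper so a fix to the header parsing lands in both places. This is the more sensitive of the two call sites, because `cc.get_metadata(remote_address)` uses the address as the instance's sole identity, so if the proxy does not overwrite the header, one guest can fetch another guest's metadata by setting it. As written the lookup also returns the full header value, which can be a comma-separated list; in that case get_metadata would be asked for a list rather than an IP, and the `Failed to get metadata for ip` log line at the bottom of the hunk would report that list.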