Limited conductor API
This wiki page was created specifically for the design summit session at http://junodesignsummit.sched.org/event/2cc6b4e6c2569394855f2699f8f078b7#.U2J4ufldWrQ . It is not intended to be a blueprint, although it can serve as a base for a future BP.
Unprivileged compute nodes are a big topic; this page focuses mostly on DB access.
Scenario and Issue
Currently a compute node has unlimited access to the DB through the conductor, either directly via the conductor API or via NovaObject. With this privilege, a compute node can modify any DB table: for example, delete any instance hosted by another compute node, change the service status, etc.
This is a security issue when the compute node service runs in the same environment as the servers it hosts, considering that a server which escapes its isolation can then control the whole host environment, and with it the compute node's DB privileges.
Goal
The goal is to enhance the conductor, or the NovaObject layer, with access control for compute nodes, so that a compute node can only access the DB tables and rows relevant to it.
For example, a compute node should only be able to update its own single row in the compute_node table, and should only be able to update an instance table row if that instance is hosted on that compute node.
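To make the goal concrete, the following is an added example, not Nova's conductor or NovaObject code, that models a conductor scoping DB writes to the calling compute host. The class and function names (RequestContext, Conductor, instance_update, instance_destroy, compute_node_update), the RequestContext.host attribute and the in-memory sample rows are assumptions chosen to mirror the page's description.

```python
"""Added example (not Nova's code): a minimal model of a conductor that
scopes DB writes to the calling compute host.

Names such as RequestContext, Conductor, instance_update and
compute_node_update are hypothetical; the tables below are constructed
in-memory sample data standing in for the instances and compute_node tables.
"""

from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a compute host tries to modify a row it does not own."""


@dataclass
class RequestContext:
    # Identity of the calling compute service. For the check to mean
    # anything this must come from the authenticated RPC transport,
    # not from a host name the caller puts in the message body.
    host: str


@dataclass
class Conductor:
    # Constructed sample tables: instance uuid -> row, node id -> row.
    instances: dict = field(default_factory=dict)
    compute_nodes: dict = field(default_factory=dict)
    # enforce=False reproduces today's "unlimited access" behaviour.
    enforce: bool = True

    def _check_owner(self, context, row_host, what):
        # The row's host column must match the caller's identity.
        if self.enforce and row_host != context.host:
            raise Forbidden(f"{context.host} may not modify {what} owned by {row_host}")

    def instance_update(self, context, uuid, values):
        row = self.instances[uuid]
        # Only instances hosted on the caller's node may be changed...
        self._check_owner(context, row["host"], f"instance {uuid}")
        # ...and the caller may not re-home an instance to another host,
        # which would otherwise let it grab rows it does not own.
        if "host" in values and values["host"] != context.host:
            raise Forbidden(f"{context.host} may not move instance {uuid} to {values['host']}")
        row.update(values)
        return dict(row)

    def instance_destroy(self, context, uuid):
        row = self.instances[uuid]
        self._check_owner(context, row["host"], f"instance {uuid}")
        return self.instances.pop(uuid)

    def compute_node_update(self, context, node_id, values):
        row = self.compute_nodes[node_id]
        # Only the single compute_node row belonging to the caller may change.
        self._check_owner(context, row["host"], f"compute_node {node_id}")
        row.update(values)
        return dict(row)


def sample_conductor(enforce=True):
    """Build a conductor over constructed sample rows for two hosts."""
    return Conductor(
        instances={
            "inst-a": {"host": "compute1", "vm_state": "active"},
            "inst-b": {"host": "compute2", "vm_state": "active"},
        },
        compute_nodes={
            1: {"host": "compute1", "vcpus_used": 2},
            2: {"host": "compute2", "vcpus_used": 4},
        },
        enforce=enforce,
    )


def demo():
    """Same cross-host delete, with and without enforcement.

    Returns (row_still_present_unrestricted, outcome_restricted).
    """
    ctx = RequestContext(host="compute1")
    # Today's behaviour: compute1 can delete an instance hosted on compute2.
    open_conductor = sample_conductor(enforce=False)
    open_conductor.instance_destroy(ctx, "inst-b")
    unrestricted = "inst-b" in open_conductor.instances
    # Proposed behaviour: the same call is refused and the row survives.
    scoped = sample_conductor()
    try:
        scoped.instance_destroy(ctx, "inst-b")
        restricted = "allowed"
    except Forbidden:
        restricted = "forbidden"
    return unrestricted, restricted


if __name__ == "__main__":
    print(demo())  # (False, 'forbidden')
```

The design point worth noting is where context.host comes from: the conductor must bind it to the authenticated identity of the RPC connection (per-host credentials), because a check against a host name that the compute node reports about itself can be satisfied by any caller.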
Design
To achieve the access control to the compute node,