After move the DB access from compute node to conductor, compute node have no DB access any more.
However, currently the conductor has no limitation to the DB access when it proxy for compute node. For example, a compute node can update the compute node information for other compute node, can update the migration information, basically it can do everything.
This means a compute node can impact cloud-wide stats, this is not secure considering potential Hypervisor compromise , thus we need enhance nova to limit the compute node DB privilege.
Although the discussion of signing message (https://blueprints.launchpad.net/oslo.messaging/+spec/trusted-messaging) are still on-going in OSLO, but I think it will be benefit if we can discuss what should be done on conductor and compute manager, to limite the DB access from compute node manager. The reasons are:
a) It will not easy to achieve DB access limitation for compute node, early discussion can help us find out the gap and estimate the effort needed.
b) Clarification of the requirement will help us to avoid new code merged that requies global information access from compute node.
c) This can be a usage case for trusted messaging and can provide helpful feedback to that blueprint.
