[openstack-dev] [keystone][monasca][congress][senlin][telemetry] authenticated webhook notifications
Eric K
2018-05-03 19:49:38 UTC
Question to the projects which send or consume webhook notifications
(telemetry, monasca, senlin, vitrage, etc.), what are your
supported/preferred authentication mechanisms? Bearer token (e.g.
Keystone)? Signing?

Any pointers to past discussions on the topic? My interest here is having
Congress consume and send webhook notifications.

I know some people are working on adding the keystone auth option to
Monasca's webhook framework. If there is a project that already does it,
it could be a very helpful reference.


Thanks very much!



__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-***@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/li
Bedyk, Witold
2018-05-04 08:53:58 UTC
Hi Eric,

In Monasca use cases sending the token in the request header should be enough, I guess. I'm adding the references to the HipChat [1] and Slack APIs [2] as well as two old blueprints [3, 4].

[1] https://developer.atlassian.com/server/hipchat/about-the-hipchat-rest-api/
[2] https://api.slack.com/web#authentication
[3] https://blueprints.launchpad.net/monasca/+spec/webhook-api-support
[4] https://blueprints.launchpad.net/monasca/+spec/secure-notification-params

Greetings
Witek

P.S. Adding Vitrage to the tags list.
Thomas Herve
2018-05-04 09:36:34 UTC
Post by Eric K
Question to the projects which send or consume webhook notifications
(telemetry, monasca, senlin, vitrage, etc.), what are your
supported/preferred authentication mechanisms? Bearer token (e.g.
Keystone)? Signing?
Any pointers to past discussions on the topic? My interest here is having
Congress consume and send webhook notifications.
I know some people are working on adding the keystone auth option to
Monasca's webhook framework. If there is a project that already does it,
it could be a very helpful reference.
Hi,

I'll add a few that you didn't mention which consume such webhooks.

* Heat has been using EC2 signatures basically since forever. It
creates EC2 credentials for a Keystone user, and signs URLs that way.
* Zaqar has signed URLs
(https://developer.openstack.org/api-ref/message/#pre-signed-queue)
which allow sharing queues without authentication.
* Swift temp URLs
(https://docs.openstack.org/swift/latest/middleware.html#tempurl) are a
good mechanism to share information as well.

I'd say application credentials would make those operations a bit
nicer, but they are not completely there yet. Everybody not
reinventing its own wheel would be nice too :).
--
Thomas

Eric K
2018-05-04 23:53:00 UTC
Thanks a lot Witold and Thomas!

So it doesn't seem that someone is currently using a keystone token to
authenticate web hook? Is it simply because most of the use cases had
involved services which do not use keystone?

Or is it unsuitable for another reason?
Thomas Herve
2018-05-06 16:30:20 UTC
Post by Eric K
Thanks a lot Witold and Thomas!
So it doesn't seem that someone is currently using a keystone token to
authenticate web hook? Is it simply because most of the use cases had
involved services which do not use keystone?
Or is it unsuitable for another reason?
It's fairly impractical for webhooks because

1) Tokens expire fairly quickly.
2) You can't store all the data in the URL, so you need to store the
token and the URL separately.
--
Thomas
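
Added example, not part of the original thread and not code from any OpenStack project: a webhook URL signed in the style of the Swift temp URLs mentioned above (HMAC over method, expiry and path, carried in `temp_url_sig` and `temp_url_expires`), so the URL is self-contained and its lifetime is set by the signer rather than by a token's expiry. The function names, the choice of SHA-256, the key and the URL are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed sample values; the key would be a per-webhook shared secret.
DEMO_KEY = b"constructed-demo-key"
DEMO_URL = "https://congress.example.test/v1/webhooks/alarm"


def _digest(key, method, expires, path):
    # TempURL-style message: METHOD, expiry and path joined by newlines.
    msg = f"{method}\n{expires}\n{path}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_webhook_url(url, key, method, expires):
    """Sender side: return url with signature and expiry in the query."""
    sig = _digest(key, method, expires, urlsplit(url).path)
    return f"{url}?temp_url_sig={sig}&temp_url_expires={expires}"


def verify_webhook_url(url, key, method, now):
    """Receiver side: True only for an unexpired, untampered URL."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        sig = query["temp_url_sig"][0]
        expires = int(query["temp_url_expires"][0])
    except (KeyError, ValueError):
        return False  # missing or malformed parameters
    if expires < now:
        return False  # expiry is checked by the receiver against its clock
    expected = _digest(key, method, expires, parts.path)
    # Constant-time comparison avoids leaking the signature byte by byte.
    return hmac.compare_digest(expected.encode(), sig.encode())


if __name__ == "__main__":
    signed = sign_webhook_url(DEMO_URL, DEMO_KEY, "POST", 1525651200)
    print(signed)
    print(verify_webhook_url(signed, DEMO_KEY, "POST", now=1525600000))
```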
