[openstack-dev] [Heat] rough draft of Heat autoscaling API

Zane Bitter zbitter at redhat.com
Thu Nov 14 18:44:18 UTC 2013


On 14/11/13 18:51, Randall Burt wrote:
>
> On Nov 14, 2013, at 11:30 AM, Christopher Armstrong
> <chris.armstrong at rackspace.com> wrote:
>
>> On Thu, Nov 14, 2013 at 11:16 AM, Randall Burt
>> <randall.burt at rackspace.com> wrote:
>>     Regarding web hook execution and cool down, I think the response
>>     should be something like 307 if the hook is on cool down with an
>>     appropriate retry-after header.

I strongly disagree with this even ignoring the security issue mentioned 
below. Being in the cooldown period is NOT an error, and the caller 
should absolutely NOT try again later - the request has been received 
and correctly acted upon (by doing nothing).

>> Indicating whether a webhook was found or whether it actually executed
>> anything may be an information leak, since webhook URLs require no
>> additional authentication other than knowledge of the URL itself.
>> Responding with only 202 means that people won't be able to guess at
>> random URLs and know when they've found one.
>
> Perhaps, but I also miss important information as a legitimate caller as
> to whether or not my scaling action actually happened or I've been a
> little too aggressive with my curl commands. The fact that I get
> anything other than 404 (which the spec returns if it's not a legit hook)
> means I've found *something* and can simply call it endlessly in a loop
> causing havoc. Perhaps the web hooks *should* be authenticated? This
> seems like a pretty large hole to me, especially if I can max someone's
> resources by guessing the right url.

Web hooks MUST be authenticated.

cheers,
Zane.
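One way to build the handler this thread is arguing for, as an added example that is not Heat's code: each trigger request is authenticated with an HMAC over the request path and a timestamp under a per-hook shared secret, a trigger that arrives during the cooldown period is accepted and silently does nothing, and every outcome (executed, on cooldown, bad signature, unknown hook, stale timestamp) returns the same 202 so that guessing URLs yields no signal. The hook id, secret, URL path and 300 second skew window are assumptions made for this example.

```python
"""Added example (not Heat's code): an authenticated scaling webhook
handler whose response leaks neither hook existence nor cooldown state."""
import hashlib
import hmac
import time
from dataclasses import dataclass

# Constructed sample data: hook id -> shared secret and cooldown (seconds).
# The id and secret are made up for this example.
HOOKS = {
    "a1b2c3": {"secret": b"s3cr3t-for-a1b2c3", "cooldown": 60},
}


@dataclass
class Hook:
    secret: bytes
    cooldown: float
    last_fired: float = 0.0   # clock value when the scaling action last ran
    fired: int = 0            # how many times the scaling action actually ran


class WebhookService:
    def __init__(self, hooks, clock=time.time, max_skew=300):
        self.hooks = {hid: Hook(h["secret"], h["cooldown"]) for hid, h in hooks.items()}
        self.clock = clock          # injectable for testing
        self.max_skew = max_skew    # assumed freshness window for the timestamp

    @staticmethod
    def sign(secret, hook_id, timestamp):
        # Assumed path layout; the client signs the same string with the shared secret.
        msg = f"POST /v1/webhooks/{hook_id}/trigger\n{timestamp}".encode()
        return hmac.new(secret, msg, hashlib.sha256).hexdigest()

    def handle(self, hook_id, timestamp, signature):
        """Return the HTTP status to send. Always 202: the caller cannot tell
        whether the hook exists, whether the signature verified, or whether
        the hook was on cooldown. Only the internal state changes."""
        hook = self.hooks.get(hook_id)
        # Unknown hook: do the same HMAC work with a dummy key so the timing
        # resembles the known-hook path, then respond identically.
        secret = hook.secret if hook else b"\x00" * 32
        expected = self.sign(secret, hook_id, timestamp)
        now = self.clock()
        fresh = abs(now - float(timestamp)) <= self.max_skew
        # compare_digest on bytes: constant-time and safe for any input bytes.
        sig_ok = hmac.compare_digest(expected.encode(), str(signature).encode())
        if hook is not None and sig_ok and fresh:
            # Cooldown is not an error: the request was received and acted on
            # by doing nothing, so no retry hint is sent.
            if now - hook.last_fired >= hook.cooldown:
                hook.last_fired = now
                hook.fired += 1
        return 202
```

The timestamp in the signed string bounds how long a captured request stays usable; a replay inside that window would still be accepted (and then absorbed by the cooldown), so a deployment that needs strict single-use triggers would add a nonce store on top of this.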
