[openstack-dev] [Heat] rough draft of Heat autoscaling API
chris.armstrong at rackspace.com
Thu Nov 14 18:58:19 UTC 2013
On Thu, Nov 14, 2013 at 10:44 AM, Zane Bitter <zbitter at redhat.com> wrote:
> On 14/11/13 18:51, Randall Burt wrote:
>> On Nov 14, 2013, at 11:30 AM, Christopher Armstrong
>> <chris.armstrong at rackspace.com <mailto:chris.armstrong at rackspace.com>>
>> On Thu, Nov 14, 2013 at 11:16 AM, Randall Burt
>>> <randall.burt at rackspace.com <mailto:randall.burt at rackspace.com>> wrote:
>>> Regarding web hook execution and cool down, I think the response
>>> should be something like 307 if the hook is on cool down with an
>>> appropriate retry-after header.
> I strongly disagree with this even ignoring the security issue mentioned
> below. Being in the cooldown period is NOT an error, and the caller should
> absolutely NOT try again later - the request has been received and
> correctly acted upon (by doing nothing).
Yeah, I think it's fine to just let it always be 202. Also, they don't
actually return 404 when they don't exist -- I had that in an earlier
version of the spec but I thought I deleted it before posting it to this
> Indicating whether a webhook was found or whether it actually executed
>>> anything may be an information leak, since webhook URLs require no
>>> additional authentication other than knowledge of the URL itself.
>>> Responding with only 202 means that people won't be able to guess at
>>> random URLs and know when they've found one.
>> Perhaps, but I also miss important information as a legitimate caller as
>> to whether or not my scaling action actually happened or I've been a
>> little too aggressive with my curl commands. The fact that I get
>> anything other than 404 (which the spec returns if its not a legit hook)
>> means I've found *something* and can simply call it endlessly in a loop
>> causing havoc. Perhaps the web hooks *should* be authenticated? This
>> seems like a pretty large hole to me, especially if I can max someone's
>> resources by guessing the right url.
> Web hooks MUST be authenticated.
Do you mean they should have an X-Auth-Token passed? Or an X-Trust-ID?
The idea was that webhooks are secret (and should generally only be passed
around through automated systems, not with human interaction). This is
usually how webhooks work, and it's actually how they work now in Heat --
even though there's a lot of posturing about signed requests and so forth,
in the end they are literally just secret URLs that give you the capability
to perform some operation (if you have the URL, you don't need anything
else to execute them). I think we should simplify this to to just be a
random revokable blob.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OpenStack-dev