[openstack-dev] [keystone][monasca][congress][senlin][telemetry] authenticated webhook notifications

Thomas Herve therve at redhat.com
Fri May 4 09:36:34 UTC 2018

On Thu, May 3, 2018 at 9:49 PM, Eric K <ekcs.openstack at gmail.com> wrote:
> Question to the projects which send or consume webhook notifications
> (telemetry, monasca, senlin, vitrage, etc.), what are your
> supported/preferred authentication mechanisms? Bearer token (e.g.
> Keystone)? Signing?
> Any pointers to past discussions on the topic? My interest here is having
> Congress consume and send webhook notifications.
> I know some people are working on adding the keystone auth option to
> Monasca's webhook framework. If there is a project that already does it,
> it could be a very helpful reference.


I'll add a few that you didn't mention which consume such webhooks.

 * Heat has been using EC2 signatures basically since forever. It
creates EC2 credentials for a Keystone user, and signs URL that way.
 * Zaqar has signed URLs
which allows sharing queues without authentication.
 * Swift temp URLs
(https://docs.openstack.org/swift/latest/middleware.html#tempurl) is a
good mechanism to share information as well.

I'd say application credentials would make those operations a bit
nicer, but they are not completely there yet. Everybody not
reinventing its own wheel would be nice too :).


More information about the OpenStack-dev mailing list