[aodh][keystone] handling of webhook / alarm authentication
Hello,
I was wondering how a service receiving an aodh webhook could perform authentication?
The documentation describes the webhook as a simple post-request so I was wondering if a keystone token context is available when these requests are received?
If not, I was wondering if anyone had any recommendation on how to perform authentication upon received post-requests?
So far I have come up with limiting the functionality of these webhooks such as rate-limiting and administrators having to explicitly enable these webhooks before they work.
Hope anyone else could provide further valuable information.
Kind regards,
Corne Lukken
Watcher core-reviewer
Hi Corne,
I didn't fully understand your question, could you please provide the doc mentioned and if possible, an example of aodh alarm you want to create would be better.
- Best regards,
Lingxian Kong
Catalyst Cloud
On Fri, Jan 10, 2020 at 10:30 PM info@dantalion.nl <info@dantalion.nl> wrote:
> Hello,
> I was wondering how a service receiving an aodh webhook could perform authentication?
> The documentation describes the webhook as a simple post-request so I was wondering if a keystone token context is available when these requests are received?
> If not, I was wondering if anyone had any recommendation on how to perform authentication upon received post-requests?
> So far I have come up with limiting the functionality of these webhooks such as rate-limiting and administrators having to explicitly enable these webhooks before they work.
> Hope anyone else could provide further valuable information.
> Kind regards, Corne Lukken Watcher core-reviewer
Hi Lingxian,
The information referenced comes from: https://docs.openstack.org/aodh/latest/admin/telemetry-alarms.html
Here it would be an alarm that would use the webhooks action. The endpoint in our use case would be Watcher for which we have just passed a spec: https://review.opendev.org/#/c/695646/
With these alarms that report using a webhook I am wondering how these received alarms can be authenticated and if the keystone token context is available?
Hope this makes it clearer.
Kind regards,
Corne Lukken
Watcher core-reviewer
On 1/10/20 11:44 AM, Lingxian Kong wrote:
> Hi Corne,
> I didn't fully understand your question, could you please provide the doc mentioned and if possible, an example of aodh alarm you want to create would be better.
> - Best regards, Lingxian Kong Catalyst Cloud
> On Fri, Jan 10, 2020 at 10:30 PM info@dantalion.nl <info@dantalion.nl> wrote:
> > Hello,
> > I was wondering how a service receiving an aodh webhook could perform authentication?
> > The documentation describes the webhook as a simple post-request so I was wondering if a keystone token context is available when these requests are received?
> > If not, I was wondering if anyone had any recommendation on how to perform authentication upon received post-requests?
> > So far I have come up with limiting the functionality of these webhooks such as rate-limiting and administrators having to explicitly enable these webhooks before they work.
> > Hope anyone else could provide further valuable information.
> > Kind regards, Corne Lukken Watcher core-reviewer
Senlin implements unauthenticated webhooks [1] that can be called by aodh. The webhook id is a uuid that is generated for each webhook. When the webhook is created, Senlin creates a keystone trust with the user to perform actions on their behalf when the webhook is received. That is probably the easiest way to implement webhooks without worrying about passing the keystone token context.
[1] https://docs.openstack.org/api-ref/clustering/#trigger-webhook-action
On Fri, Jan 10, 2020 at 4:48 AM info@dantalion.nl <info@dantalion.nl> wrote:
> Hi Lingxian,
> The information referenced comes from: https://docs.openstack.org/aodh/latest/admin/telemetry-alarms.html
> Here it would be an alarm that would use the webhooks action. The endpoint in our use case would be Watcher for which we have just passed a spec: https://review.opendev.org/#/c/695646/
> With these alarms that report using a webhook I am wondering how these received alarms can be authenticated and if the keystone token context is available?
> Hope this makes it clearer.
> Kind regards, Corne Lukken Watcher core-reviewer
> On 1/10/20 11:44 AM, Lingxian Kong wrote:
> > Hi Corne,
> > I didn't fully understand your question, could you please provide the doc mentioned and if possible, an example of aodh alarm you want to create would be better.
> > - Best regards, Lingxian Kong Catalyst Cloud
> > On Fri, Jan 10, 2020 at 10:30 PM info@dantalion.nl <info@dantalion.nl> wrote:
> > > Hello,
> > > I was wondering how a service receiving an aodh webhook could perform authentication?
> > > The documentation describes the webhook as a simple post-request so I was wondering if a keystone token context is available when these requests are received?
> > > If not, I was wondering if anyone had any recommendation on how to perform authentication upon received post-requests?
> > > So far I have come up with limiting the functionality of these webhooks such as rate-limiting and administrators having to explicitly enable these webhooks before they work.
> > > Hope anyone else could provide further valuable information.
> > > Kind regards, Corne Lukken Watcher core-reviewer
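
The pattern described in the message above (a random UUID per webhook, bound to a trust at creation), combined with the explicit enabling and rate limiting suggested in the first message, sketched as an added example. It is not Senlin's or Watcher's code; `WebhookRegistry`, its limits and the trust id string are hypothetical, and the use of `uuid4` is an assumption.

```python
import time
import uuid


class WebhookRegistry:
    """Unauthenticated webhooks addressed by a random UUID (hypothetical class)."""

    def __init__(self, max_calls=3, window=60.0):
        self.hooks = {}
        self.max_calls, self.window = max_calls, window

    def create(self, trust_id):
        # uuid4 is random, so the id is the only credential carried in the URL.
        hook_id = str(uuid.uuid4())
        # trust_id stands for the keystone trust made when the hook is created.
        self.hooks[hook_id] = {"trust_id": trust_id, "enabled": False, "calls": []}
        return hook_id

    def enable(self, hook_id):
        """Administrator opt-in: a hook does nothing until explicitly enabled."""
        self.hooks[hook_id]["enabled"] = True

    def trigger(self, hook_id, now=None):
        """Return (HTTP status, trust_id or None) for one incoming POST."""
        now = time.monotonic() if now is None else now
        hook = self.hooks.get(hook_id)
        if hook is None or not hook["enabled"]:
            return 404, None  # same answer for unknown and disabled ids
        # Sliding-window rate limit, tracked per webhook.
        hook["calls"] = [t for t in hook["calls"] if now - t < self.window]
        if len(hook["calls"]) >= self.max_calls:
            return 429, None
        hook["calls"].append(now)
        return 202, hook["trust_id"]  # the service then acts through this trust
```

Because the id is the whole credential here, the webhook URL has to be handled like a secret wherever it is stored or logged.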
On Sat, Jan 11, 2020 at 1:47 AM info@dantalion.nl <info@dantalion.nl> wrote:
> With these alarms that report using a webhook I am wondering how these received alarms can be authenticated and if the keystone token context is available?
Aodh supports creating an alarm with actions such as 'trust+http://<URL>'; once the alarm is triggered, the URL service will receive a POST request with 'X-Auth-Token' in the headers and alarm information in the body.
- Best regards,
Lingxian Kong
Catalyst Cloud
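
How a receiving service could check the 'X-Auth-Token' that a 'trust+http' action delivers, as an added example that is not code from aodh or Watcher: it validates the token with Keystone's `GET /v3/auth/tokens` call and then checks the project scope. The endpoint URL, token values, project id, sample body and the `fake_keystone` stand-in are assumptions constructed so the block runs offline.

```python
import io
import json
from urllib import error, request

KEYSTONE_URL = "http://keystone.example:5000"  # assumption: identity endpoint


def validate_token(subject_token, service_token, opener=request.urlopen):
    """Return Keystone's token data for subject_token, or None if rejected."""
    req = request.Request(
        KEYSTONE_URL + "/v3/auth/tokens",  # Keystone v3 token validation call
        headers={"X-Auth-Token": service_token,
                 "X-Subject-Token": subject_token})
    try:
        with opener(req, timeout=5) as resp:
            return json.load(resp)["token"]
    except (error.URLError, KeyError, ValueError):
        return None  # fail closed: invalid token, bad reply or Keystone down


def handle_alarm(headers, body, service_token, allowed_project,
                 opener=request.urlopen):
    """Authenticate one alarm POST; return (HTTP status, detail)."""
    token = headers.get("X-Auth-Token")  # assumes header names are normalized
    if not token:
        return 401, "missing X-Auth-Token"
    data = validate_token(token, service_token, opener)
    if data is None:
        return 401, "token rejected by keystone"
    # Authorize: the token must be scoped to the project that owns this hook.
    if data.get("project", {}).get("id") != allowed_project:
        return 403, "token scoped to another project"
    try:
        alarm = json.loads(body)
        return 202, "%s -> %s" % (alarm["alarm_id"], alarm["current"])
    except (ValueError, KeyError, TypeError):
        return 400, "malformed alarm body"


def fake_keystone(req, timeout=None):
    """Constructed stand-in for Keystone so the example runs offline."""
    if req.get_header("X-subject-token") != "good-token":
        raise error.HTTPError(req.full_url, 404, "Not Found", {}, None)
    reply = {"token": {"project": {"id": "proj-a"}}}
    return io.BytesIO(json.dumps(reply).encode())


# Constructed sample of the alarm information sent in the POST body.
SAMPLE_BODY = '{"alarm_id": "a1", "previous": "ok", "current": "alarm"}'
```

In an OpenStack service this validation is normally done by the keystonemiddleware `auth_token` filter in front of the API rather than by hand.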
participants (3)
- Duc Truong
- info@dantalion.nl
- Lingxian Kong