[openstack-dev] [Heat] rough draft of Heat autoscaling API
Randall Burt
randall.burt at RACKSPACE.COM
Thu Nov 14 19:00:50 UTC 2013
On Nov 14, 2013, at 12:44 PM, Zane Bitter <zbitter at redhat.com>
wrote:
> On 14/11/13 18:51, Randall Burt wrote:
>>
>> On Nov 14, 2013, at 11:30 AM, Christopher Armstrong
>> <chris.armstrong at rackspace.com <mailto:chris.armstrong at rackspace.com>>
>> wrote:
>>
>>> On Thu, Nov 14, 2013 at 11:16 AM, Randall Burt
>>> <randall.burt at rackspace.com <mailto:randall.burt at rackspace.com>> wrote:
>>> Regarding web hook execution and cool down, I think the response
>>> should be something like 307 if the hook is on cool down with an
>>> appropriate retry-after header.
>
> I strongly disagree with this even ignoring the security issue mentioned below. Being in the cooldown period is NOT an error, and the caller should absolutely NOT try again later - the request has been received and correctly acted upon (by doing nothing).
But how do I know nothing was done? I may have very good reasons to re-scale outside of ceilometer or other mechanisms and absolutely SHOULD try again later. As it stands, I have no way of knowing that my scaling action didn't happen without examining my physical resources. 307 is a legitimate response in these cases, but I'm certainly open to other suggestions.
>
>>> Indicating whether a webhook was found or whether it actually executed
>>> anything may be an information leak, since webhook URLs require no
>>> additional authentication other than knowledge of the URL itself.
>>> Responding with only 202 means that people won't be able to guess at
>>> random URLs and know when they've found one.
>>
>> Perhaps, but I also miss important information as a legitimate caller as
>> to whether or not my scaling action actually happened or I've been a
>> little too aggressive with my curl commands. The fact that I get
>> anything other than 404 (which the spec returns if its not a legit hook)
>> means I've found *something* and can simply call it endlessly in a loop
>> causing havoc. Perhaps the web hooks *should* be authenticated? This
>> seems like a pretty large hole to me, especially if I can max someone's
>> resources by guessing the right url.
>
> Web hooks MUST be authenticated.
>
> cheers,
> Zane.
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
More information about the OpenStack-dev
mailing list