[openstack-dev] [Murano] Murano actions authentication and accessibility
slagun at mirantis.com
Mon Jan 18 00:38:53 UTC 2016
As many of you know, Murano actions are the Murano way to do something
to applications that are already deployed, using a simple REST API. For
example, a health monitoring system may trigger an action on high CPU
load so that the application could scale itself up.
However, there are several obstacles that make it hard to use actions
for such scenarios:
* There is no way to obtain a URI for the action from within MuranoPL
code. If an application wants the health monitoring system to call
Murano back, it needs to provide it with a URI it could use to signal
the event (i.e. the URI of the action).
However, applications are not aware of the Murano API server endpoint and
other required details, which makes it hard to construct such a URI
from MuranoPL. This effectively puts a constraint that the action
caller must be Murano-aware, which is still a rare case.
* Even if an application somehow manages to provide an external system with
an action URI, an attempt to call it will require a valid Keystone
token. This is because action URIs are served by the Murano API, which
requires it, and especially because all changes made to applications
must be authorized. This may be a problem, especially when that
external system is not OpenStack-aware and cannot authenticate to
Recently I submitted a specification for review that addresses those
issues. It can be found here: . It is not perfect and it adds some
pieces of code to Murano that I wish could be handled by Keystone
alone. However, it should solve most of the use cases we have today.
I'd like to ask anyone who has faced those issues or has experience in
the field to read the spec and share feedback on it. We need to make
sure that it doesn't have serious flaws and does cover your use cases
before we proceed with implementation.
Thanks for your help!
Principal Software Engineer @ Mirantis