[aodh][keystone] handling of webhook / alarm authentication

Duc Truong duc.openstack at gmail.com
Fri Jan 10 17:18:05 UTC 2020


Senlin implements unauthenticated webhooks [1] that can be called by
aodh.  The webhook id is a uuid that is generated for each webhook.
When the webhook is created, Senlin creates a keystone trust with the
user to perform actions on their behalf when the webhook is received.

That is probably the easiest way to implement webhooks without
worrying about passing the keystone token context.

[1] https://docs.openstack.org/api-ref/clustering/#trigger-webhook-action

On Fri, Jan 10, 2020 at 4:48 AM info at dantalion.nl <info at dantalion.nl> wrote:
>
> Hi Lingxian,
>
> The information referenced comes from:
> https://docs.openstack.org/aodh/latest/admin/telemetry-alarms.html
>
> Here it would be an alarm that would use the webhooks action. The
> endpoint in our use case would be Watcher for which we have just passed
> a spec: https://review.opendev.org/#/c/695646/
>
> With these alarms that report using a webhook I am wondering how these
> received alarms can be authenticated and if the keystone token context
> is available?
>
> Hope this makes it clearer.
>
> Kind regards,
> Corne Lukken
> Watcher core-reviewer
>
> On 1/10/20 11:44 AM, Lingxian Kong wrote:
> > Hi Corne,
> >
> > I didn't fully understand your question, could you please provide the doc
> > mentioned and if possible, an example of aodh alarm you want to create
> > would be better.
> >
> > -
> > Best regards,
> > Lingxian Kong
> > Catalyst Cloud
> >
> >
> > On Fri, Jan 10, 2020 at 10:30 PM info at dantalion.nl <info at dantalion.nl>
> > wrote:
> >
> >> Hello,
> >>
> >> I was wondering how a service receiving an aodh webhook could perform
> >> authentication?
> >>
> >> The documentation describes the webhook as a simple post-request so I
> >> was wondering if a keystone token context is available when these
> >> requests are received?
> >>
> >> If not, I was wondering if anyone had any recommendation on how to
> >> perform authentication upon received post-requests?
> >>
> >> So far I have come up with limiting the functionality of these webhooks
> >> such as rate-limiting and administrators having to explicitly enable
> >> these webhooks before they work.
> >>
> >> Hope anyone else could provide further valuable information.
> >>
> >> Kind regards,
> >> Corne Lukken
> >> Watcher core-reviewer
> >>
> >>
> >
>



More information about the openstack-discuss mailing list