On 14/11/13 18:51, Randall Burt wrote:
On Nov 14, 2013, at 11:30 AM, Christopher Armstrong <chris.armstr...@rackspace.com> wrote:
On Thu, Nov 14, 2013 at 11:16 AM, Randall Burt <randall.b...@rackspace.com> wrote:
Regarding web hook execution and cool down, I think the response
should be something like 307 if the hook is on cool down with an
appropriate retry-after header.
I strongly disagree with this even ignoring the security issue mentioned
below. Being in the cooldown period is NOT an error, and the caller
should absolutely NOT try again later - the request has been received
and correctly acted upon (by doing nothing).
Indicating whether a webhook was found or whether it actually executed
anything may be an information leak, since webhook URLs require no
additional authentication other than knowledge of the URL itself.
Responding with only 202 means that people won't be able to guess at
random URLs and know when they've found one.
Perhaps, but I also miss important information as a legitimate caller as
to whether or not my scaling action actually happened or I've been a
little too aggressive with my curl commands. The fact that I get
anything other than 404 (which the spec returns if it's not a legit hook)
means I've found *something* and can simply call it endlessly in a loop
causing havoc. Perhaps the web hooks *should* be authenticated? This
seems like a pretty large hole to me, especially if I can max someone's
resources by guessing the right URL.
Web hooks MUST be authenticated.
cheers,
Zane.
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
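
One way to reconcile the two concerns raised in this thread (no existence oracle for guessed URLs, but useful feedback for legitimate callers), as an added example that is not part of any message above and not the project's code. It assumes a per-hook shared secret and an HMAC-SHA256 signature sent with each call; the names `HOOKS`, `sign` and `handle_webhook`, the 401 response and the `executed` field are hypothetical, and replay protection is out of scope.

```python
import hashlib
import hmac
import time

# Constructed sample data: hook id -> per-hook secret and cooldown state.
HOOKS = {
    "hook-1": {"secret": b"constructed-secret", "cooldown": 60, "last_run": None},
}
# Used for unknown hook ids so the same HMAC work is done either way.
_DUMMY_SECRET = b"\x00" * 32


def sign(secret, body):
    """HMAC-SHA256 hex digest a legitimate caller sends with the request."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def handle_webhook(hook_id, body, signature, now=None):
    """Return (status, payload) for one webhook call.

    An unknown hook and a bad signature give the same answer, so the
    response does not reveal whether a hook URL exists. Only an
    authenticated caller learns whether the action ran or was skipped
    because the hook is in its cooldown period.
    """
    now = time.time() if now is None else now
    hook = HOOKS.get(hook_id)
    secret = hook["secret"] if hook else _DUMMY_SECRET
    expected = sign(secret, body).encode()
    # Constant-time comparison; bytes on both sides avoids a TypeError
    # when the supplied signature contains non-ASCII characters.
    valid = hmac.compare_digest(expected, signature.encode())
    if hook is None or not valid:
        return 401, {}
    last = hook["last_run"]
    if last is not None and now - last < hook["cooldown"]:
        # Cooldown is not an error: the request was accepted, nothing ran.
        return 202, {"executed": False}
    hook["last_run"] = now
    return 202, {"executed": True}
```
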