On Nov 14, 2013, at 12:44 PM, Zane Bitter <zbit...@redhat.com> wrote:
> On 14/11/13 18:51, Randall Burt wrote:
>>
>> On Nov 14, 2013, at 11:30 AM, Christopher Armstrong
>> <chris.armstr...@rackspace.com> wrote:
>>
>>> On Thu, Nov 14, 2013 at 11:16 AM, Randall Burt
>>> <randall.b...@rackspace.com> wrote:
>>> Regarding web hook execution and cool down, I think the response
>>> should be something like 307 if the hook is on cool down with an
>>> appropriate retry-after header.
>
> I strongly disagree with this even ignoring the security issue mentioned
> below. Being in the cooldown period is NOT an error, and the caller should
> absolutely NOT try again later - the request has been received and correctly
> acted upon (by doing nothing).

But how do I know nothing was done? I may have very good reasons to re-scale outside of ceilometer or other mechanisms and absolutely SHOULD try again later. As it stands, I have no way of knowing that my scaling action didn't happen without examining my physical resources. 307 is a legitimate response in these cases, but I'm certainly open to other suggestions.

>
>>> Indicating whether a webhook was found or whether it actually executed
>>> anything may be an information leak, since webhook URLs require no
>>> additional authentication other than knowledge of the URL itself.
>>> Responding with only 202 means that people won't be able to guess at
>>> random URLs and know when they've found one.
>>
>> Perhaps, but I also miss important information as a legitimate caller as
>> to whether or not my scaling action actually happened or I've been a
>> little too aggressive with my curl commands. The fact that I get
>> anything other than 404 (which the spec returns if it's not a legit hook)
>> means I've found *something* and can simply call it endlessly in a loop
>> causing havoc. Perhaps the web hooks *should* be authenticated? This
>> seems like a pretty large hole to me, especially if I can max someone's
>> resources by guessing the right url.
>
> Web hooks MUST be authenticated.
>
> cheers,
> Zane.
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
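The thread argues about two things at once: whether an unauthenticated caller should be able to learn anything from the response, and whether a legitimate caller can find out if its scaling action ran. The example below is added here for illustration and is not code from the thread, from Heat or from Rackspace Autoscale. It shows one way the two concerns stop conflicting once the hook is authenticated: the handler verifies an HMAC-SHA256 signature over a timestamp and the request body, answers unknown ids, bad signatures and stale timestamps with an identical empty 404, and only after that tells the caller whether the action executed or was suppressed by cooldown. The header names, the in-memory hook registry, the shared secret, the cooldown value and the shape of the 202 body are all assumptions of this example.

```python
import hashlib
import hmac
import time

# Constructed sample registry: hook id -> shared secret and cooldown in seconds.
# A real service would load this from its datastore; these values are made up.
HOOKS = {
    "hook-abc123": {"secret": b"s3cr3t-shared-at-registration", "cooldown": 60},
}

# Last execution time per hook id (kept in memory for the example).
LAST_FIRED = {}


def sign(secret, timestamp, body):
    """Caller side: hex HMAC-SHA256 over '<timestamp>.<body>' with the shared secret."""
    msg = str(timestamp).encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def handle_webhook(hook_id, body, headers, now=None, max_skew=300):
    """Return (status, payload) for a webhook POST.

    Unknown ids, malformed or stale timestamps and bad signatures all get the
    same empty 404, so a caller without the secret cannot distinguish a real
    hook from a guessed URL, and repeated guessing never triggers scaling.
    """
    now = time.time() if now is None else now
    hook = HOOKS.get(hook_id)
    sig = headers.get("X-Hook-Signature", "")   # assumed header name
    ts = headers.get("X-Hook-Timestamp", "")    # assumed header name
    if hook is None:
        return 404, {}
    try:
        ts_val = int(ts)
    except ValueError:
        return 404, {}
    # Bound the timestamp window so a captured request cannot be replayed later.
    if abs(now - ts_val) > max_skew:
        return 404, {}
    expected = sign(hook["secret"], ts_val, body)
    # Constant-time comparison: timing must not reveal how many bytes matched.
    if not hmac.compare_digest(expected, sig):
        return 404, {}

    # Authenticated caller: it is now safe to report what actually happened.
    last = LAST_FIRED.get(hook_id)
    if last is not None and now - last < hook["cooldown"]:
        return 202, {
            "executed": False,
            "reason": "cooldown",
            "retry_after": int(hook["cooldown"] - (now - last)),
        }
    LAST_FIRED[hook_id] = now
    return 202, {"executed": True}


if __name__ == "__main__":
    secret = HOOKS["hook-abc123"]["secret"]
    body = b'{"event": "cpu_high"}'          # constructed sample payload
    ts = int(time.time())
    headers = {"X-Hook-Signature": sign(secret, ts, body), "X-Hook-Timestamp": str(ts)}
    print(handle_webhook("hook-abc123", body, headers))  # executes
    print(handle_webhook("hook-abc123", body, headers))  # suppressed by cooldown
    print(handle_webhook("hook-abc123", body, {}))       # unsigned: 404
```

The cooldown response stays 202, as Christopher proposed, but the body carries the executed flag and a retry hint that Randall asked for; whether that hint lives in the body or in a Retry-After header is a design choice the example does not settle. The point is that the leak only exists while knowledge of the URL is the sole credential; with a signed request, the 404 branch never reaches the cooldown logic, so nothing about hook existence or state is exposed to a guesser.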