Thank you, Zane for the discussion. Point taken about sending webhook notifications.
Primarily I want Congress to consume webhook notifications from the openstack services which already send them (monasca, vitrage, etc.). Most of them do not currently support sending appropriate keystone tokens with the notifications, but some are open to doing it. The aodh and zaqar references are exactly what I was hoping to find. I couldn't find a reference to it in aodh docs or much on google, so many thanks for the pointer! Eric On 5/8/18, 1:20 PM, "Zane Bitter" <zbit...@redhat.com> wrote: >If the caller is something that is basically trusted, then you should >prefer regular keystone auth. If you need to make sure that the caller >can only use that one API, signed URLs are still the only game in town >for now (but we hope this is very temporary). > >> I know some people are working on adding the keystone auth option to >> Monasca's webhook framework. If there is a project that already does it, >> it could be a very helpful reference. > >There's a sort of convention that where you supply a webhook URL with a >scheme trust+https:// then the service creates a keystone trust and uses >that to get keystone tokens which are then used to authenticate the >webhook request. Aodh and Zaqar at least follow this convention. The >trust part is an important point that you're overlooking: (from your >other message) __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev