Action authentication and visibility

Registered by Stan Lagun

Currently in order to call an action caller need to have a valid Keystone token or trust. Is is not always possible for cases where 3rd party system is supposed to be such caller

There can be a 3 types of authentication for application actions:
1) Public actions. Anybody can call them. No authentication required. Usually those are the actions without side effect, but if they do they do that on environment owner behalf
2) Actions that require authentication and could be invoked from both Murano UI/CLI (considering user has valid OpenStack credentials) and automation systems that cannot authenticate to Keystone
3) Actions that are supposed to be called from automation systems only

As an application developer I'd like to have control over authentication type for my actions

As an application developer I want to be able to obtain pre-authenticated HTTP endpoint for my action that I could provide to 3rd party system so that it could call particular authenticated action without having a valid Keysone token

As a Murano user I'd like to be able to manually get pre-authenticated endpoint for any action visible in dashboard.

Pre-authenticated endpoint is an URI that contains one-time secret embedded inside. Such endpoint is obtained for particular action on particular object in particular environment. Anyone having such endpoint can do a POST to it to invoke authenticated action that this endpoint for on behalf of the user who issued it. Such endpoints should be kept in secret and could be revoked by the system administrator.

Secret part of the endpoint should either include signed Keystone trust to perform the action on user's behalf alongside with action name, object and environment ID or a database ID of a record where Murano API could obtain this information.

There should be a way to get such endpoint both externally (from Murano API using UI or CLI) and internally (from MuranoPL code)

There should be a way to control if action is visible in dashboard or no as well if action requires authentication or no. Actions that do require authentication and externally visible could be invoked using both keystone token endpoint and pre-authenticated endpoint while hidden actions can be called only by those who have pre-authenticated endpoint (or hidden public endpoint for hidden actions that do not require authentication).

Action endpoints may also carry fixed subset of action argument values.

Blueprint information

Not started
Serg Melikyan
Stan Lagun
Needs approval
Series goal:
Accepted for mitaka
Milestone target:

Related branches




Work Items

This blueprint contains Public information 
Everyone can see this information.


No subscribers.