Implement the initial version of senlin webhook

Registered by Yanyan Hu

Webhook is use to trigger cluster scaling. This blueprint is for the initial version:

Some basic ideas:
1) cluster owner will trust *senlin-admin* user each time a webhook is bonded to the target cluster;
2) *senlin-admin* user will request the cluster action api to trigger the real cluster scaling operation on behalf of the webhook invoker;
3) Webhook itself can be invoked without any credential;

More detail description can be found here:
https://wiki.openstack.org/wiki/Senlin/webhook

Blueprint information

Status:
Complete
Approver:
Qiming Teng
Priority:
High
Drafter:
Yanyan Hu
Direction:
Needs approval
Assignee:
Yanyan Hu
Definition:
Approved
Series goal:
None
Implementation:
Implemented
Milestone target:
None
Started by
Qiming Teng
Completed by
Qiming Teng

Related branches

Sprints

Whiteboard

1) cluster owner will trust *senlin-admin* user each time a webhook is bonded to the target cluster;

A webhook encapsulates a tuple <user, entity, action, param>, where:
 - 'user' captures the credentials that can be used for authenticating with Keystone;
 - 'entity' could be a cluster, a node, or a policy
 - 'action' could be any predefined action or even customized action (future extension)
 - 'param' is dependent on the action specified.

So, there is no need to bind/unbind a webook to a cluster. The webhook should already contain all needed info.

I'd suggest naming the shared user as 'senlin' instead of 'senlin-admin'.

One issue to consider is whether and how 'senlin' can be granted trusts from any project. In other words, does Keystone allow us to do a cross-project trust creation?

Yes, keystone allow the cross-project trust.

2) *senlin-admin* user will request the cluster action api to trigger the real cluster scaling operation on behalf of the webhook invoker;

Can we document the workflow here: wiki.openstack.org/Senlin/webhook

3) Webhook itself can be invoked without any credential;

It is a pity that projects such as Ceilometer is not providing appropriate Headers when invoking the webhook alike API (i.e. alarm_url). But that is not our issue at the moment.

Gerrit topic: https://review.openstack.org/#q,topic:senlin-webhook-initial-version,n,z

Addressed by: https://review.openstack.org/167094
    Add webhook table in Senlin DB

Addressed by: https://review.openstack.org/167140
    Initial version - Webhook DB APIs

Addressed by: https://review.openstack.org/169215
    Initial version of webhook class and middleware

Addressed by: https://review.openstack.org/170338
    Use openstacksdk to do authenticate in WebhookMiddleware

Addressed by: https://review.openstack.org/170344
    Add two webhook exceptions

Addressed by: https://review.openstack.org/170420
    Encrypt webhook url

Addressed by: https://review.openstack.org/170423
    Implement webhook services

Addressed by: https://review.openstack.org/171084
    Fix a little bug of webhook

Addressed by: https://review.openstack.org/172359
    Initial version of webhook API

Addressed by: https://review.openstack.org/173194
    Add force param for webhook_delete function

Addressed by: https://review.openstack.org/173245
    Fix two bugs in webhook

Addressed by: https://review.openstack.org/173746
    Implement webhook trigger

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.

Subscribers

No subscribers.