+++ This bug was initially created as a clone of Bug #1466129 +++

Description of problem:

Currently, there's no way to ascertain the identity/validity of webhook requests sent by gluster-eventsd. If a header was added that contains an HMAC token generated using the content and a secret key, this would ensure that the server can validate that the request is genuine before processing the event.

--- Additional comment from Aravinda VK on 2017-09-27 00:54:42 EDT ---

As discussed over IRC, the Events API will implement JWT (JSON Web Tokens). An additional argument will be added to the webhook-add command to accept the secret which is required to generate the JWT.

    gluster-eventsapi webhook-add <url> [-t <TOKEN>] \
                                        [--secret <SECRET>]

For the shared secret approach use `--secret`, and for the shared token approach use `--token`.

With the `-t` argument, the Token header will be added as is.

    Authorization: Bearer <TOKEN>

In case of a shared secret, Gluster will generate a JWT token using the secret and then add it to the Authorization header.

    Authorization: Bearer <GENERATED_TOKEN>

Secret/Token can be updated using the `webhook-mod` command.

The generated token will include the following payload:

    {
        "iss": "gluster",
        "exp": EXPIRY_TIME,
        "sub": EVENT_TYPE,
        "iat": EVENT_TIME
    }

Where:

    iss - Issuer
    exp - Expiry Time
    sub - Event Type used as Subject
    iat - Event Time used as Issue Time
REVIEW: https://review.gluster.org/18405 (eventsapi: Add JWT signing support) posted (#1) for review on master by Aravinda VK (avishwan)
COMMIT: https://review.gluster.org/18405 committed in master by Aravinda VK (avishwan)

------

commit add7116efa1f31e86f9c00c72c71872b1161370f
Author: Aravinda VK <avishwan>
Date:   Mon Sep 18 14:34:54 2017 +0530

    eventsapi: Add JWT signing support

    New argument added to accept secret to generate JWT token.
    This patch does not affect the backward compatibility.

    Usage:

        gluster-eventsapi webhook-add <url> [-t <TOKEN>] \
                                            [-s SECRET]

    With `--token` argument, the Token header will be added as is.

        Authorization: Bearer <TOKEN>

    In case of shared secret, Gluster will generate a JWT token using the
    secret and then add it to the Authorization header.

        Authorization: Bearer <GENERATED_TOKEN>

    Secret/Token can be updated using the `webhook-mod` command.

    The generated token will include the following payload:

        {
            "iss": "gluster",
            "exp": EXPIRY_TIME,
            "sub": EVENT_TYPE,
            "iat": EVENT_TIME
        }

    Where:

        iss - Issuer
        exp - Expiry Time
        sub - Event Type used as Subject
        iat - Event Time used as Issue Time

    BUG: 1496363
    Change-Id: Ib6b6fab23fb212d7f5e9bbc9e1416a9e9813ab1b
    Signed-off-by: Aravinda VK <avishwan>
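The shared-secret flow described in the comment above and in the commit message, worked through end to end as an added example (not gluster-eventsd's own code): the sender builds the JWT with the iss/exp/sub/iat payload and the receiver checks the Bearer token before processing the event. The page does not name the signing algorithm, so HS256 (HMAC-SHA256) is assumed here, and the event type "VOLUME_CREATE" and the secret are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Added example; assumes HS256, which the bug report does not state.


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(secret: str, event_type: str, event_time: int, ttl: int = 300) -> str:
    """Sender side: the token placed in 'Authorization: Bearer <GENERATED_TOKEN>'."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": "gluster", "exp": event_time + ttl, "sub": event_type, "iat": event_time}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, secret: str, now: Optional[int] = None) -> Optional[dict]:
    """Receiver side: return the payload if genuine and unexpired, else None."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    signing_input = parts[0] + "." + parts[1]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        # Pin the algorithm: the token must not choose it (rejects "none").
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(parts[2])):  # constant time
            return None
        payload = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None
    if payload.get("iss") != "gluster" or not isinstance(payload.get("exp"), int) or payload["exp"] < now:
        return None
    return payload


def bearer_from_header(value: str) -> Optional[str]:
    """Extract the token from an 'Authorization: Bearer <TOKEN>' header value."""
    scheme, _, token = value.partition(" ")
    return token if scheme == "Bearer" and token else None
```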
This bug is getting closed because a release has been made available that should address the reported issue. In case the problem is still not fixed with glusterfs-3.13.0, please open a new bug report.

glusterfs-3.13.0 has been announced on the Gluster mailing lists [1], packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailing list [2] and the update infrastructure for your distribution.

[1] http://lists.gluster.org/pipermail/announce/2017-December/000087.html
[2] https://www.gluster.org/pipermail/gluster-users/