Support connection to arbitrary Openstack clouds

Problem description

Mistral is configured to execute workflows on a specific cloud (VIM (Virtual Infrastructure Manager) in ETSI MANO terms). In order to execute workflows on a different cloud one needs to start a new Mistral instance with the cloud specific configuration. When Mistral is used in standalone mode, this is an undesired overhead and can cause unpredictable resource usage patterns.

This blueprint proposes to extend the workflow execution parameters to make it possible to target a specific cloud without modifying the configuration of the Mistral service.

Use Cases

  • As a tenant, I want to execute the same workflow on different clouds without having to start a new Mistral instance with changed configuration.

Proposed change

Both the Mistral server and command line client are affected.

The ‘execution-create’ functionality should take parameters that describe the target cloud for the execution. The following optional parameters should be added:

  • target_auth_url: auth URL of the target cloud

  • target_auth_token: valid authentication token for the target cloud

  • target_ca_cert: CA cert of target cloud

If both present, these are used to execute the workflow actions. If none are present, then the current legacy operation mode is used, and the preconfigured authentication URL is used in the actions. In any other case the execution creation should fail.

These parameters are stored in the context field of the execution.

The parameters are added as headers to the HTTP API request.

The self authentication of Mistral should be carried out the same way as done currently.

Cron triggers need the admin credentials for the tartget cloud. We do not consider this case in the current proposal.


  • Start mulitple Mistral instances with different settings.

  • This is an inflexible solution for the problem and the setup of the new instances incurs significant administrative overhead.

Data model impact

The change affects the context information of the execution object by including the target auth URL and target token. The context is stored as Json, so this change should not require DB migration.

REST API impact

POST /executions

This method should now accept the new optional target_* parameters according to the specified rules.

Output should not change.

End user impact

The python-mistralclient should accept the following parameters:

  • TARGET_OS_USERNAME: user name on the target cloud

  • TARGET_OS_PASSWORD: password on the target cloud

  • TARGET_OS_TENANT: tenant on the target cloud

  • TARGET_OS_AUTH_URL: keystone URL of the target cloud

  • TARGET_OS_CA_CERT: CA cert of target cloud

The client should authenticate both towards the OS_AUTH_URL and TARGET_OS_AUTH_URL keystones.

Either all or none of these parameters should be set.

Performance Impact


Deployer impact

This change takes effect immediately after deployment.



Primary assignee:

Other contributors:

Work Items

  • Implement the changes in the python-mistralclient

    • Add support for taking new parameters from environment and command line

  • Implement the changes in Mistral

    • Inject auth URI in execution context * Reason: Actions require the target Auth URI * Tasks:

      • Set auth_uri in context either from the TARGET_OS_AUTH_URL header or from CONF.

    • Eliminate admin user for Keystone

      • Reason: Admin credentials should not be required to connect to target cloud.

      • Tasks:

        • Use non-admin Keystone client

        • Use ‘tokens’ API to retrieve service endpoints

    • Use auth URL from context to create service clients

      • Reason: service clients need to connect to target cloud

      • Task:

        • Do as stated above

    • Add new headers to allowed_headers

      • Reason: this feature may be used in the future




  • Execute a Mistral workflow with targeting a different cloud than what is declared in the configuration.

  • Create two simultaneously ran executions of the same mistral workflow targeting different clouds/regions/tenants. Check if both succeed.