[Hawkular-dev] Tenant Id - Not Part of URL

John Sanda jsanda at redhat.com
Wed Apr 29 12:28:50 EDT 2015


Will the REST APIs for other Hawkular services take a similar approach? This seems like an area where we want to be consistent across APIs.

> On Apr 28, 2015, at 3:58 PM, Lukas Krejci <lkrejci at redhat.com> wrote:
> 
> How do metrics' tenants fit into the hawkular accounts and its persona concept?
> 
> ----- Original Message -----
>> From: "Stefan Negrea" <snegrea at redhat.com>
>> To: "Discussions" <hawkular-dev at lists.jboss.org>
>> Sent: Tuesday, 28 April, 2015 5:44:56 PM
>> Subject: [Hawkular-dev] Tenant Id - Not Part of URL
>> 
>> Hello Everybody,
>> 
>> I've been working on a PR for the upcoming Hawkular Metrics release that will
>> remove the tenant id from the end-point URLs. The tenant id will be moved to
>> either a header parameter or a query parameter. The query parameter is in
>> place for cases (such as curl) where setting a header is not possible,
>> difficult, or inconvenient.
>> 
>> Here is an example of the change:
>> 
>> Existing URL:
>> /{tenantId}/gauge/{metricId}/data
>> 
>> New URL:
>> /gauge/{metricId}/data
>> 
>> Tenant id set via:
>> 1) header - tenantId
>> 2) query parameter - tenantId
>> 
>> 
>> There are two exceptions to this rule, /tenants and /db/{tenantid}/series.
>> The /tenants end-point will be changed into something different in the
>> upcoming releases since it is mostly a management type API that does not
>> belong in the same place with the regular metrics endpoint. And
>> /db/{tenantid}/series end-point is needed in this exact format for
>> compatibility with InfluxDB-compatible services.
>> 
>> 
>> Now, to the merits of this change. The tenant id is volatile, can change any
>> time, and changes to it should be expected; but the rest of the URL is
>> fixed. The second issue is that the tenant id is a security concern. So we
>> were limited in design choices since a security concern was leaking as part
>> of the URL.
>> 
>> So removing the tenant id from the URL will give us permanent & consistent
>> addresses for resources (metrics and metric data points). And we will gain a
>> lot of flexibility on the security side. In the future, users could
>> authenticate with a user/pass combo and the backend would transform that
>> into a tenant id to be used on the request. If the same user later decides
>> to use a tenant id to pass along the request, the URL of the resources would
>> not change. Another expectation is that tenant id is not sufficient, it is
>> typically a combo of id + secret; so we would have resorted to a header or
>> query param for the second piece of information (the secret).
>> 
>> This change will give us the flexibility to adjust the security model (the
>> meaning of tenant ids and ways to validate them) without compromising the
>> URL structure. This will help Hawkular Metrics as it gets integrated into
>> more and more projects and products.
>> 
>> Here are the links to the JIRA and the PR for this change:
>> https://github.com/hawkular/hawkular-metrics/pull/202
>> https://issues.jboss.org/browse/HWKMETRICS-68
>> 
>> 
>> 
>> Thank you,
>> Stefan Negrea
>> 
>> Software Engineer
>> 
>> _______________________________________________
>> hawkular-dev mailing list
>> hawkular-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/hawkular-dev
>> 
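
The header-or-query lookup from the quoted proposal, as an added example that is not part of the thread or of Hawkular's code. The `tenantId` name comes from the proposal; the conflict policy, the function names and the sample URLs are assumptions. Because the query-parameter form still puts the tenant id in the URL, the sketch also masks it before logging.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

TENANT_KEY = "tenantId"  # header and query parameter name given in the thread


class TenantError(ValueError):
    """Raised when the request carries no usable tenant id."""


def resolve_tenant(url, headers):
    """Return the tenant id for a request to the new-style URLs.

    Assumed policy (not stated in the thread): exactly one distinct,
    non-empty value must be supplied; header and query must agree.
    `headers` is a list of (name, value) pairs so duplicates are visible.
    """
    # HTTP header names are case-insensitive, query parameter names are not.
    from_header = [v.strip() for k, v in headers if k.lower() == TENANT_KEY.lower()]
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    from_query = [v.strip() for k, v in query if k == TENANT_KEY]

    candidates = set(from_header) | set(from_query)
    if not candidates or "" in candidates:
        raise TenantError("missing or empty tenant id")
    if len(candidates) > 1:
        # Ambiguity could let one layer authorize tenant A while another reads B.
        raise TenantError("conflicting tenant ids in request")
    return candidates.pop()


def redact_for_log(url):
    """Mask the tenantId query value before the URL is written to a log."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == TENANT_KEY else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    # Constructed sample requests, not taken from Hawkular.
    url = "/gauge/cpu.load/data?tenantId=acme&buckets=10"
    print(resolve_tenant(url, []))
    print(resolve_tenant("/gauge/cpu.load/data", [("TenantId", "acme")]))
    print(redact_for_log(url))
```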



