[Hawkular-dev] Tenant Id - Not Part of URL

Lukas Krejci lkrejci at redhat.com
Thu Apr 30 05:17:12 EDT 2015 

>From what I understood from the discussions, we essentially hand over all the 
"multitenancy" decisions to accounts which can emulate the tenant separation 
based on orgs (and at the same time support visibility across tenants for SaaS 
operator type of personas).

As such, inventory basically gave up on supporting multitenancy in and of 
itself and rather leaves multitenancy only as an authorization concept.

I can't comment on metrics' need for having a "tenant" if it is not used for 
addressing individual metrics.

On Thursday, April 30, 2015 02:23:09 Thomas Heute wrote:
> Just a note to say that Account integration needs to happen sooner rather
> than later, this is blocker for the MVP due ... last week
> 
> Also let's make sure this is consistent.
>    - All components need to support the same multitenancy model. We may also
> need to adapt it to various places where Hawkular will be used (with
> OpenShift, "standalone", with FeedHenry...) so would help if we can keep
> each service relatively dumb about the model and keep the logic in Account.
> - URL vs Header, I kinda lean toward header, but more importantly we need
> consistency so component leads need to agree on 1 way.
> 
> Thomas
> 
> 
> ----- Original Message -----
> From: "Stefan Negrea" <snegrea at redhat.com>
> To: "Discussions around Hawkular development" <hawkular-dev at lists.jboss.org>
> Sent: Thursday, April 30, 2015 1:12:04 AM
> Subject: Re: [Hawkular-dev] Tenant Id - Not Part of URL
> 
> 
> 
> ----- Original Message -----
> 
> > From: "Lukas Krejci" <lkrejci at redhat.com>
> > To: "Discussions around Hawkular development"
> > <hawkular-dev at lists.jboss.org> Sent: Tuesday, April 28, 2015 2:58:47 PM
> > Subject: Re: [Hawkular-dev] Tenant Id - Not Part of URL
> > 
> > How do metrics' tenants fit into the hawkular accounts and its persona
> > concept?
> 
> This change will get Hawkular Metrics in a position to answer that hard
> question later; no decision needs to be made before the actual integration.
> Hawkular Metrics will never drop the idea of a tenant internally. It is
> essential to the way metrics are partitioned and uniquely identified.
> However, the mapping between external services and internal tenant ids
> should not leak in the URL of a resource. That kind of leak would be
> limiting the design choices for integration. This is a general answer, not
> just for the Hawkular Accounts integration.
> 
> Now, specifically to your question, I see personas to be mapped directly to
> tenant ids. Hawkular Metrics does not need a very complex authorization
> model. Anybody with the right credentials for a tenant id gets access to
> all the metrics for that tenant id. When the integration with Hawkular
> Accounts happens, Metrics would just need to write code to delegate the
> authentication to Hawkular Accounts, obtain the personas details, and then
> map personas to internal tenant ids. And this is done without affecting
> URLs (completely outside of resource addressing).
> 
> 
> Thank you,
> Stefan
> 
> > ----- Original Message -----
> > 
> > > From: "Stefan Negrea" <snegrea at redhat.com>
> > > To: "Discussions" <hawkular-dev at lists.jboss.org>
> > > Sent: Tuesday, 28 April, 2015 5:44:56 PM
> > > Subject: [Hawkular-dev] Tenant Id - Not Part of URL
> > > 
> > > Hello Everybody,
> > > 
> > > I've been working on a PR for the upcoming Hawkular Metrics release that
> > > will
> > > remove the tenant id from the end-point URLs. The tenant id will be
> > > moved
> > > to
> > > either a header parameter or a query parameter. The query parameter is
> > > in
> > > place for cases (such as curl) where setting a header is not possible,
> > > difficult, or inconvenient.
> > > 
> > > Here is an example of the change:
> > > 
> > > Existing URL:
> > > /{tenantId}/gauge/{metricId}/data
> > > 
> > > New URL:
> > > /gauge/{metricId}/data
> > > 
> > > Tenant id set via:
> > > 1) header - tenantId
> > > 2) query parameter - tenantId
> > > 
> > > 
> > > There are two exceptions to this rule, /tenants and
> > > /db/{tenantid}/series.
> > > The /tenants end-point will be changed into something different in the
> > > upcoming releases since it is mostly a management type API that does not
> > > belong in the same place with the regular metrics endpoint. And
> > > /db/{tenantid}/series end-point is needed in this exact format for
> > > compatibility with Influxdb compatible services.
> > > 
> > > 
> > > Now, to the merits of this change. The tenant id is volatile, can change
> > > any
> > > time, and changes to it should be expected; but the rest of the URL is
> > > fixed. The second issue is that the tenant id is a security concern. So
> > > we
> > > were limited in design choices since a security concern was leaking as
> > > part
> > > of the URL.
> > > 
> > > So removing the tenant id from the URL will give us permanent &
> > > consistent
> > > addresses for resources (metrics and metric data points). And we will
> > > gain
> > > a
> > > lot of flexibility on the security side. In the future, users could
> > > authenticate with a user/pass combo and the backend would transform that
> > > into a tenant id to be used on the request. If the same user later
> > > decides
> > > to use a tenant id to pass along the request, the URL of the resources
> > > would
> > > not change. Another expectation is that tenant id is not sufficient, it
> > > is
> > > typically a combo of id + secret; so we would have resorted to a header
> > > or
> > > query param for the second piece of information (the secret).
> > > 
> > > This change will give us the flexibility to adjust the security model
> > > (the
> > > meaning of tenant ids and ways to validate them) without compromising
> > > the
> > > URL structure. This will help Hawkular Metrics as it gets integrated
> > > into
> > > more and more projects and products.
> > > 
> > > Here are the links to the JIRA and the PR for this change:
> > > https://github.com/hawkular/hawkular-metrics/pull/202
> > > https://issues.jboss.org/browse/HWKMETRICS-68
> > > 
> > > 
> > > 
> > > Thank you,
> > > Stefan Negrea
> > > 
> > > Software Engineer
> > > 
> > > _______________________________________________
> > > hawkular-dev mailing list
> > > hawkular-dev at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/hawkular-dev
> > 
> > _______________________________________________
> > hawkular-dev mailing list
> > hawkular-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/hawkular-dev
> 
> _______________________________________________
> hawkular-dev mailing list
> hawkular-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/hawkular-dev
> _______________________________________________
> hawkular-dev mailing list
> hawkular-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/hawkular-dev

More information about the hawkular-dev mailing list