[Hawkular-dev] define: tenant

Juraci Paixão Kröhling jpkroehling at redhat.com
Fri Feb 6 07:19:51 EST 2015 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/06/2015 12:54 PM, Heiko W.Rupp wrote:
> I think that makes sense and follows the idea of acme.org and
> foo.acme.org, bar.acme.org

Yes. We'll need to take a closer look once it gets ready, to see if
the rules I made up make sense. For instance, are users of
bar.acme.org supposed to access acme.org? Or just users which are
directly assigned to acme.org? This question can be answered later.

>> if this will work, though. I'm starting to work on this right now
>> on a new module (hawkular-accounts).
> 
> Once you have a little bit of it : can you make it publicly
> available? Perhaps including some drawings :)

Sure, I'm almost done with the basics of the backend and should start
with the UI (with hawt.io) this afternoon. Let's see if I have
something to show next week during a water cooler.

>> If an user makes a REST call to retrieve all metrics that he has 
>> access to, I'd expect that he'd receive both metrics for his pet 
>> projects and metrics for organizations he's part of.
> 
> Now suppose that user creates a dashboard with (graphs of) org
> resources and pet resources and shares (=clones + distributes) that
> to another user. I guess the dashboard would then show those pet
> resources in a bad state (no data, or worse).  Or how could we deal
> with that?

Not sure I follow. You mean the case where I share a graph of a
resource of mine with you? I suppose that this graph would have a
unique URL (/graph/{graphId}), and I could create an organization to
share this graph. Would that work? Another solution could be to tell
the user "this unique URL is unsecured, anyone you share this with
will have access, no matter what".

>> The backend *needs* to check if the current user has access to
>> the resource. Other than that, I'd say it's up to the individual 
>> components (alerts, metrics, inventory, ...) what/how they want
>> to expose data to the consumers. For instance, metrics might want
>> to have
> 
> Well, we should try to be consistent?

Absolutely. But in the end, it's a decision of the component itself.
If there's a situation where breaking consistency makes sense, it's
still possible from the auth/authz perspective.

>> the following REST endpoints:
>> 
>> /{owner}/metrics --> all metrics owned by "owner" (organization
>> or user)
>> 
>> /metrics --> all metrics to which the current user has access to
>> 
> The difference between the above is that the first is "org XOR
> user" resources not "union-or"? While the 2nd one is (org || user)
> - right?

Yes, I'd expect metrics to return only the metrics for a specific
owner on the first case, and all metrics in the second case.

- - Juca.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJU1LFnAAoJECKM1e+fkPrXrRMH/3bDZH5vUgMcyC8Yw0ULk57I
O2jimv5GrH/xMEpWke1f4GbSrEnqYeNIfH9etO8bTgWNMerjKiwE/jvcOB0rMvq2
TKQm3JOKAokjPowQVaH8o2oHZeddIWoS6P2P6t6W16SztJh+Yp6wl2pe0jMugpvD
JAiSzZ+mhPsm82ICLaB+430cTi3WXwtW/UQhCVx1IHzddEgZG0NTWCFdMP38QafN
tXnLqkvYct2uF9egDjXpijt64S43ayT3dPKapim6FJsBI4uzLtbrULiRm2XL6agN
Ysj9KZ4f/z0ZFEIGV2rLVXbh5tt8fpZBYmWBd1ftr9ZZX80blBnAerG6d5RA0ts=
=wuu9
-----END PGP SIGNATURE-----

More information about the hawkular-dev mailing list