[Hawkular-dev] Authorization flow
Lucas Ponce
lponce at redhat.com
Mon Feb 9 10:13:40 EST 2015
Hi,
I have read the threads about the tenantId/integration with Keycloak, but I am still having some doubts about the ideal flow.
Please, let me know if my flow is correct:
- We will have users associated with tenants, so a tuple (tenantId, userId) should be unique, i.e. (tenantA, userA), (tenantB, userA).
- A tuple (tenantId, userId) will have an associated list of roles (with a hierarchy, like an organization?).
- Metrics/Definitions/Resources should be unique by tenant, so our backend should have something like (tenantId, {metricId|resourceId|definitionId}).
- In the APIs, tenantId will be explicit or implicit.
- Keycloak would be responsible for passing a (tenantId, userId) + roles list to the component/application.
So, my main doubt is about how we are thinking of handling authorization; I guess that the component backend should define some authorization rules based on roles and permissions, right?
I guess that this part should be more or less shared for all components.
Is there any draft about it ?
Perhaps this question is very early and it can be put on hold for later, but I am just curious about it, as I would like to think about possible impacts.
Thanks,
Lucas
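The flow sketched in the message above, as an added illustration that is not part of the original post or of Hawkular's code: a principal is built from (tenantId, userId, roles), roles inherit through an assumed hierarchy, and every check first compares the principal's tenant with the resource's tenant, so the same userId in another tenant gains nothing. The role names, permission table and claim shape are constructed for the example.

```python
from dataclasses import dataclass

# Assumed role hierarchy: a role inherits the permissions of the roles under it.
ROLE_PARENTS = {"tenant-admin": {"operator"}, "operator": {"viewer"}, "viewer": set()}

# Permissions granted directly to each role as (action, resource type) pairs.
ROLE_PERMISSIONS = {
    "viewer": {("read", "metric"), ("read", "resource"), ("read", "definition")},
    "operator": {("write", "metric"), ("write", "resource")},
    "tenant-admin": {("delete", "metric"), ("delete", "resource"), ("write", "definition")},
}


@dataclass(frozen=True)
class Principal:
    tenant_id: str   # tenantId from the token
    user_id: str     # userId from the token; unique only together with tenant_id
    roles: frozenset


def expand_roles(roles):
    """Return the given roles plus every role they inherit, transitively."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(ROLE_PARENTS.get(role, ()))
    return seen


def permissions_for(principal):
    perms = set()
    for role in expand_roles(principal.roles):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(principal, action, resource_tenant, resource_type):
    """Tenant boundary is checked before any role: no role crosses tenants."""
    if principal.tenant_id != resource_tenant:
        return False
    return (action, resource_type) in permissions_for(principal)


def principal_from_claims(claims):
    """Build a Principal from decoded token claims (constructed shape, not Keycloak's)."""
    return Principal(claims["tenantId"], claims["userId"], frozenset(claims.get("roles", [])))


# Constructed sample claims: the same userId in two different tenants.
CLAIMS_A = {"tenantId": "tenantA", "userId": "userA", "roles": ["operator"]}
CLAIMS_B = {"tenantId": "tenantB", "userId": "userA", "roles": ["tenant-admin"]}
```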