[Hawkular-dev] Resourcetype again

Lukas Krejci lkrejci at redhat.com
Wed Jun 10 10:35:35 EDT 2015 

On Tuesday, June 09, 2015 17:47:36 Heiko W.Rupp wrote:
> Hey,
> 
> we have said that we do no longer want the very strict resource types
> that
> we had in RHQ. We also identified that we need resource types to define
> capabilities like metric types with their units etc. The newest addition
> now
> are operations and resource config.
> 
> I believe that for a certain kind of resource - e.g. "WildFly 8.2", that
> "we" manage
> we should not have the agent/feed supply the types, but Hawkular should
> do so.
> A user may still decide to extend that to supply its own data, but we
> need to be
> careful when dealing with it.

This can be the first capability that the agents can declare. Even today, 
nothing prevents anyone with enough permissions to create the resource types a 
priori in the inventory. A glue component could listen on the bus and if it 
sees a new tenant created, it can add the to-be-predefined resource and metric 
types.

We already have a crude "proof-of-concept" of this way of doing things with 
our "TemporaryHacks" class that adds the resource types needed for pinger 
automagically. TemporaryHacks is in the REST API overlay and therefore has 
direct access to the classloader and CDI "environment" of the REST API and 
thus can do this using the low level API calls. 

There is a question whether the glue component should be written in the same 
way as TemporaryHacks - using low level API and circumventing any auth or if 
it should be made a true remote component with the implication that it needs 
to authenticate against inventory's REST API.

IMHO, we will need to figure out how auth will work in the distributed 
scenario anyway - either by for example having some "trusted" interface which 
would not be available externally but could be used by the distributed 
hawkular components or maybe by just really requiring every component having 
controlled access. I am for the latter even if it means more work because it 
will provide the users with the ability to lock down the perms of individual 
components which is good to minimize the impact in case of security breach in 
one of the distributed components.

> 
> For security relevant things we can not let the client/feed just provide
> resource
> type data, as otherwise it is too easy to work around checks.
> 

This could be another agent capability - to support SSO - the auth token would 
flow all the way down from the browser to the agent which would execute the 
operation as the user on the managed resource. Not sure how feasible this is 
but it sounds nice ;)

> For WildFly there are a bunch of RBAC roles [1,2] that need to map to
> what
> we (will) have in Hawkular, which we may define as just what WildFly
> has.

I think we do that - roles in accounts are the same as roles in Wildfly.

> In fact that will be beneficial, as users will already know how WildFly
> RBAC works
> and can apply it to Hawkular. Plus if the user already has its org
> members in
> a central KeyCloak with role mappings, we can hook up to that instance
> and get the mappings "for free".
> 
> Now for operations on WildFly (not only the classic RHQ-operations, but
> also modifying
> resource config), RBAC in WildFly is "hiding" whole sub-trees, but also
> (iiuc) individual attributes
> if you do not have the right role:
> 
> role=SuperUser:
> 
> [standalone at localhost:9990 /] cd /core-service=management/access
> [standalone at localhost:9990 access] ls
> audit          authorization
> 
> role=Monitor:
> 
> [standalone at localhost:9990 /] cd /core-service=management/access
> [standalone at localhost:9990 access] ls
> audit
> 
> With enough privileges it is possible to see the access definitions
> under /core-service=management/access=authorization/constraint=*
> 
> While it is possible for WildFly to obtain the security levels
> (automatically)
> from the WildFly Metadata, we still need to find a good way to add this
> information
> into our resource types, as the UI may need to react to them and not
> show a
> restart button for user that only has the Monitoring role. 

If these constraints are configurable then I think resource type is not the 
right place to have them. IMHO they would better fit into the resources 
themselves.

> In theory we
> could
> just issue the operation with the user perms and see it fail on WildFly
> side, but that
> is certainly not user-friendly and thus not desired.
> 
> For other kinds of resource like Tomcat we probably need to encode the
> roles
> to the best of our knowledge.
> 
>    Heiko
> 
> 
> [1] http://blog.arungupta.me/role-based-access-control-wildfly-8/
> [2] http://www.dzone.com/articles/configuring-rbac-jboss-eap-and
> 
> _______________________________________________
> hawkular-dev mailing list
> hawkular-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/hawkular-dev

More information about the hawkular-dev mailing list