[Hawkular-dev] Tenant no longer in URL in the upcoming Inventory 0.1.0

Lukas Krejci lkrejci at redhat.com
Fri Jun 12 10:02:52 EDT 2015 

On Thursday, June 11, 2015 13:18:43 Stefan Negrea wrote:
> Hello,
> 
> I hope we standardize on Hawkular-Tenant at service level. The concept of
> the persona is narrow and accounts specific. While we are mapping now
> personas to tenants that could change in the future.
> 
> Also, the concepts of tenant and multi-tenancy are easier to document and
> understand by external consumers. If/when the individual services are
> decoupled and consumed by other projects or independently, there is no
> extra documentation needed to explain the multi-tenant capability.
> 
> 

I actually hope for quite the opposite ;) I hope we standardize on Hawkular 
Accounts providing auth and (help with) authz and the rest of the components 
using that info. Alerts and Inventory already do that. I hope Metrics will 
join soon.

You are right that "Hawkular-Persona" is a header that "suggests" 
authentication rather than multi-tenancy, but that's exactly how it is used in 
inventory and alerts - we use accounts primarily for authentication.

The fact that tenant = persona is not really that important and in fact if we 
decide in the future that tenant != persona, we might introduce another 
header, Hawkular-Tenant most probably, that will override the behavior we 
currently support by equating the auth and multi-tenancy (which btw. makes a 
lot of sense, at least for now).

Metrics currently does not offer any form of authentication as far as I am 
aware, so an important part of the multi-tenancy picture is missing from it.

IMHO the situation in inventory and alerts is much better now in that regard - 
we delegate the tenant creation/updates, permission grants, etc. to accounts, 
let it figure out what the user performing a request is in any way it chooses 
(basic auth, oauth, optionally override default persona with the Hawkular-
Persona header, if deemed necessary) and use that to perform security checks.

As a user of the current Hawkular I would find it weird to have to specify my 
creds/token, potentially a persona overriding header AND a tenant header if, 
as it is right now, the tenant id and the persona id would always be the same.

I know that metrics are special and have to function outside of Hawkular, too, 
but when inside Hawkular, IMHO, they should blend in and not require special 
treatment - most of all when applying security.

If you figure out a way of blending in Hawkular AND functioning on your own 
nicely, it'd be nice if the rest of us could reuse that solution. But at least 
for inventory, there is not direct requirement to run outside of Hawkular.

> Thank you,
> Stefan
> 
> ----- Original Message -----
> 
> > From: "John Mazzitelli" <mazz at redhat.com>
> > To: "Discussions around Hawkular development"
> > <hawkular-dev at lists.jboss.org> Sent: Thursday, June 11, 2015 9:26:59 AM
> > Subject: Re: [Hawkular-dev] Tenant no longer in URL in the upcoming
> > Inventory	0.1.0
> > 
> > I thought it was Hawkular-Tenant, not Hawkular-Persona.
> > 
> > I used Hawkular-Tenant header name in my changes to support metrics 0.3.5
> > 
> > The name "Hawkular-Persona" is a new one to me.
> > 
> > ----- Original Message -----
> > 
> > > Hi all,
> > > 
> > > I just wanted to let you know about the breaking change in the upcoming
> > > Inventory 0.1.0.
> > > 
> > > Following the suite of metrics, inventory will no longer support the
> > > tenantID
> > > in the URL and will solely rely on Hawkular accounts to hand it the
> > > tenantID
> > > to use - i.e. it will be the tenant of the currently logged in user or
> > > of
> > > the
> > > persona passed in using the "Hawkular-Persona" header.
> > > 
> > > Cheers,
> > > 
> > > Lukas
> > > 
> > > _______________________________________________
> > > hawkular-dev mailing list
> > > hawkular-dev at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/hawkular-dev
> > 
> > _______________________________________________
> > hawkular-dev mailing list
> > hawkular-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/hawkular-dev
> 
> _______________________________________________
> hawkular-dev mailing list
> hawkular-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/hawkular-dev

More information about the hawkular-dev mailing list