[Hawkular-dev] Tenant no longer in URL in the upcoming Inventory 0.1.0

Juraci Paixão Kröhling jpkroehling at redhat.com
Tue Jun 16 05:06:57 EDT 2015


On 06/15/2015 04:45 PM, John Sanda wrote:
> Why and to whom would components be providing auth info? My 
> understanding is that we will eventually have the security filter 
> through which all requests are routed. That filter will handle 
> authentication/authorization so that when a request does reach the 
> component endpoint, we can assume authentication/authorization
> have already been taken care of.

As it is right now, Accounts provides an API for permission checking,
so individual components can check if the current "persona" has the
required permissions to perform the operation on the "resource". More
about it can be found in the documentation:

http://www.hawkular.org/docs/dev/accounts.html

There's a JIRA for supporting security-by-annotations, but it's not
something that's on top of my queue right now.

> I think this conflates the two separate concerns. As the user I
> should not have to know or care about the existence of other
> tenants. From my perspective there is my tenant and that’s it.
> There might be other tenants, but that should not be a concern to
> me as it relates to authentication and authorization. For example,
> in a future version suppose we decide to completely replace our
> authentication/authorization model with something else. That should
> not (at least in theory) change multi tenancy.

That's not how we defined it. A user can (and potentially will)
belong to more than one organization, so a user might belong to and
"act as" different organizations, effectively being different "personas".

So, while I have only one registered account, I might be sending
requests as different personas.

> Other than configuring/applying the filter, I do not envision
> metrics, nor any other component for that matter, doing
> authorization. That is the responsibility of accounts.

Quite the opposite. Authentication is done 100% by Accounts;
authorization is done by the individual components, with the tools
provided by Accounts.

- Juca.
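The split described in this message (authentication done centrally, authorization done in each component against the current persona and resource) is sketched below as an added example; it is not part of the original post or of Hawkular. Every class, function, role and operation name in it is hypothetical and does not reflect the real Accounts API.

```python
# Added illustration: hypothetical names, not the Hawkular Accounts API.
from dataclasses import dataclass, field

ROLE_RANK = {"monitor": 0, "maintainer": 1, "super-user": 2}  # constructed roles

@dataclass(frozen=True)
class Resource:
    id: str
    owner: str  # persona (a user or an organization) that owns the resource

@dataclass
class Accounts:
    """Stand-in for the central service: memberships plus a permission check."""
    memberships: dict = field(default_factory=dict)  # (user, org) -> role
    required: dict = field(default_factory=dict)     # operation -> minimum role

    def resolve_persona(self, user, act_as=None):
        """A user acts as itself, or as an organization it is a member of."""
        if act_as is None or act_as == user:
            return user
        if (user, act_as) not in self.memberships:
            raise PermissionError(f"{user} is not a member of {act_as}")
        return act_as

    def is_allowed(self, user, persona, operation, resource):
        if resource.owner != persona:
            return False  # resources of other personas are never reachable
        if persona == user:
            return True   # acting as oneself on one's own resource
        role = self.memberships.get((user, persona))
        need = self.required.get(operation)
        if role is None or need is None:
            return False  # deny by default on unknown role or operation
        return ROLE_RANK[role] >= ROLE_RANK[need]

def delete_metric(accounts, user, act_as, resource):
    """Component endpoint: `user` was already authenticated upstream."""
    persona = accounts.resolve_persona(user, act_as)
    if not accounts.is_allowed(user, persona, "metric-delete", resource):
        return 403
    return 204

def sample_accounts():
    """Constructed data: one account that belongs to two organizations."""
    return Accounts(
        memberships={("jdoe", "acme"): "maintainer", ("jdoe", "globex"): "monitor"},
        required={"metric-delete": "maintainer"},
    )
```

The same authenticated account gets different answers depending on the persona it acts as, which is why the component cannot rely on authentication alone.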

