[Hawkular-dev] Tenant Id - Not Part of URL

Stefan Negrea snegrea at redhat.com
Tue May 12 09:05:30 EDT 2015 

Good proposal, just make sure it is carried over to the query parameter alternative too.


----- Original Message -----
> From: "Thomas Segismont" <tsegismo at redhat.com>
> To: hawkular-dev at lists.jboss.org
> Sent: Tuesday, May 12, 2015 7:36:56 AM
> Subject: Re: [Hawkular-dev] Tenant Id - Not Part of URL
> 
> From IETF:
> ===
> 3.  Recommendations for Creators of New Parameters
> 
>     Creators of new parameters to be used in the context of application
>     protocols:
> 
>     1.  SHOULD assume that all parameters they create might become
>         standardized, public, commonly deployed, or usable across
>         multiple implementations.
> 
>     2.  SHOULD employ meaningful parameter names that they have reason to
>         believe are currently unused.
> 
>     3.  SHOULD NOT prefix their parameter names with "X-" or similar
>         constructs.
> 
>     Note: If the relevant parameter name space has conventions about
>     associating parameter names with those who create them, a parameter
>     name could incorporate the organization's name or primary domain name
>     (see Appendix B for examples).
> ===
> http://tools.ietf.org/html/rfc6648#section-3
> 
> So the header should be something like "Hawkular-Tenant". And shared
> across the individual components.
> 
> I'll file a Metrics JIRA unless someone has a strong objection or better
> name.
> 
> Le 28/04/2015 17:44, Stefan Negrea a écrit :
> > Hello Everybody,
> >
> > I've been working on a PR for the upcoming Hawkular Metrics release that
> > will remove the tenant id from the end-point URLs. The tenant id will be
> > moved to either a header parameter or a query parameter. The query
> > parameter is in place for cases (such as curl) where setting a header is
> > not possible, difficult, or inconvenient.
> >
> > Here is an example of the change:
> >
> > Existing URL:
> > /{tenantId}/gauge/{metricId}/data
> >
> > New URL:
> > /gauge/{metricId}/data
> >
> > Tenant id set via:
> > 1) header - tenantId
> > 2) query parameter - tenantId
> >
> >
> > There are two exceptions to this rule, /tenants and /db/{tenantid}/series.
> > The /tenants end-point will be changed into something different in the
> > upcoming releases since it is mostly a management type API that does not
> > belong in the same place with the regular metrics endpoint. And
> > /db/{tenantid}/series end-point is needed in this exact format for
> > compatibility with Influxdb compatible services.
> >
> >
> > Now, to the merits of this change. The tenant id is volatile, can change
> > any time, and changes to it should be expected; but the rest of the URL is
> > fixed. The second issue is that the tenant id is a security concern. So we
> > were limited in design choices since a security concern was leaking as
> > part of the URL.
> >
> > So removing the tenant id from the URL will give us permanent & consistent
> > addresses for resources (metrics and metric data points). And we will gain
> > a lot of flexibility on the security side. In the future, users could
> > authenticate with a user/pass combo and the backend would transform that
> > into a tenant id to be used on the request. If the same user later decides
> > to use a tenant id to pass along the request, the URL of the resources
> > would not change. Another expectation is that tenant id is not sufficient,
> > it is typically a combo of id + secret; so we would have resorted to a
> > header or query param for the second piece of information (the secret).
> >
> > This change will give us the flexibility to adjust the security model (the
> > meaning of tenant ids and ways to validate them) without compromising the
> > URL structure. This will help Hawkular Metrics as it gets integrated into
> > more and more projects and products.
> >
> > Here are the links to the JIRA and the PR for this change:
> > https://github.com/hawkular/hawkular-metrics/pull/202
> > https://issues.jboss.org/browse/HWKMETRICS-68
> >
> >
> >
> > Thank you,
> > Stefan Negrea
> >
> > Software Engineer
> >
> > _______________________________________________
> > hawkular-dev mailing list
> > hawkular-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/hawkular-dev
> >
> 
> _______________________________________________
> hawkular-dev mailing list
> hawkular-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/hawkular-dev
>

More information about the hawkular-dev mailing list