[Hawkular-dev] Tenant Id

Lukas Krejci lkrejci at redhat.com
Tue May 19 17:32:36 EDT 2015



----- Original Message -----
> From: "Heiko W.Rupp" <hrupp at redhat.com>
> To: "Discussions around Hawkular development" <hawkular-dev at lists.jboss.org>
> Sent: Tuesday, 19 May, 2015 4:11:05 PM
> Subject: Re: [Hawkular-dev] Tenant Id
> 
> Hi,
> 
> as this discussion is going on and the other components need to adapt,
> we need to come to
> an end.
> 
> The preferred form is to have the Tenant id in the header as:
> 
> Hawkular-Tenant: acme.org
> 

Is accounts going to change to this format, too?

As far as I understand it, for us, Persona = Tenant. Accounts currently
gets the persona from the "X-Hawkular-Persona" header.

Also, because orgs and people can be renamed, I think we should not use the
name as the identifier of the tenant, but rather the persona ID
which is a UUID.

> This has been agreed upon by everyone I think and been committed to
> hawkular-metrics yesterday as
> https://issues.jboss.org/browse/HWKMETRICS-86
> 
> Now the question is if we need a fallback in the case a client cannot
> supply a
> header.
> Following some discussion here and on IRC yesterday, a queryParameter
> (?tenantid=acme.org) seems to be preferred over a matrix parameter.
> 
> Last but not least is the question if we need that fallback at all.
> My litmus test here is always the usage via curl.
> 
> As curl allows passing headers via -H "Hawkular-tenant: acme.org" I can
> imagine not using a fallback at all.
>

+1
 
> Hawkular itself needs to check if a tenant is provided and otherwise
> reject the request with a
> 403 error code, providing a "missing Hawkular-Tenant" reason phrase.
> While a 403 has a slightly different meaning, a 401 code is not
> applicable, as for a 401 the
> response must indicate a challenge to be met for successful
> authentication.
> 

Hmm, good points... I need to change that in Inv..

> If a tenant header is provided, but does not match a known tenant we
> should probably
> return a 404 not found - I am not sure on this one though. Perhaps a 403
> with different reason
> phrase is even better.
> 

I would argue that this is never gonna happen. As far as I recall, our
mantra is Persona = Tenant, which means that whatever tenant we get is an
authenticated user impersonating the given persona - and for that we should
have a tenant.

In fact, inventory (in HWKINVENT-36) auto-creates such tenants because it
assumes a successful authentication and impersonation is enough of a reason
for the tenant to exist.

> In cases where there is only one default tenant (e.g. metrics running
> standalone), the
> check for the provided tenant can be omitted.
> 
> For fallback / non-fallback I've created a doodle:
> http://doodle.com/extrm4zreh25hhx3
> Please respond by 5/20 EOD
> 
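
Added example, not part of the original message and not Hawkular code: a framework-independent sketch of the tenant check discussed in this thread (header preferred, optional ?tenantid= fallback, 403 with a "missing Hawkular-Tenant" reason phrase, check omitted in single-tenant standalone mode). The function name, the 400 response for conflicting values and treating a blank value as missing are assumptions; the unknown-tenant case is left out because the thread leaves it undecided.

```python
from urllib.parse import parse_qs

HEADER = "hawkular-tenant"   # header name from the thread, lower-cased for comparison
QUERY_PARAM = "tenantid"     # fallback query parameter floated in the thread


def resolve_tenant(headers, query_string="", allow_query_fallback=False,
                   default_tenant=None):
    """Return (status, reason_phrase, tenant) for one request.

    headers is a list of (name, value) pairs so repeated headers stay visible.
    """
    # Standalone mode with a single default tenant: the check is omitted.
    if default_tenant is not None:
        return 200, "OK", default_tenant

    # Header names are case-insensitive, so "Hawkular-tenant" must match too.
    candidates = {v.strip() for k, v in headers if k.lower() == HEADER}
    if allow_query_fallback:
        values = parse_qs(query_string).get(QUERY_PARAM, [])
        candidates |= {v.strip() for v in values}
    candidates.discard("")  # a blank value counts as no tenant at all

    if not candidates:
        return 403, "missing Hawkular-Tenant", None
    if len(candidates) > 1:
        # Assumption: refuse rather than pick one when the sources disagree.
        return 400, "ambiguous Hawkular-Tenant", None
    return 200, "OK", candidates.pop()


if __name__ == "__main__":
    # Constructed sample requests: (headers, query string, fallback enabled)
    samples = [
        ([("Hawkular-tenant", "acme.org")], "", False),
        ([], "tenantid=acme.org", False),
        ([], "tenantid=acme.org", True),
        ([("Hawkular-Tenant", "acme.org")], "tenantid=other.org", True),
    ]
    for hdrs, qs, fallback in samples:
        print(hdrs, qs, fallback, "->", resolve_tenant(hdrs, qs, fallback))
```
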

