[Hawkular-dev] Tenant Id
Lukas Krejci
lkrejci at redhat.com
Tue May 19 17:32:36 EDT 2015
----- Original Message -----
> From: "Heiko W.Rupp" <hrupp at redhat.com>
> To: "Discussions around Hawkular development" <hawkular-dev at lists.jboss.org>
> Sent: Tuesday, 19 May, 2015 4:11:05 PM
> Subject: Re: [Hawkular-dev] Tenant Id
>
> Hi,
>
> as this discussion is going on and the other components need to adapt,
> we need to come to
> an end.
>
> The preferred form is to have the Tenant id in the header as:
>
> Hawkular-Tenant: acme.org
>
Is accounts going to change to this format, too?
As far as I understand it, for us, Persona = Tenant. Accounts currently
gets the persona from the "X-Hawkular-Persona" header.
Also, because orgs and people can be renamed, I think we should not use the
name as the identifier of the tenant, but rather the persona ID
which is a UUID.
> This has been agreed upon by everyone I think and been committed to
> hawkular-metrics yesterday as
> https://issues.jboss.org/browse/HWKMETRICS-86
>
> Now the question is if we need a fallback in the case a client can not
> supply a
> header.
> Following some discussion here and on irc yesterday, a queryParameter
> (?tenantid=acme.org) seems to be preferred over a matrix parameter.
>
> Last but not least is the question if we need that fallback at all.
> My litmus test here is always the usage via curl.
>
> As curl allows to pass headers via -H "Hawkular-tenant: acme.org" I can
> imagine not using a fallback at all.
>
+1
> Hawkular itself needs to check if a tenant is provided and otherwise
> reject the request with a
> 403 error code, providing a "missing Hawkular-Tenant" reason phrase.
> While a 403 has a slightly different meaning, a 401 code is not
> applicable, as for a 401 the
> response must indicate a challenge to be met for successful
> authentication.
>
Hmm, good points... I need to change that in Inv..
> If a tenant header is provided, but does not match a known tenant we
> should probably
> return a 404 not found - I am not sure on this one though. Perhaps a 403
> with different reason
> phrase is even better.
>
I would argue that this is never gonna happen. As far as I recall, our
mantra is Persona = Tenant, which means that whatever tenant we get is an
authenticated user impersonating as the given persona - and for that we should
have a tenant.
In fact, inventory (in HWKINVENT-36) auto-creates such tenants because it
assumes a successful authentication and impersonation is enough of a reason
for the tenant to exist.
> In cases where there is only one default tenant (e.g. metrics running
> standalone), the
> check for the provided tenant can be omitted.
>
> For fallback / non-fallback I've created a doodle:
> http://doodle.com/extrm4zreh25hhx3
> Please respond until 5/20 EOD
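The header check discussed in this thread, written out as an added example that is not part of the original message or of Hawkular's own code: the tenant is read only from the `Hawkular-Tenant` header (no query-parameter fallback), a missing value is refused with 403 and the "missing Hawkular-Tenant" reason phrase, and the tenant can optionally be required to be a UUID as suggested in the reply. The names `resolve_tenant` and `require_uuid`, the "invalid Hawkular-Tenant" reason phrase, and the refusal of conflicting header values are assumptions of this example; the sample requests are constructed.

```python
import uuid

TENANT_HEADER = "hawkular-tenant"  # header names compare case-insensitively


def resolve_tenant(headers, require_uuid=False):
    """Return (status, reason, tenant) for a request's header list.

    headers: list of (name, value) pairs as received on the wire.
    Only the header is consulted; a ?tenantid= query parameter is never
    read, which is the no-fallback option from the thread.
    """
    values = {v.strip() for n, v in headers if n.lower() == TENANT_HEADER}
    values.discard("")  # an empty header value counts as missing
    if not values:
        return 403, "missing Hawkular-Tenant", None
    if len(values) > 1:
        # Assumption: conflicting values are refused rather than picking one.
        return 403, "invalid Hawkular-Tenant", None
    tenant = values.pop()
    if require_uuid:
        try:
            # Canonical lowercase form, so one tenant has exactly one key.
            tenant = str(uuid.UUID(tenant))
        except ValueError:
            # Assumption: a malformed id gets a 403 with its own reason phrase.
            return 403, "invalid Hawkular-Tenant", None
    return 200, "OK", tenant


# Constructed sample requests, not captured traffic.
SAMPLES = [
    [("Hawkular-tenant", "acme.org")],            # curl -H form from the thread
    [("Accept", "application/json")],             # no tenant header at all
    [("Hawkular-Tenant", "acme.org"), ("hawkular-tenant", "evil.example")],
    [("Hawkular-Tenant", "6F9619FF-8B86-D011-B42D-00C04FC964FF")],
]

if __name__ == "__main__":
    for request_headers in SAMPLES:
        for strict in (False, True):
            print(strict, request_headers, resolve_tenant(request_headers, strict))
```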