[Hawkular-dev] how to identify UI clients and which should get responses

[John Mazzitelli]

I'm sending this here because I need the input from several people (specifically Heiko, Juca, and Peter, but others are free to chime in, too).

Right now, the UI sends messages over the websocket to the hawkular server to make request for things. That UI request is immediately authenticated via hawkular-accounts (typically the UI sends the keycloak token that we authentiate). At this point, we put the message on the bus so the message can be routed to the proper kettle instance so the message can be forwarded to the feed over the feed websocket connection. Once the feed processes the request, a response may be sent back (asynchronously from the request) - if a response is sent back from the feed, it goes to the kettle instance via websockets, the kettle puts it on the bus, where the listener processing the UI client responses will take the bus message and forward it to the UI over the websocket. Phew.

OK, my question is - how does the UI identify itself? We need some string identifier so the response message can be targeted to the proper UI client (today, we don't have UI identifiers, so we just send responses to EVERY UI client but only those UI clients connected to the kettle that the feed is connected to - not good in a clustered environment and not good for security purposes - some UIs will be different tenants and shouldn't see these messages).

Here's some use cases to illustrate the problem:

1) I'm logged into the UI using two different browser tabs. In one, I send a "deploy an application" request. Once the response comes back - do I show the response in both tabs? What if I closed the tab that performed the deploy? What should happen?

2) I am logged in kettle #1 as "jdoe" and someone else is logged in kettle #2 as the same "jdoe". I deploy an application. Should that other person get the response that a new app was deployed, too?

3) I am logged into the UI and I deploy an application. I log out (perhaps close the browser) and log back in. Then the deployment finishes and the response comes in - should I get that response (even though its a new browser instance and a new websocket connection?)

The way I am thinking about this is Google Drive. I could be logged into my Google Drive account on any number of browsers or tabs - when I make a change to a document in Drive, that change is immediately reflected in every browser/tab I have open to Google Drive, not just in the browser that made the change. Is this the kind of thing we want? Or do we only want the browser that is making the requests get the responses?

One thing I am thinking is hawkular-accounts gives us some common ID (not the token) that we assign a UI client and that ID floats in all requests and responses. The bad thing about this is we'll never know the UI client ID until they send their first request.

Another thing I am thinking is have it work just like feeds - a feed connects via the URL ws://host/hawkular-command-gateway/feed/<FEED ID>. We could let each UI generate their own id and connect via ws://host/hawkular-command-gateway/ui/<UI ID>. The good thing here is the UI knows its ID immediately (since it generated it) and we know it from the start without even getting an initial message (and we can link it with that websocket session easily). Bad thing is only that UI will be able to get responses - it won't work the "Google Drive way" where a user logged into N browsers will get responses in all N browsers.

Thoughts?