[Hawkular-dev] how to identify UI clients and which should get responses

John Mazzitelli mazz at redhat.com
Fri Sep 18 12:41:55 EDT 2015 

By the way, this is related to: https://issues.jboss.org/browse/HAWKULAR-498

----- Original Message -----
> I'm sending this here because I need the input from several people
> (specifically Heiko, Juca, and Peter, but others are free to chime in, too).
> 
> Right now, the UI sends messages over the websocket to the hawkular server to
> make request for things. That UI request is immediately authenticated via
> hawkular-accounts (typically the UI sends the keycloak token that we
> authentiate). At this point, we put the message on the bus so the message
> can be routed to the proper kettle instance so the message can be forwarded
> to the feed over the feed websocket connection. Once the feed processes the
> request, a response may be sent back (asynchronously from the request) - if
> a response is sent back from the feed, it goes to the kettle instance via
> websockets, the kettle puts it on the bus, where the listener processing the
> UI client responses will take the bus message and forward it to the UI over
> the websocket. Phew.
> 
> OK, my question is - how does the UI identify itself? We need some string
> identifier so the response message can be targeted to the proper UI client
> (today, we don't have UI identifiers, so we just send responses to EVERY UI
> client but only those UI clients connected to the kettle that the feed is
> connected to - not good in a clustered environment and not good for security
> purposes - some UIs will be different tenants and shouldn't see these
> messages).
> 
> Here's some use cases to illustrate the problem:
> 
> 1) I'm logged into the UI using two different browser tabs. In one, I send a
> "deploy an application" request. Once the response comes back - do I show
> the response in both tabs? What if I closed the tab that performed the
> deploy? What should happen?
> 
> 2) I am logged in kettle #1 as "jdoe" and someone else is logged in kettle #2
> as the same "jdoe". I deploy an application. Should that other person get
> the response that a new app was deployed, too?
> 
> 3) I am logged into the UI and I deploy an application. I log out (perhaps
> close the browser) and log back in. Then the deployment finishes and the
> response comes in - should I get that response (even though its a new
> browser instance and a new websocket connection?)
> 
> The way I am thinking about this is Google Drive. I could be logged into my
> Google Drive account on any number of browsers or tabs - when I make a
> change to a document in Drive, that change is immediately reflected in every
> browser/tab I have open to Google Drive, not just in the browser that made
> the change. Is this the kind of thing we want? Or do we only want the
> browser that is making the requests get the responses?
> 
> One thing I am thinking is hawkular-accounts gives us some common ID (not the
> token) that we assign a UI client and that ID floats in all requests and
> responses. The bad thing about this is we'll never know the UI client ID
> until they send their first request.
> 
> Another thing I am thinking is have it work just like feeds - a feed connects
> via the URL ws://host/hawkular-command-gateway/feed/<FEED ID>. We could let
> each UI generate their own id and connect via
> ws://host/hawkular-command-gateway/ui/<UI ID>. The good thing here is the UI
> knows its ID immediately (since it generated it) and we know it from the
> start without even getting an initial message (and we can link it with that
> websocket session easily). Bad thing is only that UI will be able to get
> responses - it won't work the "Google Drive way" where a user logged into N
> browsers will get responses in all N browsers.
> 
> Thoughts?
> _______________________________________________
> hawkular-dev mailing list
> hawkular-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/hawkular-dev
>

More information about the hawkular-dev mailing list