[Hawkular-dev] Tenancy model (was Re: Do not depend on Keycloak anymore)

Juraci Paixão Kröhling jpkroehling at redhat.com
Mon Apr 18 11:14:23 EDT 2016


On 18.04.2016 16:57, Juraci Paixão Kröhling wrote:
> On 15.04.2016 15:14, Juraci Paixão Kröhling wrote:
>> On 15.04.2016 14:43, Heiko W.Rupp wrote:
>>> Yes, that *may* require a change. Or not if we e.g. have
>>> - accounts-keycloak
>>> - accounts-jaas
>>> where the latter does the mapping as a jaas provider/plugin.
>
> I'm still not convinced why we would need two modules. If we assume that
> Hawkular is similar to a database, in the sense that end users have no
> access to it, then there would be no need for any advanced feature from
> Keycloak. Plain JAAS would suffice.
>

Sent without finishing :)

Another aspect that comes with the removal of the dependency on Keycloak 
is surrounding tenancy. We don't have the same requirements as before, 
and in the case described above where Hawkular could be seen as a 
"database", the tenancy would/should be managed on the user-facing 
application.

This means that we'd have a breaking change for components like 
Inventory and Metrics, where the tenant is currently the same as the 
persona, which in turn is derived from the logged-in user (or 
organization selected on the account switcher). Not having a tenancy 
model anymore means that all users are of the same tenant, so, 
components that care about tenancy should be changed.

Note that there are two ways of interpreting "tenancy" here: the first 
is about how data is stored, and the second is how data is accessed. 
Previously, a tenant would write and read only its own data. Now, tenant 
is just another piece of the data, so, components would not actively 
check if the data belongs to the current user. We trust that the 
user-facing application is performing these checks.

- Juca.
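
The trust boundary described in this message, as an added example that is not part of the original post and not Hawkular code: `BackendStore`, `UserFacingApp` and the sample users and tenants are hypothetical. It shows the backend treating the tenant as plain data while the user-facing application performs the ownership check, and that a caller reaching the backend directly gets no such check.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Raised by the user-facing application when a tenant check fails."""

@dataclass
class BackendStore:
    """Hypothetical backend component: tenant is just another field of the data."""
    rows: list = field(default_factory=list)

    def write(self, tenant, metric, value):
        # No ownership check here, mirroring the "database" model.
        self.rows.append({"tenant": tenant, "metric": metric, "value": value})

    def read(self, tenant):
        return [r for r in self.rows if r["tenant"] == tenant]

@dataclass
class UserFacingApp:
    """Hypothetical front end: the only place where tenancy is enforced."""
    backend: BackendStore
    memberships: dict  # authenticated user -> set of tenants (constructed sample)

    def _authorize(self, user, tenant):
        # Membership comes from the app's own records for the authenticated
        # user, never from a value the client sent along with the request.
        if tenant not in self.memberships.get(user, set()):
            raise Forbidden(f"{user} may not act for tenant {tenant}")

    def write_metric(self, user, tenant, metric, value):
        self._authorize(user, tenant)
        self.backend.write(tenant, metric, value)

    def read_metrics(self, user, tenant):
        self._authorize(user, tenant)
        return self.backend.read(tenant)

def demo():
    backend = BackendStore()
    app = UserFacingApp(backend, {"alice": {"acme"}, "bob": {"globex"}})
    app.write_metric("alice", "acme", "cpu", 0.7)
    try:
        app.read_metrics("bob", "acme")
        blocked = False
    except Forbidden:
        blocked = True
    # A caller with direct backend access is not subject to any tenant check.
    return blocked, backend.read("acme")
```

The second value returned by `demo()` is why a backend in this model has to be reachable only from the user-facing application.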

