[Hawkular-dev] Tenancy model (was Re: Do not depend on Keycloak anymore)
Juraci Paixão Kröhling
jpkroehling at redhat.com
Mon Apr 18 13:27:35 EDT 2016
On 18.04.2016 18:43, Thomas Segismont wrote:
> If we don't check that the authenticated user can only access the data
> he is entitled to read, it's not good. It's protecting your web
> application with client side checks only.
Here's the scenario as I understand it:
jdoe -> Client 1 -> admin1 -> hawkular
jsmith -> Client 1 -> admin1 -> hawkular
jsmith -> Client 2 -> admin2 -> hawkular
In this scheme, a user "jdoe" logs into "Client 1". This application
uses "admin1" to talk to our Hawkular backend. Our backends have no idea
about tenants, as that will be managed in "client" applications (i.e. MiQ).
I think we could/should have a way to isolate data from
"admin1"/"admin2", but those users are not "tenants" in the same sense
as we have today, are they?
As I understand it, "jdoe" and "jsmith" might belong to the same tenant,
but this information is something that is stored inside MiQ, so, not
handled by our backend. Our provider (Ruby gem), however, will have
access to this information.
- Juca.
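The scheme above, as an added example that is not part of the original mail or of the Hawkular code base: a toy backend that isolates data only by the service principal that authenticated (admin1/admin2), and a MiQ-like client that holds the user-to-tenant mapping and has to enforce it itself. The principals, secrets, users and tenant names are constructed. The `read_as_without_check` path shows the situation Thomas describes, where the client skips its check and the backend cannot make up for it, and the two-client run shows that isolation per principal is not the same thing as a tenant.

```python
"""Toy model of the jdoe/jsmith -> Client -> admin -> hawkular flow (constructed)."""
from typing import Dict, List


class Backend:
    """Hawkular-like store. It sees only the service principal that
    authenticated the request and scopes data by that principal."""

    def __init__(self, credentials: Dict[str, str]):
        self._credentials = credentials          # principal -> secret (constructed)
        self._store: Dict[str, List[dict]] = {}  # principal -> rows

    def _authenticate(self, principal: str, secret: str) -> str:
        if self._credentials.get(principal) != secret:
            raise PermissionError("backend: bad service credentials")
        return principal

    def write(self, principal: str, secret: str, row: dict) -> None:
        scope = self._authenticate(principal, secret)
        self._store.setdefault(scope, []).append(row)

    def read(self, principal: str, secret: str) -> List[dict]:
        scope = self._authenticate(principal, secret)
        # The backend can only hand back everything this principal wrote;
        # it has no notion of which end user is asking.
        return list(self._store.get(scope, []))


class ClientApp:
    """MiQ-like application: knows end users and their tenant, talks to the
    backend with a single service principal, and must filter per user."""

    def __init__(self, backend: Backend, principal: str, secret: str,
                 user_tenant: Dict[str, str]):
        self.backend, self.principal, self.secret = backend, principal, secret
        self.user_tenant = user_tenant  # user -> tenant, lives in the client (MiQ)

    def write_as(self, user: str, name: str, value: int) -> None:
        tenant = self.user_tenant[user]  # KeyError for an unknown user
        self.backend.write(self.principal, self.secret,
                           {"tenant": tenant, "name": name, "value": value})

    def read_as(self, user: str) -> List[dict]:
        """Correct path: the client enforces the user's tenant."""
        tenant = self.user_tenant[user]
        rows = self.backend.read(self.principal, self.secret)
        return [r for r in rows if r["tenant"] == tenant]

    def read_as_without_check(self, user: str) -> List[dict]:
        """Failure mode: the client forgets its check, the backend cannot help."""
        self.user_tenant[user]  # user still has to exist
        return self.backend.read(self.principal, self.secret)


def demo() -> Dict[str, List[dict]]:
    backend = Backend({"admin1": "secret-1", "admin2": "secret-2"})
    # jdoe and jsmith both use Client 1; jsmith also uses Client 2.
    client1 = ClientApp(backend, "admin1", "secret-1",
                        {"jdoe": "acme", "jsmith": "globex"})
    client2 = ClientApp(backend, "admin2", "secret-2", {"jsmith": "globex"})

    client1.write_as("jdoe", "cpu", 1)
    client1.write_as("jsmith", "cpu", 2)
    client2.write_as("jsmith", "mem", 3)

    return {
        "jdoe@client1": client1.read_as("jdoe"),
        "jsmith@client1": client1.read_as("jsmith"),
        # Same tenant as jsmith@client1, but a different principal: the backend
        # keeps the two apart, so per-principal isolation != tenant.
        "jsmith@client2": client2.read_as("jsmith"),
        # Client-side check skipped: jsmith sees jdoe's acme rows too.
        "jsmith@client1-unchecked": client1.read_as_without_check("jsmith"),
    }


if __name__ == "__main__":
    for who, rows in demo().items():
        print(who, rows)
```

The `read_as_without_check` result is the point of the thread: once the backend authenticates only admin1, everything admin1 wrote is one pool, so any per-user separation has to happen in the client, or the backend needs a tenant notion of its own.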