[Hawkular-dev] HAWKULAR-549 Metrics protected by Accounts: next steps

[Thomas Segismont]

Hi everyone,

I have been working on integrating the next version of the Metrics 
component into Hawkular. It's not a trivial version change.

First, a bit of context. Metrics produces different artifacts, each one 
having its own tenant selection, authentication and authorization logic.

# Standalone Metrics

-> Hawkular-Tenant header sets the tenant
-> No authentication, no authorization

# Openshift integration

-> Hawkular-Tenant header sets the tenant
-> Basic Auth (based on htpassword file) or Openshift OAuth
-> Basic auth: no authorization (if you're authenticated, you can query 
any tenant)
-> Openshift OAuth: tenant is verified

# Hawkular integration

-> Authentication and authorization based on Accounts
-> Credentials + optional Hawkular-Persona header set the tenant

It might look confusing but it is necessary to implement the 
requirements of the consumer projects.

That said, here's the list of impacts I could think of (may not be 
exhaustive).

# Grafana over InfluxDB endpoint

Grafana now works with both standalone Metrics and Hawkular
https://issues.jboss.org/browse/HWKMETRICS-343

# Clients which must work with different Metrics artifacts

## Wildfly Agent

Mazz already implemented a switch in the agent
https://issues.jboss.org/browse/HWKAGENT-56

## Ruby, Java and Python clients
## vertx-hawkular-metrics and ptrans
## Hawkular Charts

A switch must be implemented:
- Standalone Metrics: set Hawkular-Tenant header
- Hawkular: Basic Auth + Hawkular Persona (optional)

I'm not sure how we should proceed with Hawkular Charts. Having the 
switch as a directive parameter would not be convenient.

Language clients, vertx SPI and ptrans updates should not be blocking 
with respect to the next Hawkular alpha.

# Clients which must work with Hawkular only

## hawkular-ui-services

We need to remove the Hawkular-Tenant header from the HTTP calls, 
otherwise Metrics will reject the requests as invalid (status 400)
I will send a PR when I'm back (I'm out of office next week).

## Pinger and AvailCreator

Since Pinger and AvailCreator need to work with any tenant, it seems 
impractical to require users to configure all credentials for HTTP Client.

I've created HWKMETRICS-347 Hawkular Component should accept metric 
input from the bus. The PR is sent and ready for review.
https://github.com/hawkular/hawkular-metrics/pull/445

If we agree on the principle of queues for metrics data input coming 
from Hawkular components, then we'll only have to update Pinger and 
AvailCreator so that they use the bus instead of an HTTP client.


I believe it is doable to upgrade Metrics for the next Hawkular alpha, 
but it requires good coordination and a little bit of help :)
In particular, I'm not sure I can come up with a good solution in time 
for Hawkular Charts.

Best regards,
Thomas