[Hawkular-dev] HAWKULAR-549 Metrics protected by Accounts: next steps
Thomas Segismont
tsegismo at redhat.com
Fri Feb 5 16:53:57 EST 2016
Hi everyone,
I have been working on integrating the next version of the Metrics
component into Hawkular. It's not a trivial version change.
First, a bit of context. Metrics produces different artifacts, each one
having its own tenant selection, authentication and authorization logic.
# Standalone Metrics
-> Hawkular-Tenant header sets the tenant
-> No authentication, no authorization
# Openshift integration
-> Hawkular-Tenant header sets the tenant
-> Basic Auth (based on htpassword file) or Openshift OAuth
-> Basic auth: no authorization (if you're authenticated, you can query
any tenant)
-> Openshift OAuth: tenant is verified
# Hawkular integration
-> Authentication and authorization based on Accounts
-> Credentials + optional Hawkular-Persona header set the tenant
It might look confusing but it is necessary to implement the
requirements of the consumer projects.
That said, here's the list of impacts I could think of (may not be
exhaustive).
# Grafana over InfluxDB endpoint
Grafana now works with both standalone Metrics and Hawkular
https://issues.jboss.org/browse/HWKMETRICS-343
# Clients which must work with different Metrics artifacts
## Wildfly Agent
Mazz already implemented a switch in the agent
https://issues.jboss.org/browse/HWKAGENT-56
## Ruby, Java and Python clients
## vertx-hawkular-metrics and ptrans
## Hawkular Charts
A switch must be implemented:
- Standalone Metrics: set Hawkular-Tenant header
- Hawkular: Basic Auth + Hawkular Persona (optional)
I'm not sure how we should proceed with Hawkular Charts. Having the
switch as a directive parameter would not be convenient.
Language clients, vertx SPI and ptrans updates should not be blocking
with respect to the next Hawkular alpha.
# Clients which must work with Hawkular only
## hawkular-ui-services
We need to remove the Hawkular-Tenant header from the HTTP calls,
otherwise Metrics will reject the requests as invalid (status 400)
I will send a PR when I'm back (I'm out of office next week).
## Pinger and AvailCreator
Since Pinger and AvailCreator need to work with any tenant, it seems
impractical to require users to configure all credentials for HTTP Client.
I've created HWKMETRICS-347 Hawkular Component should accept metric
input from the bus. The PR is sent and ready for review.
https://github.com/hawkular/hawkular-metrics/pull/445
If we agree on the principle of queues for metrics data input coming
from Hawkular components, then we'll only have to update Pinger and
AvailCreator so that they use the bus instead of an HTTP client.
I believe it is doable to upgrade Metrics for the next Hawkular alpha,
but it requires good coordination and a little bit of help :)
In particular, I'm not sure I can come up with a good solution in time
for Hawkular Charts.
Best regards,
Thomas
More information about the hawkular-dev
mailing list