[Hawkular-dev] agent error
Juraci Paixão Kröhling
jpkroehling at redhat.com
Fri Jan 29 05:26:11 EST 2016
On 29.01.2016 11:14, Heiko W.Rupp wrote:
> I am not too happy about that differentiation, as client code
> now needs to know if talking to a hawkular server or "metrics
> only".
> Just take the ruby client, that is used to talk to hawkular-metrics
> on OpenShift on one side and in the ManageIQ provider code to
> full Hawkular servers.
> Of course it is doable, but probably adds to confusion.
The main idea, on the backend side, is that a client might send
credentials belonging to Persona "abc" and send a Hawkular-Tenant
of "def", causing a mismatch: using the persona and ignoring the
Hawkular-Tenant makes the backend perform something the client did *not*
ask it to do. Trusting the client opens a door for security issues.
I think the code was introduced when I asked on a review about the
correct behavior for the situation above. I think the components could
be forgiving if Hawkular-Tenant == Hawkular-Persona, throwing a 400
otherwise.
- Juca.
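The tenant/persona handling discussed above, as an added example (not Hawkular project code): a resolver that trusts the client's header beside the strict variant proposed in the message. The header names come from the thread; the request shape and function names are assumptions for illustration.

```ruby
# Added example, not code from the Hawkular project or from the thread.
# Header names follow the message; the request shape is an assumption.
TENANT_HEADER = 'Hawkular-Tenant'

# Permissive resolver: acts on whatever tenant the client names.
# This is the "trusting the client" case the message warns about:
# credentials for persona "abc" can be used to act on tenant "def".
def resolve_tenant_permissive(persona, headers)
  headers[TENANT_HEADER] || persona
end

# Strict resolver, as proposed in the message: an absent header falls
# back to the authenticated persona (forgiving), an equal header is
# accepted, and a differing header is rejected with 400 rather than
# silently using either value.
# Returns [status, tenant] on success or [400, error_message].
def resolve_tenant_strict(persona, headers)
  tenant = headers[TENANT_HEADER]
  return [200, persona] if tenant.nil? || tenant == persona
  [400, "Hawkular-Tenant '#{tenant}' does not match persona '#{persona}'"]
end

# Constructed sample requests. The persona is the identity the backend
# derived from the credentials, never something taken from the client.
SAMPLE_REQUESTS = [
  { persona: 'abc', headers: {} },
  { persona: 'abc', headers: { TENANT_HEADER => 'abc' } },
  { persona: 'abc', headers: { TENANT_HEADER => 'def' } }
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_REQUESTS.each do |req|
    loose = resolve_tenant_permissive(req[:persona], req[:headers])
    status, result = resolve_tenant_strict(req[:persona], req[:headers])
    puts "#{req[:headers].inspect}: permissive -> #{loose}, strict -> #{status} #{result}"
  end
end
```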