[Hawkular-dev] accounts, tenants, the agent

Matt Wringe mwringe at redhat.com
Fri May 6 10:31:07 EDT 2016 


----- Original Message -----
> From: "Jay Shaughnessy" <jshaughn at redhat.com>
> To: hawkular-dev at lists.jboss.org
> Sent: Friday, May 6, 2016 9:21:59 AM
> Subject: Re: [Hawkular-dev] accounts, tenants, the agent
> 
> 
> I always thought tenants were more akin to grouping associated data, like
> everything for datacenter-1, or company-x, and so users would have their
> queries limited to their relevant data. If every feed has a different
> tenantid by default, then wouldn't it be difficult to consolidate data in a
> view? I know in H Alerting that tenantId is used more in the fashion I
> discussed, and multi-tenant queries are not efficient. It seems to me we'd
> be better off using a single default, like "global-tenant".

I always view tenants as being more of a user concern. As a user I can rent one or more units in an apartment building and I control the keys to these apartments. I can only be in one apartment at a time, but I can leave and go to another apartment I own if I want. Other users can also rent one or more units in the building as well. There may be a landlord (admin) who also has a key to all units as well.

I think we need to keep one default tenant for everything (eg 'hawkular' or something generic) and not have a per feed tenant. You can't query or aggregate data across tenants in Hawkular Metrics, and I would assume most users would want to have one tenant by default rather than one tenant per feed. I assume that users will probably want to perform aggregates across a cluster of similar machines, which you can't do if each machine has a separate tenant id.

Tenants are also used for access control. In OpenShift they have projects (aka namespaces) which we use as the tenant id. A user in OpenShift needs to specify that project they are using when they perform any action, and access control is configured on a per project basis. For metrics, when someone tries to access one of the endpoints, we verify that they have access to the corresponding project in OpenShift before granting them access to the corresponding metrics in Hawkular Metrics.

> 
> On 5/6/2016 8:21 AM, John Mazzitelli wrote:
> 
> 
> 
> 
> 
> Can't you just consider the tenantId the same as the feedId? Or use some
> fixed word, like 'global'? Please don't use the slashes, equal symbols and
> others :)
> That's what I was thinking of doing to avoid requiring people to set the
> tenantId. They can still set tenantId if they want something different, but,
> I think I will default to the feed ID.
> 
> 
> 
> As for the inventory, currently the tenant is auto-created with the very
> first call to the rest api. There is no dedicated endpoint to create the
> tenant. The tenant id is obtained from the accounts component. Probably,
> this will be changed to get the tenant id from the http header. So all you
> need to do is to start inserting the data with the correctly set tenant id
> header.
> Right. I would have to add that. Right now the agent only sends tenant ID
> header to metrics. Looks like I will need to send it to inventory as well.
> 
> I wonder if we need to start passing tenant ID around in the websocket
> commands too?
> 
> Peter/Juca - with all the work you are doing in cmdgw stuff - do you know if
> we need to add tenant ID to all the commands?
> _______________________________________________
> hawkular-dev mailing list hawkular-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/hawkular-dev
> 
> 
> _______________________________________________
> hawkular-dev mailing list
> hawkular-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/hawkular-dev
>

More information about the hawkular-dev mailing list