On 06/15/2015 04:45 PM, John Sanda wrote:
> Why and to whom would components be providing auth info? My
> understanding is that we will eventually have the security filter
> through which all requests are routed. That filter will handle
> authentication/authorization so that when a request does reach the
> component endpoint, we can assume authentication/authorization
> have already been taken care of.

As it is right now, Accounts provides an API for permission checking,
so individual components can check if the current "persona" has the
required permissions to perform the operation on the "resource". More
about it can be found in the documentation:
http://www.hawkular.org/docs/dev/accounts.html
There's a JIRA for supporting security-by-annotations, but it's not
something that's on top of my queue right now.

> I think this conflates the two separate concerns. As the user I
> should not have to know or care about the existence of other
> tenants. From my perspective there is my tenant and that’s it.
> There might be other tenants, but that should not be a concern to
> me as it relates to authentication and authorization. For example,
> in a future version suppose we decide to completely replace our
> authentication/authorization model with something else. That should
> not (at least in theory) change multi tenancy.

That's not how we defined it. A user can (and potentially will)
belong to more than one organization, so a user might belong to and
"act-as" different organizations, effectively being different
"personas".
So, while I have only one registered account, I might be sending
requests as different personas.

> Other than configuring/applying the filter, I do not envision
> metrics, nor any other component for that matter, doing
> authorization. That is the responsibility of accounts.

Quite the opposite. Authentication is done 100% by Accounts,
Authorization is done by the individual components, with the tools
provided by Accounts.

- Juca.