On Apr 28, 2015, at 3:58 PM, Lukas Krejci <lkrejci@redhat.com> wrote:
How do metrics' tenants fit into the Hawkular accounts and its persona concept?
----- Original Message -----
From: "Stefan Negrea" <snegrea@redhat.com>
To: "Discussions" <hawkular-dev@lists.jboss.org>
Sent: Tuesday, 28 April, 2015 5:44:56 PM
Subject: [Hawkular-dev] Tenant Id - Not Part of URL
Hello Everybody,
I've been working on a PR for the upcoming Hawkular Metrics release that will
remove the tenant id from the end-point URLs. The tenant id will be moved to
either a header parameter or a query parameter. The query parameter is in
place for cases (such as curl) where setting a header is not possible,
difficult, or inconvenient.

Here is an example of the change:

Existing URL:
  /{tenantId}/gauge/{metricId}/data

New URL:
  /gauge/{metricId}/data

Tenant id set via:
  1) header - tenantId
  2) query parameter - tenantId

There are two exceptions to this rule: /tenants and /db/{tenantid}/series.
The /tenants end-point will be changed into something different in the
upcoming releases since it is mostly a management type API that does not
belong in the same place with the regular metrics endpoint. And the
/db/{tenantid}/series end-point is needed in this exact format for
compatibility with InfluxDB-compatible services.
Now, to the merits of this change. The tenant id is volatile, can change any
time, and changes to it should be expected; but the rest of the URL is
fixed. The second issue is that the tenant id is a security concern. So we
were limited in design choices since a security concern was leaking as part
of the URL.
So removing the tenant id from the URL will give us permanent & consistent
addresses for resources (metrics and metric data points). And we will gain a
lot of flexibility on the security side. In the future, users could
authenticate with a user/pass combo and the backend would transform that
into a tenant id to be used on the request. If the same user later decides
to use a tenant id to pass along the request, the URL of the resources would
not change. Another expectation is that tenant id is not sufficient; it is
typically a combo of id + secret, so we would have resorted to a header or
query param for the second piece of information (the secret).
This change will give us the flexibility to adjust the security model (the
meaning of tenant ids and ways to validate them) without compromising the
URL structure. This will help Hawkular Metrics as it gets integrated into
more and more projects and products.
Here are the links to the JIRA and the PR for this change:
https://github.com/hawkular/hawkular-metrics/pull/202
https://issues.jboss.org/browse/HWKMETRICS-68
Thank you,
Stefan Negrea
Software Engineer
_______________________________________________
hawkular-dev mailing list
hawkular-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/hawkular-dev
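
The scheme described in the message above, sketched as an added example (not code from the Hawkular Metrics PR): the tenant id is resolved from the tenantId header or query parameter, the /db/{tenantid}/series path keeps it in the URL, and the resource path stays the same either way. Rejecting a header/query mismatch and masking the query value for access logs are assumptions of this sketch, as are the function names; the /tenants management end-point is left out.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TENANT_KEY = "tenantId"  # header and query parameter name given in the message
# Exception named in the message: this path keeps the tenant id in the URL.
INFLUX_PATH = re.compile(r"^/db/([^/]+)/series$")


class TenantError(ValueError):
    """Raised when a request carries no usable tenant id."""


def resolve_tenant(url, headers):
    """Return (tenant_id, resource_path) for one request."""
    parts = urlsplit(url)
    match = INFLUX_PATH.match(parts.path)
    if match:
        return match.group(1), parts.path
    # HTTP header names are case-insensitive; query parameter names are not.
    found = [v for k, v in headers.items() if k.lower() == TENANT_KEY.lower()]
    found += [v for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k == TENANT_KEY]
    values = set(found)
    if not values or "" in values:
        raise TenantError("missing tenant id")
    if len(values) > 1:
        # Assumption: header/query disagreement is rejected rather than
        # resolved by a silent precedence rule.
        raise TenantError("conflicting tenant ids")
    return values.pop(), parts.path


def loggable_url(url):
    """Mask the tenantId query value before the URL reaches an access log."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == TENANT_KEY else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    # Constructed requests; "acme" and "cpu" are made-up values.
    print(resolve_tenant("/gauge/cpu/data", {"tenantId": "acme"}))
    print(resolve_tenant("/gauge/cpu/data?tenantId=acme", {}))
    print(loggable_url("/gauge/cpu/data?tenantId=acme&start=0"))
```

The query-parameter form still places the tenant id in the request line, so proxies and access logs that record full URLs need the masking step; the header form does not.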