Re: [Hawkular-dev] Tenant Id - Not Part of URL

Good proposal, just make sure it is carried over to the query parameter alternative too. ----- Original Message ----- > From: "Thomas Segismont" <tsegismo(a)redhat.com&gt; > To: hawkular-dev(a)lists.jboss.org > Sent: Tuesday, May 12, 2015 7:36:56 AM > Subject: Re: [Hawkular-dev] Tenant Id - Not Part of URL > > From IETF: > === > 3. Recommendations for Creators of New Parameters > > Creators of new parameters to be used in the context of application > protocols: > > 1. SHOULD assume that all parameters they create might become > standardized, public, commonly deployed, or usable across > multiple implementations. > > 2. SHOULD employ meaningful parameter names that they have reason to > believe are currently unused. > > 3. SHOULD NOT prefix their parameter names with "X-" or similar > constructs. > > Note: If the relevant parameter name space has conventions about > associating parameter names with those who create them, a parameter > name could incorporate the organization's name or primary domain name > (see Appendix B for examples). > === > http://tools.ietf.org/html/rfc6648#section-3 > > So the header should be something like "Hawkular-Tenant". And shared > across the individual components. > > I'll file a Metrics JIRA unless someone has a strong objection or better > name. > > Le 28/04/2015 17:44, Stefan Negrea a écrit : >> Hello Everybody, >> >> I've been working on a PR for the upcoming Hawkular Metrics release that >> will remove the tenant id from the end-point URLs. The tenant id will be >> moved to either a header parameter or a query parameter. The query >> parameter is in place for cases (such as curl) where setting a header is >> not possible, difficult, or inconvenient. >> >> Here is an example of the change: >> >> Existing URL: >> /{tenantId}/gauge/{metricId}/data >> >> New URL: >> /gauge/{metricId}/data >> >> Tenant id set via: >> 1) header - tenantId >> 2) query parameter - tenantId >> >> >> There are two exceptions to this rule, /tenants and /db/{tenantid}/series. >> The /tenants end-point will be changed into something different in the >> upcoming releases since it is mostly a management type API that does not >> belong in the same place with the regular metrics endpoint. And >> /db/{tenantid}/series end-point is needed in this exact format for >> compatibility with Influxdb compatible services. >> >> >> Now, to the merits of this change. The tenant id is volatile, can change >> any time, and changes to it should be expected; but the rest of the URL is >> fixed. The second issue is that the tenant id is a security concern. So we >> were limited in design choices since a security concern was leaking as >> part of the URL. >> >> So removing the tenant id from the URL will give us permanent & consistent >> addresses for resources (metrics and metric data points). And we will gain >> a lot of flexibility on the security side. In the future, users could >> authenticate with a user/pass combo and the backend would transform that >> into a tenant id to be used on the request. If the same user later decides >> to use a tenant id to pass along the request, the URL of the resources >> would not change. Another expectation is that tenant id is not sufficient, >> it is typically a combo of id + secret; so we would have resorted to a >> header or query param for the second piece of information (the secret). >> >> This change will give us the flexibility to adjust the security model (the >> meaning of tenant ids and ways to validate them) without compromising the >> URL structure. This will help Hawkular Metrics as it gets integrated into >> more and more projects and products. >> >> Here are the links to the JIRA and the PR for this change: >> https://github.com/hawkular/hawkular-metrics/pull/202 >> https://issues.jboss.org/browse/HWKMETRICS-68 >> >> >> >> Thank you, >> Stefan Negrea >> >> Software Engineer >> >> _______________________________________________ >> hawkular-dev mailing list >> hawkular-dev(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/hawkular-dev >> > > _______________________________________________ > hawkular-dev mailing list > hawkular-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/hawkular-dev > _______________________________________________ hawkular-dev mailing list hawkular-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/hawkular-dev