2016-04-18 17:14 GMT+02:00 Juraci Paixão Kröhling <jpkroehling(a)redhat.com>:
On 18.04.2016 16:57, Juraci Paixão Kröhling wrote:
> On 15.04.2016 15:14, Juraci Paixão Kröhling wrote:
>> On 15.04.2016 14:43, Heiko W.Rupp wrote:
>>> Yes, that *may* require a change. Or not if we e.g. have
>>> - accounts-keycloak
>>> - accounts-jaas
>>> where the latter does the mapping as a jaas provider/plugin.
>
> I'm still not convinced why we would need two modules. If we assume that
> Hawkular is similar to a database, in the sense that end users have no
> access to it, then there would be no need for any advanced feature from
> Keycloak. Plain JAAS would suffice.
>
Sent without finishing :)
Another aspect that comes with the removal of the dependency on Keycloak
is surrounding tenancy. We don't have the same requirements as before,
and in the case described above where Hawkular could be seen as a
"database", the tenancy would/should be managed on the user-facing
application.
This means that we'd have a breaking change for components like
Inventory and Metrics, where the tenant is currently the same as the
persona, which in turn is derived from the logged in user (or
organization selected on the account switcher). Not having a tenancy
model anymore means that all users are of the same tenant, so,
components that care about tenancy should be changed.
Note that there are two ways of interpreting "tenancy" here: the first
is about how data is stored, and the second is how data is accessed.
Previously, a tenant would write and read only its own data. Now, tenant
is just another piece of the data, so, components would not actively
check if the data belongs to the current user. We trust that the
user-facing application is performing these checks.
If we don't check that the authenticated user can only access the data he
is entitled to read, it's not good. It's protecting your web application
with client-side checks only.
- Juca.
--
Thomas Segismont
JBoss ON Engineering Team
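
The two access models discussed in this thread, side by side, as an added example that is not part of the original messages and is not Hawkular code. `MetricStore`, `Principal`, the method names and the sample tenants are hypothetical, constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """Caller identity as authenticated by the backend itself (hypothetical)."""
    name: str
    tenants: frozenset  # tenants this caller is entitled to read


class MetricStore:
    """Constructed in-memory stand-in for a tenant-aware component."""

    def __init__(self):
        self._rows = []  # each row: (tenant, metric_id, value)

    def write(self, tenant, metric_id, value):
        self._rows.append((tenant, metric_id, value))

    def _select(self, tenant, metric_id):
        return [v for t, m, v in self._rows if t == tenant and m == metric_id]

    def read_trusting_caller(self, requested_tenant, metric_id):
        # Tenant is only a filter named by the request; the component relies
        # on the user-facing application to have checked entitlement.
        return self._select(requested_tenant, metric_id)

    def read_checked(self, principal, requested_tenant, metric_id):
        # The component verifies entitlement itself, so a request that
        # bypasses the front end is still refused.
        if requested_tenant not in principal.tenants:
            raise PermissionError(
                f"{principal.name} is not entitled to {requested_tenant!r}")
        return self._select(requested_tenant, metric_id)


def demo():
    store = MetricStore()
    store.write("acme", "cpu.load", 0.42)    # constructed sample data
    store.write("globex", "cpu.load", 0.97)
    alice = Principal("alice", frozenset({"acme"}))
    unchecked = store.read_trusting_caller("globex", "cpu.load")
    try:
        checked = store.read_checked(alice, "globex", "cpu.load")
    except PermissionError:
        checked = None
    own = store.read_checked(alice, "acme", "cpu.load")
    return unchecked, checked, own
```

`demo()` returns the other tenant's value from the unchecked path, `None` from the checked path for the same request, and the caller's own value when the tenant matches.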