6:27 p.m.
I'm sending this here because I need the input from several people (specifically
Heiko, Juca, and Peter, but others are free to chime in, too).
Right now, the UI sends messages over the websocket to the hawkular server to make request
for things. That UI request is immediately authenticated via hawkular-accounts (typically
the UI sends the keycloak token that we authentiate). At this point, we put the message on
the bus so the message can be routed to the proper kettle instance so the message can be
forwarded to the feed over the feed websocket connection. Once the feed processes the
request, a response may be sent back (asynchronously from the request) - if a response is
sent back from the feed, it goes to the kettle instance via websockets, the kettle puts it
on the bus, where the listener processing the UI client responses will take the bus
message and forward it to the UI over the websocket. Phew.
OK, my question is - how does the UI identify itself? We need some string identifier so
the response message can be targeted to the proper UI client (today, we don't have UI
identifiers, so we just send responses to EVERY UI client but only those UI clients
connected to the kettle that the feed is connected to - not good in a clustered
environment and not good for security purposes - some UIs will be different tenants and
shouldn't see these messages).
Here's some use cases to illustrate the problem:
1) I'm logged into the UI using two different browser tabs. In one, I send a
"deploy an application" request. Once the response comes back - do I show the
response in both tabs? What if I closed the tab that performed the deploy? What should
happen?
2) I am logged in kettle #1 as "jdoe" and someone else is logged in kettle #2 as
the same "jdoe". I deploy an application. Should that other person get the
response that a new app was deployed, too?
3) I am logged into the UI and I deploy an application. I log out (perhaps close the
browser) and log back in. Then the deployment finishes and the response comes in - should
I get that response (even though its a new browser instance and a new websocket
connection?)
The way I am thinking about this is Google Drive. I could be logged into my Google Drive
account on any number of browsers or tabs - when I make a change to a document in Drive,
that change is immediately reflected in every browser/tab I have open to Google Drive, not
just in the browser that made the change. Is this the kind of thing we want? Or do we only
want the browser that is making the requests get the responses?
One thing I am thinking is hawkular-accounts gives us some common ID (not the token) that
we assign a UI client and that ID floats in all requests and responses. The bad thing
about this is we'll never know the UI client ID until they send their first request.
Another thing I am thinking is have it work just like feeds - a feed connects via the URL
ws://host/hawkular-command-gateway/feed/<FEED ID>. We could let each UI generate
their own id and connect via ws://host/hawkular-command-gateway/ui/<UI ID>. The good
thing here is the UI knows its ID immediately (since it generated it) and we know it from
the start without even getting an initial message (and we can link it with that websocket
session easily). Bad thing is only that UI will be able to get responses - it won't
work the "Google Drive way" where a user logged into N browsers will get
responses in all N browsers.
Thoughts?