9:11 a.m.
Hi,
as this discussion is going on and the other components need to adapt,
we need to come to
an end.
The preferred form is to have the Tenant id in the header as:
Hawkular-Tenant: acme.org
This has been agreed upon by everyone I think and been committed to
hawkular-metrics yesterday as
https://issues.jboss.org/browse/HWKMETRICS-86
Now the question is if we need a fallback in the case a client can not
supply a
header.
Following some discussion here and on irc yesterday, a queryParameter
(?tenantid=acme.org) seems to be preferred over a matrix parameter.
Last but not least is the question if we need that fallback at all.
My litmus test here is always the usage via curl.
As curl allows to pass headers via -H "Hawkular-tenant: acme.org" I can
imagine not using a fallback at all.
Hawkular itself needs to check if a tenant is provided and otherwise
reject the request with a
403 error code, providing a "missing Hawkular-Tenant" reason phrase.
While a 403 has a slightly different meaning, a 401 code is not
applicable, as for a 401 the
response must indicate a challenge to be met for successful
authentication.
If a tenant header is provided, but does not match a known tenant we
should probably
return a 404 not found - I am not sure on this one though. Perhaps a 403
with different reason
phrase is even better.
In cases where there is only one default tenant (e.g. metrics running
standalone), the
check for the provided tenant can be omitted.
For fallback / non-fallback I've created a doodle:
http://doodle.com/extrm4zreh25hhx3
Please respond until 5/20 EOD
4:32 p.m.
New subject: Tenant Id
----- Original Message -----
From: "Heiko W.Rupp" <hrupp(a)redhat.com>
To: "Discussions around Hawkular development"
<hawkular-dev(a)lists.jboss.org>
Sent: Tuesday, 19 May, 2015 4:11:05 PM
Subject: Re: [Hawkular-dev] Tenant Id
Hi,
as this discussion is going on and the other components need to adapt,
we need to come to
an end.
The preferred form is to have the Tenant id in the header as:
Hawkular-Tenant: acme.org
Is accounts going to change to this format, too?
As far as I understand it, for us, Persona = Tenant. Accounts currently
gets the persona from the "X-Hawkular-Persona" header.
Also, because orgs and people can be renamed, I think we should not use the
name as the identifier of the tenant, but rather the persona ID
which is an UUID.
This has been agreed upon by everyone I think and been committed to
hawkular-metrics yesterday as
https://issues.jboss.org/browse/HWKMETRICS-86
Now the question is if we need a fallback in the case a client can not
supply a
header.
Following some discussion here and on irc yesterday, a queryParameter
(?tenantid=acme.org) seems to be preferred over a matrix parameter.
Last but not least is the question if we need that fallback at all.
My litmus test here is always the usage via curl.
As curl allows to pass headers via -H "Hawkular-tenant: acme.org" I can
imagine not using a fallback at all.
+1
Hawkular itself needs to check if a tenant is provided and otherwise
reject the request with a
403 error code, providing a "missing Hawkular-Tenant" reason phrase.
While a 403 has a slightly different meaning, a 401 code is not
applicable, as for a 401 the
response must indicate a challenge to be met for successful
authentication.
Hmm, good points... I need to change that in Inv..
If a tenant header is provided, but does not match a known tenant we
should probably
return a 404 not found - I am not sure on this one though. Perhaps a 403
with different reason
phrase is even better.
I would argue that this will never gonna happen. As far as I recall, our
mantra is Persona = Tenant, which means that whatever tenant we get is an
authenticated user impersonating as given persona - and for that we should
have a tenant.
In fact, inventory (in HWKINVENT-36) auto-creates such tentants because it
assumes a successful authentication and impersonation is enough of a reason
for the tenant to exist.
In cases where there is only one default tenant (e.g. metrics
running
standalone), the
check for the provided tenant can be omitted.
For fallback / non-fallback I've created a doodle:
http://doodle.com/extrm4zreh25hhx3
Please respond until 5/20 EOD
_______________________________________________
hawkular-dev mailing list
hawkular-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/hawkular-dev
1:54 a.m.
New subject: Tenant Id
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 05/19/2015 11:32 PM, Lukas Krejci wrote:
Is accounts going to change to this format, too?
As far as I understand, this is specific to metrics. Accounts already
provides the tenant/persona data based on the auth data *or* via the
header "X-Hawkular-Persona", as you mentioned below.
As far as I understand it, for us, Persona = Tenant. Accounts
currently gets the persona from the "X-Hawkular-Persona" header.
- - Juca.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJVXC+LAAoJECKM1e+fkPrXfTEIAIBZTOU57+ox4rkyW+GkxK+z
GwpzIB/rkDL3M2l6D0EgTY9GNpeweT9VMssa8TrF0tIOXJXXYOOgadeAVvJYe41i
mHciXro97cChS8ppnel+ss3xihiFfVKRm3PQOyK8eHql3oSZhwaGr1sLlxFe0SUY
9BMC7iyWOPKsf9b447Mk2rZLKWzWA7joGjZ+DjnXtI1Eg8nN4XB1gvvVaVHFQnYn
plAEN5ahLg4F0MqP+y5/Sjoax3Cbl8mczhuGvLTcbi6pPLoV7WG9X0x1ASjG2VzR
DZRdeRz78fvYIHWsXxOa6sy94Kcbi5ntgRllXZXcqWkL1HIjWGr0/7sS+MgWTjw=
=aB9t
-----END PGP SIGNATURE-----
2:10 a.m.
New subject: Tenant Id
If the X-Hawkular-Persona header is still required, shouldn't it atleast be changed to
Hawkular-Persona, as in a previous email in this thread I believe "X-" prefix is
reserved?
Regards
Gary
----- Original Message -----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 05/19/2015 11:32 PM, Lukas Krejci wrote:
> Is accounts going to change to this format, too?
As far as I understand, this is specific to metrics. Accounts already
provides the tenant/persona data based on the auth data *or* via the
header "X-Hawkular-Persona", as you mentioned below.
> As far as I understand it, for us, Persona = Tenant. Accounts
> currently gets the persona from the "X-Hawkular-Persona" header.
>
- - Juca.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJVXC+LAAoJECKM1e+fkPrXfTEIAIBZTOU57+ox4rkyW+GkxK+z
GwpzIB/rkDL3M2l6D0EgTY9GNpeweT9VMssa8TrF0tIOXJXXYOOgadeAVvJYe41i
mHciXro97cChS8ppnel+ss3xihiFfVKRm3PQOyK8eHql3oSZhwaGr1sLlxFe0SUY
9BMC7iyWOPKsf9b447Mk2rZLKWzWA7joGjZ+DjnXtI1Eg8nN4XB1gvvVaVHFQnYn
plAEN5ahLg4F0MqP+y5/Sjoax3Cbl8mczhuGvLTcbi6pPLoV7WG9X0x1ASjG2VzR
DZRdeRz78fvYIHWsXxOa6sy94Kcbi5ntgRllXZXcqWkL1HIjWGr0/7sS+MgWTjw=
=aB9t
-----END PGP SIGNATURE-----
_______________________________________________
hawkular-dev mailing list
hawkular-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/hawkular-dev
2:17 a.m.
New subject: Tenant Id
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 05/20/2015 09:10 AM, Gary Brown wrote:
If the X-Hawkular-Persona header is still required, shouldn't it
atleast be changed to Hawkular-Persona, as in a previous email in
this thread I believe "X-" prefix is reserved?
Yes, I think I've created a JIRA for me about that. But just to be
clear: consumers of Accounts shouldn't worry about this header. It's
parsed and checked by Accounts, which makes a Persona object available
to be injected.
- - Juca.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJVXDUSAAoJECKM1e+fkPrXQQkIAIKU7p3pmLRUiJ7I2VcMWB9r
xh6bgJ77LvfYLp8kL7FCiHJcJkrs023C4CrX04Qs/ucJzHIQ/rGrojj5ckFoSRdU
tlLkUlYQgu9rVqNmw5CIiRyLp7BKhxgkuF2KkeGYOuTeW5vaiE5NCxyyIrjgRi3V
MnFQL88DHNYkFpSUKWe2p1sR4zrbSMIJHxuZmWiy7qFp806u6+z4Yrq9vweu1TX2
GVjEhSWwlGuHAk0/wFNvR5VeqSzN4fLpsJYkhE8VqwlQxiz2otXaw1xoBu84EL5k
Q+cvcXFBWH2MQOyVwgqj9BNvzxVAy7l043/AR8DZI2j/WLipwhDok/vH+h5VhH8=
=tf6s
-----END PGP SIGNATURE-----
4:56 a.m.
New subject: Tenant Id
Le 20/05/2015 09:17, Juraci Paixão Kröhling a écrit :
On 05/20/2015 09:10 AM, Gary Brown wrote:
> >If the X-Hawkular-Persona header is still required, shouldn't it
> >atleast be changed to Hawkular-Persona, as in a previous email in
> >this thread I believe "X-" prefix is reserved?
Yes, I think I've created a JIRA for me about that. But just to be
clear: consumers of Accounts shouldn't worry about this header. It's
parsed and checked by Accounts, which makes a Persona object available
to be injected.
Yes, the "Hawkular-Tenant" header is specific to Metrics. When Metrics
is integrated with Accounts, I expect we will derive the tenant from the
persona header.
We'll also need to think how to make clients
(hawkular-agent/ptrans/vertx-monitor) work with both standalone and
integrated Metrics services.
9:20 a.m.
New subject: Tenant Id
Hello Everybody,
I lost track a few times of where this long thread was going but I think the final
decision is: Hawkular-Tenant header only.
Here is the PR for Hawkular Metrics: https://github.com/hawkular/hawkular-metrics/pull/232
. The PR is ready for merging and will be part of the next Hawkular Metrics release.
Thank you,
Stefan
----- Original Message -----
From: "Thomas Segismont" <tsegismo(a)redhat.com>
To: hawkular-dev(a)lists.jboss.org
Sent: Wednesday, May 20, 2015 4:56:13 AM
Subject: Re: [Hawkular-dev] Tenant Id
Le 20/05/2015 09:17, Juraci Paixão Kröhling a écrit :
> On 05/20/2015 09:10 AM, Gary Brown wrote:
>> >If the X-Hawkular-Persona header is still required, shouldn't it
>> >atleast be changed to Hawkular-Persona, as in a previous email in
>> >this thread I believe "X-" prefix is reserved?
> Yes, I think I've created a JIRA for me about that. But just to be
> clear: consumers of Accounts shouldn't worry about this header. It's
> parsed and checked by Accounts, which makes a Persona object available
> to be injected.
Yes, the "Hawkular-Tenant" header is specific to Metrics. When Metrics
is integrated with Accounts, I expect we will derive the tenant from the
persona header.
We'll also need to think how to make clients
(hawkular-agent/ptrans/vertx-monitor) work with both standalone and
integrated Metrics services.
_______________________________________________
hawkular-dev mailing list
hawkular-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/hawkular-dev
4:08 a.m.
New subject: Tenant Id
On 19 May 2015, at 23:32, Lukas Krejci wrote:
Also, because orgs and people can be renamed, I think we should not
use the
name as the identifier of the tenant, but rather the persona ID
which is an UUID.
Yes. Above example was to explicitly list the header.
> If a tenant header is provided, but does not match a known tenant
we
> should probably
> return a 404 not found - I am not sure on this one though. Perhaps a 403
> with different reason
> phrase is even better.
>
I would argue that this will never gonna happen. As far as I recall, our
mantra is Persona = Tenant, which means that whatever tenant we get is an
authenticated user impersonating as given persona - and for that we should
have a tenant.
A misconfigured feed (e.g. user configuring the WildFly agent and
making a typo) is what I was thinking off. Less the pinger or internal
calls from UI to backend.
3479
days inactive
3487
days old
7 comments
6 participants
participants (6)
-
Gary Brown -
Heiko W.Rupp -
Juraci Paixão Kröhling -
Lukas Krejci -
Stefan Negrea -
Thomas Segismont