9:01 a.m.
(this email uses the Hawkular naming as proposed by lponce)
It seems there has been some confusion about the situation around the
multi tenancy in Hawkular Services. Most of what was discussed today on
IRC was already discussed in a way or another before, but here's a
summary of the previous discussions + what was discussed today on IRC:
Hawkular Services, except Agent:
* Tenant data is not going to be derived from Hawkular Services Auth Data.
* Tenancy is to be determined by the client and sent to Hawkular
Services via the "Hawkular-Tenant" header.
* As tenancy is not to be determined at Hawkular Services, there's no
point in having Accounts anymore. Most, if not all, components have
already a "remove Accounts dependency" JIRA. If you need help on this
task, let me know
* Removing Accounts != removing tenancy support. Multi tenancy is still
a requirement for Hawkular Services!
* If the tenant is not provided (ie: Hawkular-Tenant HTTP header is
non-existent or invalid), your endpoint should return a "400 - Bad Request".
* We might still have multi tenancy on Hawkular. But that's irrelevant
for your component.
Agent and non-Hawkular Services:
* Agent will allow the user to set a tenant on standalone.xml . By
default, it will be set to "hawkular"
* The Hawkular Ruby Gem, used by MiQ, will use tenancy information from
MiQ when available. By default, it will be set to "hawkular"
* OpenShift already sends Hawkular-Tenant to Hawkular Metrics
- Juca.
9:31 a.m.
point in having Accounts anymore. Most, if not all, components have
already a "remove Accounts dependency" JIRA. If you need help on this
task, let me know
Agent JIRA: https://issues.jboss.org/browse/HWKAGENT-86
Agent PR: https://github.com/hawkular/hawkular-agent/pull/180
That PR still has Accounts feature pack stuff in it for the itests stuff. I need help on
that task
.
Agent and non-Hawkular Services:
* Agent will allow the user to set a tenant on standalone.xml . By
default, it will be set to "hawkular"
This is implemented in the above PR
10:04 a.m.
On 10.05.2016 16:31, John Mazzitelli wrote:
Agent JIRA: https://issues.jboss.org/browse/HWKAGENT-86
Agent PR: https://github.com/hawkular/hawkular-agent/pull/180
That PR still has Accounts feature pack stuff in it for the itests stuff. I need help on
that task
I believe that Peter is already working on that. For most components,
the change will be simple: just start using the Nest Feature Pack
instead of Accounts, and add JAAS configuration to the Wildfly server
you build for the integration tests.
To add the JAAS configuration, you'd need this:
https://git.io/vwADp - web.xml (on your WAR)
https://git.io/vwAyT - application-roles.properties
https://git.io/vwAyL - application-users.properties
- Juca.
3:22 p.m.
On 10.05.2016 16:31, John Mazzitelli wrote:
> Agent JIRA: https://issues.jboss.org/browse/HWKAGENT-86
> Agent PR: https://github.com/hawkular/hawkular-agent/pull/180
>
> That PR still has Accounts feature pack stuff in it for the itests stuff. I
> need help on that task
I believe that Peter is already working on that.
I see Peter is working on taking out Accounts from Inventory right now. I will assign this
agent JIRA to Peter since it will probably take him 5 minutes to do the agent once he gets
everything figured out with Inventory :)
11:16 a.m.
Hi Juca
So just to be clear, this means that there is no server side validation to ensure the user
is able to read from/write to the supplied tenant? This would have to be handled in the
client aswell?
Regards
Gary
----- Original Message -----
(this email uses the Hawkular naming as proposed by lponce)
It seems there has been some confusion about the situation around the
multi tenancy in Hawkular Services. Most of what was discussed today on
IRC was already discussed in a way or another before, but here's a
summary of the previous discussions + what was discussed today on IRC:
Hawkular Services, except Agent:
* Tenant data is not going to be derived from Hawkular Services Auth Data.
* Tenancy is to be determined by the client and sent to Hawkular
Services via the "Hawkular-Tenant" header.
* As tenancy is not to be determined at Hawkular Services, there's no
point in having Accounts anymore. Most, if not all, components have
already a "remove Accounts dependency" JIRA. If you need help on this
task, let me know
* Removing Accounts != removing tenancy support. Multi tenancy is still
a requirement for Hawkular Services!
* If the tenant is not provided (ie: Hawkular-Tenant HTTP header is
non-existent or invalid), your endpoint should return a "400 - Bad Request".
* We might still have multi tenancy on Hawkular. But that's irrelevant
for your component.
Agent and non-Hawkular Services:
* Agent will allow the user to set a tenant on standalone.xml . By
default, it will be set to "hawkular"
* The Hawkular Ruby Gem, used by MiQ, will use tenancy information from
MiQ when available. By default, it will be set to "hawkular"
* OpenShift already sends Hawkular-Tenant to Hawkular Metrics
- Juca.
_______________________________________________
hawkular-dev mailing list
hawkular-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/hawkular-dev
11:33 a.m.
On 10.05.2016 18:16, Gary Brown wrote:
So just to be clear, this means that there is no server side
validation to ensure the user is able to read from/write to the supplied tenant? This
would have to be handled in the client aswell?
Correct, we rely on accurate tenant information being provided by the
client. Such authorization checks are to be done at the client level as
well.
- Juca.
3170
days inactive
3170
days old
5 comments
3 participants
participants (3)
-
Gary Brown -
John Mazzitelli -
Juraci Paixão Kröhling