Lars,
Indeed, the security mechanism for APM is very simple at the moment: it
uses JAAS, which is concretely implemented by the file-based auth from
Wildfly. The idea was that Red Hat SSO / Keycloak could be used in a
production setup, as the Wildfly Adapter also implements JAAS. In
fact, Keycloak *was* used in a previous iteration of the project.
At this point, however, we are focused on collaborating with Jaeger:
http://www.hawkular.org/blog/2017/04/19/hawkular-apm-jaeger.html
Even though we have not started discussing yet how we'll manage security
in Jaeger, I chatted with some colleagues from the Keycloak team last
week to see whether or not the usage of Keycloak Proxy as a sidecar
would make sense in an OpenShift deployment. There's no conclusion yet,
but it's something to be tested :)
At this moment, we have other priorities for Jaeger and the Keycloak
team is also busy with other tasks, but if this is a topic you'd be
interested in contributing to, I'd be more than happy to share what I
have in mind.
- Juca.
On 04/27/2017 04:45 PM, Lars Milland wrote:
Hi
It would be really great if functionality for Hawkular APM could be
found/established matching what exists for Hawkular Metrics on
OpenShift, where the metrics are stored per tenant/namespace and
Hawkular security is integrated with the OAuth-based security model of
OpenShift.
Is that a requirement/feature that has been considered? Or would it
maybe already be possible to integrate the Hawkular APM components with
OpenShift OAuth-based security? Even if the Hawkular APM storage and
security model would not fit the fully multitenant way of OpenShift,
if just the security model of a Hawkular APM installation could be
connected to the OpenShift OAuth model, then one Hawkular APM instance
could be set up with "service account tokens" used for sending metrics to
the instance, and users could log into the Hawkular APM UI with, again,
OpenShift OAuth managed credentials, mapped to roles coming from the
OAuth ticket. Much the same way that the security model of the OpenShift
integrated Jenkins works - see:
https://github.com/openshift/jenkins-openshift-login-plugin
The current security model of APM is rather limited as far as I
understand – based solely on a single manually fixed username/password
both for contributing application performance metrics/log entries and
for the Hawkular APM UI.
Best regards
Lars Milland
_______________________________________________
hawkular-dev mailing list
hawkular-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/hawkular-dev
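Added example of the token model Lars sketches in his message (bearer tokens validated against OpenShift, roles derived from the token's identity rather than a fixed username/password). This is illustrative code written for this page, not Hawkular APM, Jaeger or Keycloak code. The TokenReview endpoint and the system:serviceaccounts:<namespace> group naming are real Kubernetes/OpenShift conventions; the role names "writer"/"reader", the viewer group "apm-viewers" and the token table are assumptions made up for the example, and the TokenReview call is injected so the block runs offline.

```python
"""Added example (not Hawkular/Jaeger code): service-account tokens authorise
ingest, OpenShift user tokens authorise the UI, roles come from the TokenReview
result.  Role names and the viewer group are assumptions for this example."""
import json
import ssl
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Real TokenReview endpoint of the Kubernetes/OpenShift API server.
TOKENREVIEW_PATH = "/apis/authentication.k8s.io/v1/tokenreviews"

# Real group naming: every SA of namespace X is in "system:serviceaccounts:X".
SA_GROUP_PREFIX = "system:serviceaccounts:"
# Hypothetical OpenShift group whose members may use the UI (assumption).
VIEWER_GROUP = "apm-viewers"


@dataclass
class Principal:
    username: str
    groups: List[str]
    roles: Set[str] = field(default_factory=set)


# A reviewer takes a TokenReview request body and returns the API server's answer.
Reviewer = Callable[[dict], dict]


def kubernetes_reviewer(api_server: str, reviewer_token: str, ca_file: str) -> Reviewer:
    """Reviewer that POSTs to the real API server.  The APM service needs its own
    SA token (mounted in a pod under /var/run/secrets/kubernetes.io/serviceaccount/)
    with permission to create tokenreviews.  Not called in the offline demo below."""
    ctx = ssl.create_default_context(cafile=ca_file)

    def review(body: dict) -> dict:
        req = urllib.request.Request(
            api_server.rstrip("/") + TOKENREVIEW_PATH,
            data=json.dumps(body).encode(),
            headers={"Authorization": "Bearer " + reviewer_token,
                     "Content-Type": "application/json"},
            method="POST")
        with urllib.request.urlopen(req, context=ctx, timeout=5) as resp:
            return json.loads(resp.read())
    return review


def map_roles(groups: List[str], ingest_namespace: str) -> Set[str]:
    """Assumed mapping: SAs of the ingest namespace write, viewer-group members read."""
    roles = set()
    if SA_GROUP_PREFIX + ingest_namespace in groups:
        roles.add("writer")
    if VIEWER_GROUP in groups:
        roles.add("reader")
    return roles


def bearer_token(headers: Dict[str, str]) -> Optional[str]:
    """Extract the token from 'Authorization: Bearer <token>'; anything else is rejected."""
    value = headers.get("Authorization") or headers.get("authorization") or ""
    parts = value.split()
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1]


def authorize(headers: Dict[str, str], required_role: str, reviewer: Reviewer,
              ingest_namespace: str) -> Optional[Principal]:
    """Return the caller's Principal if the token is valid and carries required_role."""
    token = bearer_token(headers)
    if token is None:
        return None
    body = {"apiVersion": "authentication.k8s.io/v1", "kind": "TokenReview",
            "spec": {"token": token}}
    status = reviewer(body).get("status", {})
    if not status.get("authenticated"):
        return None                      # unknown, expired or revoked token
    user = status.get("user", {})
    principal = Principal(user.get("username", ""), list(user.get("groups", [])))
    principal.roles = map_roles(principal.groups, ingest_namespace)
    if required_role not in principal.roles:
        return None                      # authenticated, but not allowed this operation
    return principal


# Constructed, offline stand-in for the API server: token -> (username, groups).
FAKE_IDENTITIES = {
    "sa-token-ns-a": ("system:serviceaccount:ns-a:apm-agent",
                      ["system:serviceaccounts", "system:serviceaccounts:ns-a",
                       "system:authenticated"]),
    "sa-token-ns-b": ("system:serviceaccount:ns-b:other",
                      ["system:serviceaccounts", "system:serviceaccounts:ns-b",
                       "system:authenticated"]),
    "user-token-lars": ("lars", ["apm-viewers", "system:authenticated"]),
}


def fake_reviewer(body: dict) -> dict:
    ident = FAKE_IDENTITIES.get(body["spec"]["token"])
    if ident is None:
        return {"status": {"authenticated": False}}
    return {"status": {"authenticated": True,
                       "user": {"username": ident[0], "groups": ident[1]}}}


if __name__ == "__main__":
    print(authorize({"Authorization": "Bearer sa-token-ns-a"}, "writer", fake_reviewer, "ns-a"))
    print(authorize({"Authorization": "Bearer user-token-lars"}, "writer", fake_reviewer, "ns-a"))
```

The point of the split is that an agent's service-account token can only ever obtain "writer" (it is not in the viewer group), and a user token can only obtain "reader" (it is not in the ingest namespace's SA group), so leaking one kind of credential does not grant the other capability, and revocation is handled by OpenShift rather than by editing a properties file on the APM server.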