Comments (12)

dehort avatar dehort commented on August 27, 2024 1

It's also possible that this is just going to be supported by us handing over the x-rh-auth-identity header and letting the Inventory talk to the RBAC service to sort out which hosts we can see.

Yes, this is going to be supported by pulling the account number out of the identity header.

If so, it'd be good to have some overrides so that e.g. we can query a customer's account if we need to sort out a problem.

This is a feature we'll need to add later on. At this point, it is not clear to me how to securely allow for a "superuser" type of access with the current auth header checking.

from insights-host-inventory.

jhjaggars avatar jhjaggars commented on August 27, 2024

This should be supported with the account={int} query parameter.

PaulWay avatar PaulWay commented on August 27, 2024

Um, I can't see that described in the Swagger spec. I also don't see any code to support that in the getHostList handler and I don't see any 'getHostListByAccount' handler or similar.

Are you just generally asserting that the Inventory service should do that, or are you saying that it does and I've just missed it somewhere? :-)

PaulWay avatar PaulWay commented on August 27, 2024

It's also possible that this is just going to be supported by us handing over the x-rh-auth-identity header and letting the Inventory talk to the RBAC service to sort out which hosts we can see. If so, it'd be good to have some overrides so that e.g. we can query a customer's account if we need to sort out a problem.

PaulWay avatar PaulWay commented on August 27, 2024

Is there also any intent for the Inventory service to deny access to a host if it's requested by HostID but by a person not from that account? I.e. does the client have to specify both the HostID and account number in order to get the host, or will requesting a valid HostID give you that host regardless of which account the user requesting it is in?

dehort avatar dehort commented on August 27, 2024

Is there also any intent for the Inventory service to deny access to a host if it's requested by HostID but by a person not from that account? I.e. does the client have to specify both the HostID and account number in order to get the host, or will requesting a valid HostID give you that host regardless of which account the user requesting it is in?

Hosts will only be returned if their account matches the account number from the identity auth header.

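Added illustration (not code from insights-host-inventory) of the scoping rule dehort describes above: the account number is taken from the identity header and every host query, including lookup by host id, is filtered to that account. The header layout (base64-encoded JSON carrying identity.account_number), the helper names and the sample inventory are assumptions for this example.

```python
import base64
import json
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Host:
    host_id: str
    account: str
    display_name: str

# Constructed sample inventory: two accounts, three hosts.
HOSTS = [
    Host("h-1", "000001", "web01"),
    Host("h-2", "000001", "db01"),
    Host("h-3", "000002", "web01"),
]

def account_from_identity_header(header_value: str) -> str:
    """Pull the account number out of an x-rh-identity header value.
    Assumes base64-encoded JSON shaped {"identity": {"account_number": "..."}}
    (an assumption, not stated in the thread). Missing or malformed input is
    rejected, so a request can never fall through to an unscoped query."""
    try:
        payload = json.loads(base64.b64decode(header_value, validate=True))
        account = payload["identity"]["account_number"]
    except (ValueError, KeyError, TypeError):
        raise PermissionError("missing or malformed identity header")
    if not isinstance(account, str) or not account:
        raise PermissionError("identity header carries no account number")
    return account

def list_hosts(header_value: str) -> List[Host]:
    """Return only hosts whose account matches the caller's account."""
    account = account_from_identity_header(header_value)
    return [h for h in HOSTS if h.account == account]

def get_host(header_value: str, host_id: str) -> Optional[Host]:
    """Lookup by id, still scoped to the caller's account: a real id from
    another account gives None, indistinguishable from an unknown id."""
    account = account_from_identity_header(header_value)
    return next((h for h in HOSTS if h.host_id == host_id and h.account == account), None)

def make_identity_header(account: str) -> str:
    """Constructed header value for local testing (not a real 3Scale header)."""
    body = json.dumps({"identity": {"account_number": account}}).encode()
    return base64.b64encode(body).decode()
```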
PaulWay avatar PaulWay commented on August 27, 2024

OK, so the API needs to supply the x-rh-identity header it gets from the 3Scales to the Inventory? Sure thing, can do.

See #42 for a twist on that :-)

lphiri avatar lphiri commented on August 27, 2024

@PaulWay @dehort I think most of this will become better structured and clearer once RBAC and app-to-service authentication is in place and better defined. The x-rh-identity header should be automatically inserted if the call is coming in from 3-Scale (i.e. from outside Openshift). For app-to-service communication, we likely will not use the x-rh-identity header for authentication in the future.

PaulWay avatar PaulWay commented on August 27, 2024

@lphiri That's what seems to have been implemented in the Inventory. Can you clarify what you're specifying there?

Glutexo avatar Glutexo commented on August 27, 2024

I'd also like to know how the authentication would work without the 3Scale identity header. How do we determine the account number?

jhjaggars avatar jhjaggars commented on August 27, 2024

Nothing has been decided, but the idea is that services will have principal information just like users and can be granted access to view information from one or more accounts (according to RBAC rules). At some point, the caller will need to be able to specify which account they care about in the query. In the short term, it makes sense to me for the edge application to forward the header since they are acting on behalf of a real user.
