RedHatInsights / insights-host-inventory

GNU General Public License v2.0

Return all hosts by account ID #21

Open PaulWay opened 5 years ago

PaulWay commented 5 years ago

The Inventory needs to be able to list all the hosts by a given account number.

jhjaggars commented 5 years ago

This should be supported with the account={int} query parameter.

PaulWay commented 5 years ago

Um, I can't see that described in the Swagger spec. I also don't see any code to support that in the getHostList handler and I don't see any 'getHostListByAccount' handler or similar.

Are you just generally asserting that the Inventory service should do that, or are you saying that it does and I've just missed it somewhere? :-)

PaulWay commented 5 years ago

It's also possible that this is just going to be supported by us handing over the x-rh-auth-identity header and letting the Inventory talk to the RBAC service to sort out which hosts we can see. If so, it'd be good to have some overrides so that e.g. we can query a customer's account if we need to sort out a problem.

PaulWay commented 5 years ago

Is there also any intent for the Inventory service to deny access to a host if it's requested by HostID but by a person not from that account? I.e. does the client have to specify both the HostID and account number in order to get the host, or will requesting a valid HostID give you that host regardless of which account the user requesting it is in?

dehort commented 5 years ago

It's also possible that this is just going to be supported by us handing over the x-rh-auth-identity header and letting the Inventory talk to the RBAC service to sort out which hosts we can see.

Yes, this is going to be supported by pulling the account number out of the identity header.

If so, it'd be good to have some overrides so that e.g. we can query a customer's account if we need to sort out a problem.

This is a feature we'll need to add later on. At this point, it is not clear to me how to securely allow for a "superuser" type of access with the current auth header checking.

dehort commented 5 years ago

Is there also any intent for the Inventory service to deny access to a host if it's requested by HostID but by a person not from that account? I.e. does the client have to specify both the HostID and account number in order to get the host, or will requesting a valid HostID give you that host regardless of which account the user requesting it is in?

Hosts will only be returned if their account matches the account number from the identity auth header.
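One way the account scoping dehort describes could be enforced, as an added example and not the project's own code. It assumes the x-rh-identity value is base64-encoded JSON carrying an identity.account_number field, and the host records are constructed; the account is taken from the header only, so a valid host id from another account is not found.

```python
import base64
import json
from typing import Optional

# Constructed sample host records, not data from the real Inventory service.
HOSTS = [
    {"id": "host-a1", "account": "100001", "display_name": "web01"},
    {"id": "host-a2", "account": "100001", "display_name": "db01"},
    {"id": "host-b1", "account": "200002", "display_name": "web02"},
]


def make_identity_header(account_number: str) -> str:
    """Build an x-rh-identity value (assumed layout: base64 of JSON)."""
    payload = {"identity": {"account_number": account_number, "type": "User"}}
    return base64.b64encode(json.dumps(payload).encode()).decode()


def account_from_identity_header(header: str) -> str:
    """Pull the account number out of the identity header; reject anything malformed."""
    try:
        data = json.loads(base64.b64decode(header))
        account = data["identity"]["account_number"]
    except (ValueError, KeyError, TypeError) as exc:
        raise PermissionError("invalid x-rh-identity header") from exc
    if not isinstance(account, str) or not account:
        raise PermissionError("identity header carries no account number")
    return account


def list_hosts(header: str) -> list:
    """Account comes from the header, never from a client-supplied query parameter."""
    account = account_from_identity_header(header)
    return [h for h in HOSTS if h["account"] == account]


def get_host(header: str, host_id: str) -> Optional[dict]:
    """A valid host id belonging to another account is treated as not found."""
    account = account_from_identity_header(header)
    for h in HOSTS:
        if h["id"] == host_id and h["account"] == account:
            return h
    return None
```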

PaulWay commented 5 years ago

OK, so the API needs to supply the x-rh-identity header it gets from 3Scale to the Inventory? Sure thing, can do.

See https://github.com/RedHatInsights/insights-host-inventory/issues/42 for a twist on that :-)

lphiri commented 5 years ago

@PaulWay @dehort I think most of this will become better structured and clearer once RBAC and app-to-service authentication is in place and better defined. The x-rh-identity header should be automatically inserted if the call is coming in from 3-Scale (i.e. from outside OpenShift). For app-to-service communication, we likely will not use the x-rh-identity header for authentication in the future.

PaulWay commented 5 years ago

@lphiri That's what seems to have been implemented in the Inventory. Can you clarify what you're specifying there?

Glutexo commented 5 years ago

I'd also like to know how the authentication would work without the 3Scale identity header. How do we determine the account number?

jhjaggars commented 5 years ago

Nothing has been decided, but the idea is that services will have principal information just like users and can be granted access to view information from one or more accounts (according to RBAC rules). At some point, the caller will need to be able to specify which account they care about in the query. In the short term, it makes sense to me for the edge application to forward the header since they are acting on behalf of a real user.

Glutexo commented 5 years ago

Like, if e.g. a Host Inventory service needs to query the Tagging service, it uses the identity header as-is to authenticate its requests to other services?
