Hi Ruwan,

I think sharing assets across tenants is something which is better solved at the Carbon User/Tenant level. This is going to be a valuable feature for AppM tenant sharing too.

Let's say Tenant A shares an asset with Tenant B, and say User A1 is authenticated to Tenant A. Then the security/access control mechanism in Carbon should do this:

1. User A1 -> Access Tenant Space B -> search for available assets.
2. Tenant Space B searches for assets which are granted to Tenant A.

The authenticated user will be given a Token (T1). When he accesses Tenant Space B, he will be given another Token T2 created from T1. This prevents spoofing inside Tenant B. Tenant B can at any time check the validity of the user A1 with the Token T2.

Optionally there can be role mapping between Tenant A and B roles, which will be done by the respective admins. (Communication between admins will be offline.) Then we would be able to restrict access based on roles/permissions too.

WDYT?

Cheers,
Ruwan

On Sun, Sep 20, 2015 at 7:34 AM, Bhathiya Jayasekara <[email protected]> wrote:
> Hi Ruwan,
>
> On Fri, Sep 18, 2015 at 5:12 AM, Ruwan Yatawara <[email protected]> wrote:
>> Hi All,
>>
>> This is to update everyone on the implementation we are in the process of doing to share the device types between tenants.
>>
>> *Objective:* A particular division of an organization (tenant) needs to be able to declare a device type in the platform that needs to be made available for other divisions of the organization (other tenants).
>>
>> Ayyoob has already done the changes in the CDMF layer to make the device types sharable between tenants (it is a matter of establishing a relationship via DB entries). But the problem arises when it comes to displaying these shared device types using the Enterprise Store, as it uses the registry to persist the RXT instances (as of now there is one RXT called DeviceType, and all the other device types that we declare happen to be instances of it).
>>
>> In the registry, each tenant's space is their own, and there does not exist a common location in the registry in which artifacts that need to be shared between tenants can be stored.
>>
>> Given the requirement and the current limitations, we are going to adopt an approach similar to the external stores feature [1] in APIM to share artifacts between tenants.
>>
>> Following this approach, basically if tenant foo.com needs to share his device types with bar.com, in foo.com's registry there would need to exist a file that contains credentials to bar.com's publisher component. So when foo.com wants to push a device type to bar.com, said device type will be added to bar.com's registry using the credentials provided earlier. In the device type that gets added it will be indicated that the provider is foo.com.
>>
>> This would solve the problem of sharing artifacts between specific tenants. However, sharing artifacts between all tenants is not possible with this scenario (not that it is not possible, but it's rather cumbersome).
>
> AFAIU, it's impossible rather than cumbersome, because you may not know about all the tenants. However, in any case, it is better to have another approach. So, how about using a common space in ST? You can access the ST registry by changing the tenant flow. If you have already considered this and thrown it away, I'd like to know the reason.
>
> Thanks,
> Bhathiya
>
>> Please feel free to share your thoughts on the matter.
>>
>> [1] - https://docs.wso2.com/display/AM180/Publish+to+multiple+external+API+stores
>>
>> Thanks and Regards,
>>
>> Ruwan Yatawara
>> Senior Software Engineer,
>> WSO2 Inc.
>> email : [email protected]
>> mobile : +94 77 9110413
>> blog : http://ruwansrants.blogspot.com/
>> www : http://wso2.com
>
> --
> *Bhathiya Jayasekara*
> *Senior Software Engineer,*
> *WSO2 inc., http://wso2.com*
> *Phone: +94715478185*
> *LinkedIn: http://www.linkedin.com/in/bhathiyaj*
> *Twitter: https://twitter.com/bhathiyax*
> *Blog: http://movingaheadblog.blogspot.com*

--
*Ruwan Abeykoon*
*Architect,*
*WSO2, Inc. http://wso2.com*
*lean.enterprise.middleware.*
email: [email protected]
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
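Added example, not code from this thread or from WSO2 Carbon: a sketch of the T1/T2 token flow proposed above, where T2 is minted only from a valid T1 and is bound to the target tenant so it is useless anywhere else. It assumes HMAC-signed tokens, a per-tenant key (`KEY_A`) and a pair key (`KEY_AB`) that the two tenant admins agreed on offline; all of these are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign(claims: dict, key: bytes) -> str:
    """Serialize claims and append an HMAC-SHA256 tag computed with `key`."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify(token: str, key: bytes, expected_aud: str, now=None):
    """Return the claims if the tag, audience and expiry all check out, else None."""
    try:
        body, tag = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time tag comparison
        return None
    claims = json.loads(_unb64(body))
    if claims.get("aud") != expected_aud or claims.get("exp", 0) <= (now or time.time()):
        return None
    return claims


def issue_t1(user: str, tenant: str, tenant_key: bytes, ttl: int = 3600) -> str:
    """T1: the token tenant A hands its own authenticated user (audience = tenant A)."""
    return sign({"sub": user, "iss": tenant, "aud": tenant, "exp": int(time.time()) + ttl}, tenant_key)


def derive_t2(t1: str, tenant_a: str, key_a: bytes, tenant_b: str, key_ab: bytes, ttl: int = 300):
    """T2: short-lived token bound to tenant B, minted only from a valid T1.
    Signed with key_ab, the pair key both admins agreed on offline (assumed), so tenant B
    can check it without ever seeing tenant A's own key."""
    claims = verify(t1, key_a, expected_aud=tenant_a)
    if claims is None:
        return None
    return sign({"sub": claims["sub"], "iss": tenant_a, "aud": tenant_b,
                 "parent": hashlib.sha256(t1.encode()).hexdigest()[:16],
                 "exp": int(time.time()) + ttl}, key_ab)
```

Presenting T1 directly to tenant B, or T2 to a third tenant, fails the audience check, which is the "prevents spoofing inside Tenant B" property the proposal relies on.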
