I agree with Ruwan's point that we should not keep credentials per tenant.
But passing tenantId as a query parameter to the API seems to be a security
concern. It gives any tenant holding a valid access token the capability to
access some other tenant's device list. One way that I could
think of to avoid this is to keep only the consumer/secret key in
app-manager.xml and generate the access token when the user logs in to the
store. On the API side, identify the user and tenant domain using the access
token and filter only the devices belonging to that tenant space. Again, this
won't be a good solution, since we need to use the password grant type, which
requires access to the user's password to get the access token at the time of
user login. So we are back to the per-tenant credential solution :).

Regards,
Dinusha.


On Fri, Jul 8, 2016 at 12:25 PM, Ruwan Abeykoon <[email protected]> wrote:

> Hi All,
> I think REST connector should have single endpoint. The rest call can have
> tenant ID in a header or as a request parameter. Then the API gateway(
> API-Manager) should be able to distinguish the respective endpoint if
> necessary. This is a functionality of APIM.
>
> The reasons are,
> 1. REST connector request/response will not be change at all between
> tenants
> 2. It is not needed to maintain credentials per tenant in AppM side.
>
> -1 on having configuration per tenant wise even in registry.
> I do not agree with the JIRA.
>
> Cheers,
> Ruwan
>
> On Fri, Jul 8, 2016 at 11:38 AM, Dinusha Senanayaka <[email protected]>
> wrote:
>
>> Hi Sajith,
>>
>> We could not keep each and every tenant authentication configuration in
>> app-manager.xml, due to dynamic nature of tenant creation and the growth.
>>
>> appmgt.mdm.rest.connector is the default connector that we provided to
>> connect with WSO2EMM. We could keep its configurations in the registry.
>> Also I don't think at least 1% of the requirements will come to use
>> specific connector other than using default connectors provided by us (EMM).
>>
>> Regards,
>> Dinusha.
>>
>> On Fri, Jul 8, 2016 at 11:22 AM, Sajith Abeywardhana <[email protected]>
>> wrote:
>>
>>> Hi All,
>>>
>>>> EMM supports multi-tenancy it is designed to work with one instance of
>>>> App Manager via OSGI services. When they work together they function as one
>>>> product, hence EMM and App Manager share same tenants across the multi
>>>> tenanted environment.
>>>>
>>>
>>> This means we don't need to keep the tenant config when we are
>>> connecting using OSGi service.
>>>
>>>
>>>> This is a special scenario where AppM connects to EMM via EMM REST
>>>> APIs. According to how we have developed the plugin tenant admin and
>>>> password needs to be stored in the plugin configuration. This is a
>>>> plugin specific configuration, therefore, the plugin developer has
>>>> flexibility to store those configurations in any way he prefers.
>>>>
>>>
>>> When we are connecting using the REST connector we need to have a tenant
>>> config on the AppM side. How about we keep those tenant configs in
>>> app-manager.xml as below?
>>>
>>>         <MDMProperties>
>>>
>>>             <MDM name="WSO2MDM" bundle="org.wso2.carbon.appmgt.mdm.restconnector">
>>>                 <Property name="ImageURL">/store/extensions/assets/mobileapp/resources/models/%s.png</Property>
>>>                 <Property name="ServerURL">https://localhost:9450/mdm-admin</Property>
>>>                 <Property name="TokenApiURL">https://localhost:9448/oauth2/token</Property>
>>>                 <Property name="ClientKey">WjLm24IxBVLF0oz0VJfmtJbjJbka</Property>
>>>                 <Property name="ClientSecret">v3KkIQXkJ1SDp_Bf8uUQxu5p7TQa</Property>
>>>                 <Property name="Tenants">hr.com,eng.com,mrk.com</Property>
>>>             </MDM>
>>>
>>>             <MDM name="WSO2MDM_INTERNAL" bundle="org.wso2.carbon.appmgt.mdm.osgiconnector">
>>>                 <Property name="ImageURL">/store/extensions/assets/mobileapp/resources/models/%s.png</Property>
>>>             </MDM>
>>>
>>>             <Tenants>
>>>                 <Tenant name="hr.com">
>>>                     <Property name="AuthUser">hradmin</Property>
>>>                     <Property name="AuthPass">hr.123</Property>
>>>                 </Tenant>
>>>                 <Tenant name="eng.com">
>>>                     <Property name="AuthUser">engadmin</Property>
>>>                     <Property name="AuthPass">eng.123</Property>
>>>                 </Tenant>
>>>                 <Tenant name="mrk.com">
>>>                     <Property name="AuthUser">mrkadmin</Property>
>>>                     <Property name="AuthPass">eng.123</Property>
>>>                 </Tenant>
>>>             </Tenants>
>>>
>>>         </MDMProperties>
>>>
>>>
>>>
>>> --
>>> *Sajith Abeywardhana* | Software Engineer
>>> WSO2, Inc | lean. enterprise. middleware.
>>> #20, Palm Grove, Colombo 03, Sri Lanka.
>>> Mobile: +94772260485
>>> Email: [email protected] | Web: www.wso2.com
>>>
>>>
>>> On Tue, Jul 5, 2016 at 12:01 PM, Chathura Dilan <[email protected]>
>>> wrote:
>>>
>>>> Hi Dinusha,
>>>>
>>>> EMM supports multi-tenancy it is designed to work with one instance of
>>>> App Manager via OSGI services. When they work together they function as one
>>>> product, hence EMM and App Manager share same tenants across the multi
>>>> tenanted environment.
>>>>
>>>
>>>> This is a special scenario where AppM connects to EMM via EMM REST
>>>> APIs. According to how we have developed the plugin tenant admin and
>>>> password needs to be stored in the plugin configuration. This is a
>>>> plugin specific configuration, therefore, the plugin developer has
>>>> flexibility to store those configurations in any way he prefers.
>>>>
>>>> When it comes to multi tenancy, +1 we have to store those
>>>> configurations in the registry for the REST connector plugin. But how we
>>>> store those values is plugin specific.
>>>>
>>>>
>>>> On Tue, Jul 5, 2016 at 10:51 AM, Dinusha Senanayaka <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi Chathura,
>>>>>
>>>>> Is multi-tenancy supported in EMM for device management? If yes, we
>>>>> need to fix [1] as well, which means we cannot keep this configuration in
>>>>> the app-manager.xml. Need to take it to registry.
>>>>>
>>>>> [1] https://wso2.org/jira/browse/APPM-1160
>>>>>
>>>>> Regards,
>>>>> Dinusha.
>>>>>
>>>>> --
>>>>> Dinusha Dilrukshi
>>>>> Associate Technical Lead
>>>>> WSO2 Inc.: http://wso2.com/
>>>>> Mobile: +94725255071
>>>>> Blog: http://dinushasblog.blogspot.com/
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Regards,
>>>>
>>>> Chatura Dilan Perera
>>>> *Associate Tech Lead** - WSO2 Inc.*
>>>> www.dilan.me
>>>>
>>>
>>>
>>>
>>>
>>
>>
>> --
>> Dinusha Dilrukshi
>> Associate Technical Lead
>> WSO2 Inc.: http://wso2.com/
>> Mobile: +94725255071
>> Blog: http://dinushasblog.blogspot.com/
>>
>> _______________________________________________
>> Dev mailing list
>> [email protected]
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>
>
> --
>
> *Ruwan Abeykoon*
> *Associate Director/Architect**,*
> *WSO2, Inc. http://wso2.com <http://wso2.com/> *
> *lean.enterprise.middleware.*
>
> email: [email protected]
>



-- 
Dinusha Dilrukshi
Associate Technical Lead
WSO2 Inc.: http://wso2.com/
Mobile: +94725255071
Blog: http://dinushasblog.blogspot.com/
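
The tenantId concern raised at the top of this thread, as an added example that is not part of the original messages or WSO2 code: a device-list handler that trusts a tenantId parameter next to one that derives the tenant from the access token. The token table, device inventory and all function names are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TokenInfo:
    user: str
    tenant_domain: str


# Constructed sample data standing in for token introspection results
# and the device inventory; not taken from any real deployment.
TOKENS = {
    "tok-hr": TokenInfo("hradmin", "hr.com"),
    "tok-eng": TokenInfo("engadmin", "eng.com"),
}
DEVICES = [
    {"id": "d1", "tenant": "hr.com"},
    {"id": "d2", "tenant": "eng.com"},
    {"id": "d3", "tenant": "eng.com"},
]


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the requested data."""


def introspect(token):
    """Resolve an access token to the user and tenant it was issued for."""
    info = TOKENS.get(token)
    if info is None:
        raise Forbidden("invalid or expired access token")
    return info


def list_devices_param_trusting(token, tenant_id):
    """Weak form: the token is only checked for validity, so any tenant
    with a valid token can name another tenant in the parameter."""
    introspect(token)
    return [d["id"] for d in DEVICES if d["tenant"] == tenant_id]


def list_devices_token_bound(token, tenant_id=None):
    """Hardened form: the tenant comes from the token; a parameter that
    disagrees with it is rejected instead of silently honoured."""
    info = introspect(token)
    if tenant_id is not None and tenant_id != info.tenant_domain:
        raise Forbidden("tenantId does not match the token's tenant")
    return [d["id"] for d in DEVICES if d["tenant"] == info.tenant_domain]
```
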