Re: [abacus] Usage processing authorization, was: Usage submission authorization

Home Messages Hashtags Subgroups

#2207

Re: [abacus] Usage processing authorization, was: Usage submission authorization

Jean-Sebastien Delfino #2207 That way we can also avoid scenarios where a resource provider submitting usage to an intermediate step in the pipeline. That's a great point, had not thought about that... So now with that we'll have a clear delineation between usage submission from a resource provider and its processing inside the Abacus pipeline. - Jean-Sebastien On Fri, Oct 9, 2015 at 5:05 PM, Saravanakumar A Srinivasan < sasrin(a)us.ibm.com> wrote: So, I'm wondering if it still makes sense to use the resource provider's token inside our asynchronous usage processing pipeline. Shouldn't we require the individual processing steps to obtain their own tokens instead? Initial thought was to use resource provider's token for real time processing and for error and recovery or delayed processing scenarios we wanted to use our own token. I agree with your comments on the possibility of running into issues when we use the resource providers' token while doing slightly delayed processing. So will update the implementation to use our own token at processing pipeline. That way we can also avoid scenarios where a resource provider submitting usage to an intermediate step in the pipeline. Thanks, Saravanakumar Srinivasan (Assk), -----Jean-Sebastien Delfino <jsdelfino(a)gmail.com> wrote: ----- To: "Discussions about Cloud Foundry projects and the system overall." < cf-dev(a)lists.cloudfoundry.org> From: Jean-Sebastien Delfino <jsdelfino(a)gmail.com> Date: 10/08/2015 10:30AM Subject: [cf-dev] Re: Re: Re: [abacus] Usage processing authorization, was: Usage submission authorization OK that confirms what I thought. Thanks! Assk, any thoughts as well? Did that make sense to you? -- Jean-Sebastien On Wed, Oct 7, 2015 at 6:09 PM, Piotr Przybylski <piotrp(a)us.ibm.com> wrote: Sebastien So, I'm wondering if it still makes sense to use the resource provider's token inside our asynchronous usage processing pipeline. Shouldn't we require the individual processing steps to obtain their own tokens instead? It seems natural that the Abacus should use its own token - or tokens to authenticate and authorize steps in the pipeline. After the submission Abacus 'takes custody' of the submitted data so it should be solely responsible for authrizing its processing. Piotr Piotr Przybylski \| IBM Bluemix \| piotrp(a)us.ibm.com \| 650-645-8213 [image: Inactive hide details for Jean-Sebastien Delfino ---10/07/2015 09:21:05 AM---Hi all, A few more thoughts on a different, but re]Jean-Sebastien Delfino ---10/07/2015 09:21:05 AM---Hi all, A few more thoughts on a different, but related subject. From: Jean-Sebastien Delfino <jsdelfino(a)gmail.com> To: "Discussions about Cloud Foundry projects and the system overall." < cf-dev(a)lists.cloudfoundry.org> Date: 10/07/2015 09:21 AM Subject: [cf-dev] Re: [abacus] Usage processing authorization, was: Usage submission authorization ------------------------------ Hi all, A few more thoughts on a different, but related subject. We're using the resource provider's token and scopes to authorize usage submission to our usage collector service. I agree with that and have confirmed it in my answer to Piotr's question below. It also looks like we're using the resource provider's token as well to flow usage data through our usage processing pipeline (after we've authorized the usage submission, validated that usage and taken responsibility for it). I'm wondering if we couldn't find a better approach, as we will run into a number of issues with this: - processing delays in the pipeline can cause the token to expire, at that point the resource provider is out of the loop, can't do anything about it, and it won't make much sense anyway to ask the resource provider for a new token way after it has submitted its usage; - when restarting an Abacus service and recovering after a processing interruption, we don't have a valid resource provider token either; - more generally, I find a bit odd to use the resource provider's token in usage processing steps down the Abacus pipeline, as they're really just processing usage passed to them by the previous Abacus processing step (or could have just read that usage from one of our usage DBs, and again the resource provider wouldn't be so relevant as it wouldn't even have written that usage to that DB itself.) So, I'm wondering if it still makes sense to use the resource provider's token inside our asynchronous usage processing pipeline. Shouldn't we require the individual processing steps to obtain their own tokens instead? Thoughts? -- Jean-Sebastien On Tue, Oct 6, 2015 at 10:36 PM, Jean-Sebastien Delfino < jsdelfino(a)gmail.com <jsdelfino(a)gmail.com>> wrote: Hi Piotr, > what kind of authorization is required to submit usage to Abacus ? > Is the oauth token used for submission [1] required to have particular scope, specific to resource or resource provider ? A resource provider is expected to present an OAuth token with the usage it submits for a (service or runtime) resource. That OAuth token should include: - a user id uniquely identifying that resource provider; - an OAuth scope named like abacus.usage.<resource_id>.write. The precise naming syntax for that scope may still evolve in the next few days as we progress with the implementation of user story 101703426 [1]. > Is there a different scope required to submit runtimes usage (like cf bridge) versus other services or its possible to use single scope for all the submissions I'd like to handle runtimes and services consistently as they're basically just different types of resources, i.e. one scope per 'service' resource, one scope per 'runtime' resource. We're still working on the detailed design and implementation, but I'm not sure we'd want to share scopes across (service and runtime) resource providers as that'd allow a resource provider to submit usage for resources owned by another... @assk / @sasrin, anything I missed? Thoughts? -- Jean-Sebastien On Tue, Oct 6, 2015 at 6:29 PM, Piotr Przybylski <piotrp(a)us.ibm.com <piotrp(a)us.ibm.com>> wrote: Hi, what kind of authorization is required to submit usage to Abacus ? Is the oauth token used for submission [1] required to have particular scope, specific to resource or resource provider ? Is there a different scope required to submit runtimes usage (like cf bridge) versus other services or its possible to use single scope for all the submissions ? [1] - https://www.pivotaltracker.com/story/show/101703426 <https://www.pivotaltracker.com/story/show/101703426> Piotr attachment.html
More All Messages By This Member

View All 5 Messages In Topic

#2207

Join cf-dev@lists.cloudfoundry.org to automatically receive all group messages.

Home Hashtags Subgroups Terms