feature/VONK-7767: Add information about changes to multi-tenancy #605
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cknaap
requested changes
Jan 7, 2025
features_and_tools/multi-tenancy.rst
Outdated
Comment on lines
78
to
89
| :TenantHeader: The name of the HTTP header to read the tenant from. This is only evaluated if ``AllowTenantFromHeader`` is set to ``true``. | ||
| :TenantClaim: The name of the claim in the authorization token to read the tenant from. This is only evaluated if ``AllowTenantFromClaim`` is set to ``true``. | ||
| :TenantLabelSystem: The value of the ``meta.security.system`` element to use for the tenant security label. You can only choose this once. | ||
| :AllowTenantFromHeader: The tenant may be specified with an HTTP header, with the name specified in ``TenantHeader``. | ||
| :AllowTenantFromClaim: The tenant may be specified with a claim in the authorization token, with the name specified in ``TenantClaim``. | ||
| :RemoveTenantLabelFromResponse: The label will be removed from the resource by default, but this behaviour can be disabled if this option is set to ``false``. | ||
| :ResourceAccess: This structure allows to define set of conditional logic that will be applied to each request. | ||
| :ResourceAccess:Priority: This value will be used to choose most important logic entry if multiple entries would match the request. | ||
| :ResourceAccess:Tenant: This value specifies whether the tenant is required to be specified when accessing the resource. It has to be either ``Required`` or ``Shared``. | ||
| :ResourceAccess:Profiles: This value specifies a list of ``meta.profile`` values to look for in the resource. The resource should have at least one of those values. | ||
| :ResourceAccess:ResourceTypes: This value specifies a list of resources this configuration will be applicable to. When left empty, it is assumed to be not constrained. | ||
| :ResourceAccess:Filter: This value specifies a filter that resources must fulfill. |
There was a problem hiding this comment.
This gets ugly to read. I suggest a nested list:
Suggested change
| :TenantHeader: The name of the HTTP header to read the tenant from. This is only evaluated if ``AllowTenantFromHeader`` is set to ``true``. | |
| :TenantClaim: The name of the claim in the authorization token to read the tenant from. This is only evaluated if ``AllowTenantFromClaim`` is set to ``true``. | |
| :TenantLabelSystem: The value of the ``meta.security.system`` element to use for the tenant security label. You can only choose this once. | |
| :AllowTenantFromHeader: The tenant may be specified with an HTTP header, with the name specified in ``TenantHeader``. | |
| :AllowTenantFromClaim: The tenant may be specified with a claim in the authorization token, with the name specified in ``TenantClaim``. | |
| :RemoveTenantLabelFromResponse: The label will be removed from the resource by default, but this behaviour can be disabled if this option is set to ``false``. | |
| :ResourceAccess: This structure allows to define set of conditional logic that will be applied to each request. | |
| :ResourceAccess:Priority: This value will be used to choose most important logic entry if multiple entries would match the request. | |
| :ResourceAccess:Tenant: This value specifies whether the tenant is required to be specified when accessing the resource. It has to be either ``Required`` or ``Shared``. | |
| :ResourceAccess:Profiles: This value specifies a list of ``meta.profile`` values to look for in the resource. The resource should have at least one of those values. | |
| :ResourceAccess:ResourceTypes: This value specifies a list of resources this configuration will be applicable to. When left empty, it is assumed to be not constrained. | |
| :ResourceAccess:Filter: This value specifies a filter that resources must fulfill. | |
| - TenantHeader: The name of the HTTP header to read the tenant from. This is only evaluated if ``AllowTenantFromHeader`` is set to ``true``. | |
| - TenantClaim: The name of the claim in the authorization token to read the tenant from. This is only evaluated if ``AllowTenantFromClaim`` is set to ``true``. | |
| - TenantLabelSystem: The value of the ``meta.security.system`` element to use for the tenant security label. You can only choose this once. | |
| - AllowTenantFromHeader: The tenant may be specified with an HTTP header, with the name specified in ``TenantHeader``. | |
| - AllowTenantFromClaim: The tenant may be specified with a claim in the authorization token, with the name specified in ``TenantClaim``. | |
| - RemoveTenantLabelFromResponse: The label will be removed from the resource by default, but this behaviour can be disabled if this option is set to ``false``. | |
| - ResourceAccess: This structure allows to define set of conditional logic that will be applied to each request. | |
| - Priority: This value will be used to choose most important logic entry if multiple entries would match the request. | |
| - Tenant: This value specifies whether the tenant is required to be specified when accessing the resource. It has to be either ``Required`` or ``Shared``. | |
| - Profiles: This value specifies a list of ``meta.profile`` values to look for in the resource. The resource should have at least one of those values. | |
| - ResourceTypes: This value specifies a list of resources this configuration will be applicable to. When left empty, it is assumed to be not constrained. | |
| - Filter: This value specifies a filter that resources must fulfill. |
There was a problem hiding this comment.
As we discussed, since it's no longer strictly under tenancy, I made it into its own page and kept this one as is :)
features_and_tools/multi-tenancy.rst
Outdated
| :ResourceAccess:Priority: This value will be used to choose most important logic entry if multiple entries would match the request. | ||
| :ResourceAccess:Tenant: This value specifies whether the tenant is required to be specified when accessing the resource. It has to be either ``Required`` or ``Shared``. | ||
| :ResourceAccess:Profiles: This value specifies a list of ``meta.profile`` values to look for in the resource. The resource should have at least one of those values. | ||
| :ResourceAccess:ResourceTypes: This value specifies a list of resources this configuration will be applicable to. When left empty, it is assumed to be not constrained. |
There was a problem hiding this comment.
Suggested change
| :ResourceAccess:ResourceTypes: This value specifies a list of resources this configuration will be applicable to. When left empty, it is assumed to be not constrained. | |
| :ResourceAccess:ResourceTypes: This value specifies a list of resource types this configuration will be applicable to. When left empty, it is assumed to be not constrained. |
- 'resources' and 'resource types' are casually confused, but as FHIR pro's we should not do that. A 'resource' is an instance.
- I assume you update this based on our discussed meaning of an empty array (i.e.: nothing matches).
cknaap
requested changes
Jan 13, 2025
There was a problem hiding this comment.
It looks like this comment was not processed yet.
Some of this PR can only be finished after further refinement of VONK-6902
features_and_tools/multi-tenancy.rst
Outdated
| }, | ||
|
|
||
| :TenantHeader: The name of the HTTP header to read the tenant from. This is only evaluated if ``AllowTenantFromHeader`` is set to ``true``. | ||
| :TenantClaim: The name of the claim in the authorization token to read the tenant from. This is only evaluated if ``AllowTenantFromClaim`` is set to ``true``. | ||
| :TenantLabelSystem: The value of the ``meta.security.system`` element to use for the tenant security label. You can only choose this once. | ||
| :AllowTenantFromHeader: The tenant may be specified with an HTTP header, with the name specified in ``TenantHeader``. | ||
| :AllowTenantFromClaim: The tenant may be specified with a claim in the authorization token, with the name specified in ``TenantClaim``. | ||
| :RemoveTenantLabelFromResponse: The label will be removed from the resource by default, but this behaviour can be disabled if this option is set to ``false``. | ||
| :ResourceAccess:Filter: This value specifies a filter that resources must fulfill. |
There was a problem hiding this comment.
ResourceAccess is now a new top-level configuration entry, right. So I think it should be removed here altogether?
There was a problem hiding this comment.
Indeed, missed a line.
| :Priority: Will be used to choose most important logic entry if multiple entries would match the request. | ||
| :Tenant: Specifies if the tenant is required to be specified when accessing the resource, or should we use internally a ``shared`` tenant. It has to be either ``Required`` or ``Shared``. | ||
| :Authorization: Specifies if the authorization is required when accessing the resource. It has to be either ``Required`` or ``None``. | ||
| :Filter: Specifies a filter that resources must fulfill. |
There was a problem hiding this comment.
Reading this I certainly think that we need some additional refinement.
The first part is handled with a warning above tenancy implications, not sure how well the second part fits being described in multi-tenancy? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.