stratos-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dale Chalfant <>
Subject RE: Is there a way for the super tenant to subscribe a tenant to a service (on behalf of the tenant user)
Date Mon, 18 Aug 2014 11:53:28 GMT
I concur.

From: Nirmal Fernando []
Sent: Monday, August 18, 2014 4:42 AM
To: dev
Subject: Re: Is there a way for the super tenant to subscribe a tenant to a service (on behalf
of the tenant user)

I tend to agree with Amila. These are real world requirements and I think right approach is
to control these high security features based on a permission model.

On Mon, Aug 18, 2014 at 2:06 PM, Amila Maha Arachchi <<>>
I dont agree. Following are my reasons:

1. At the moment only a tenant can subscribe to a service. This has to be done by signing
in to the Stratos manager UI or invoking a rest API. But, Apache Stratos is a PaaS framework.
So, if someone wants to setup a PaaS with Stratos, he should be able to provision services
for tenants without the tenant needing to do it by themselves. For example, if I decide to
setup something like AWS, I will create my own UI. In such an application, I would not want
to expose terms such as tenants, subscription, topology etc. to the users and I might want
to do it on behalf of them. At the moment, I cannot subscribe a tenant user to a service without
knowing his/her credentials. Isn't this a valid requirement?

2. Also assume that I have the above mentioned AWS like application setup and running. There
are users subscribed to services. Assume this to be a paid service and I want to terminate
the subscription of users who has not paid the bill on time. Do I have way to do this?

There are few other reasons such as the vendor having the control in a PaaS etc.



On Fri, Aug 15, 2014 at 7:00 PM, Imesh Gunaratne <<>>

Yes what Pradeep has pointed out is true, this has been done by design. Super tenant cannot
perform operations in tenant space.


On Fri, Aug 15, 2014 at 8:05 AM, Pradeep Fernando <<>>

Adding to that, i sense something wrong with above requirement. tenant is the isolation unit
we use. So other tenants (even the super tenant) should not play around with my tenant space.
(after the initial tenant admin creation, super tenant work is done IIUC)

Tenant admin can do the above operations i guess..

just a thought.


On Fri, Aug 15, 2014 at 4:19 AM, Isuru Haththotuwa <<>>
Hi Amila,
Sorry for the delayed response. In the current implementation, this is not supported.

On Wed, Aug 13, 2014 at 5:34 PM, Amila Maha Arachchi <<>>
Hi Devs,

AFAIU, at the moment when subscribe to a service (via the REST api), we need to provide the
tenant user's credentials.

Following is a sample rest call:
curl -X POST -H "Content-Type: application/json" -d @subscribe.json -k -v -u username@tenantdomain:password

Following is a sample payload.

    "cartridgeType": "appserver",
    "alias": "appservermyorg2",
    "repoURL": "",
    "privateRepo": "true",
    "repoUsername": "gituser",
    "repoPassword": "xxxxxxxxx",
    "commitsEnabled": "true",
    "autoscalePolicy": "stratos_autoscale",
    "deploymentPolicy": "stratos_deployment"

Can I subscribe a tenant on behalf of him/her by giving super admin credentials?

Amila Maharachchi
Senior Technical Lead
WSO2, Inc.;<>

Mobile: +94719371446

Thanks and Regards,

Isuru H.


+94 716 358 048<tel:%2B94719371446>

Pradeep Fernando.

Imesh Gunaratne

Technical Lead, WSO2
Committer & PPMC Member, Apache Stratos

Amila Maharachchi
Senior Technical Lead
WSO2, Inc.;<>

Mobile: +94719371446<tel:%2B94719371446>

Best Regards,

Nirmal Fernando.
PPMC Member & Committer of Apache Stratos,
Senior Software Engineer, WSO2 Inc.

View raw message