On 07/29/2011 03:09 PM, Hugh Brock wrote:
Hello all.
We've had a lot of good discussion on the Aeolus list [1] about authorization and identity lately, and also about the intersection points of Aeolus and Katello. However I have been slow (sorry!) to suggest and update the requirements and user stories for this integration, and that has left folks asking a lot of questions about the features that are affected by that integration, in particular:
We will eventually need a UI for creating and managing templates, assemblies, and deployables -- where's that gonna go?
Precisely which components have to talk to each other securely in a system where Katello and Conductor work together?
Is there a need for an independent permission system in the Warehouse? What about an independent identity system?
One of the very cool features VCloud has is the ability to take a bunch of applications -- really, VM templates -- and put them in a "Catalog" that an admin can grant or revoke permission on for a set of users. The virtue of the catalog is that it gives admins an easy way to manage, say, "all the financial apps that are approved for production," or "the apps that are in testing this week." We need something like this for Aeolus, but how does it work exactly, and which part of the system owns it?
I've been in a lot of meetings this week where we talked about these questions, so I'm going to propose some answers here based on that. There are a ton of unanswered questions as well, and I'm hopeful that Aeolus and Katello folks can help answer them here.
(Katello folks, apologies for dumping a mostly-aeolus-centered design doc into your midst, but I thought you guys might want to know what we're thinking about too. Please feel free to comment on either or both lists.)
- Template design and management
=================================
(By "Template," I mean "Image templates, assembly definitions, and deployable definitions")
We've had quite a bit of early user feedback asking, in no uncertain terms, for a nice GUI to let users define templates. We removed our nascent template definition UI from Conductor for the 0.3.0 release because it didn't feel right there, which I continue to think was the right idea, but there is clearly a need for such a GUI to exist somewhere.
Fortunately, there is another project very close to Aeolus called Katello [2]. Katello's mission in life is allowing users to define bare-metal systems and manage their access to the software that should be provisioned on those systems. As such, it has as a core feature providing a UI for creating "System templates."
I believe, and I think the Katello folks agree, that Katello users would benefit from being able to use it to define systems that will run in the cloud, as well as bare-metal systems. From there it's not a big leap to say that Katello users will want to define the entire range of templates that Aeolus can use and understand -- image templates, for stuff that gets built pre-boot; system templates (Katello) or assemblies (Audrey), for stuff that happens to a system post-boot; and application templates (Katello) or deployables (Audrey) for hooking systems together post-boot.
Note that the last of these things -- application templates -- are also really useful for the bare-metal world. Given a set of system templates, and the ability to specify a set of systems that work together, it's not a big stretch to think that Katello users will want a way to provision and launch that set of systems -- an application -- either on a set of bare-metal machines, *or* in a cloud provided by Conductor.
Of course, it will be some time before the Katello folks can design and build the whole UI for managing all three kinds of Aeolus templates and their interactions and dependencies. However, we don't have to wait for that to happen before we can start thinking about making Conductor and Katello work together. For release 0.4.0, I would think we could get by with the following features:
Katello provides an API that, given a user Katello knows about, will return all the Katello system templates that user has permission to see. (Note that templates in Katello are grouped by "environment," and that a user can have permission on more than one environment, so we'll have to deal with that hierarchy in the API somehow.)
The Aeolus team builds a UI piece in or next to Conductor will allow the user to:
map those templates to a catalog (more about this later)
map non-Katello templates (assemblies/deployables) to a catalog. For now this could be pretty much the same mechanism that our "Suggested Deployable" UI uses now -- store a URL of a deployable to use
Another UI piece, in or next to Conductor, will allow a user to:
map a catalog to a pool
check to see if the templates in that catalog have been built into images that have been pushed to the cloud provider accounts that the pool has access to
ask the Image Factory to build and push any templates that have *not* been built in the available accounts
display the status of the build(s)
Hugh... can you map out 2 stories and a proposed set of api calls? I am thinking the following:
1) As a user, I build a template and would like to have it launched in the cloud.
2) As a user, I am building out a catalog and launch it.
I am thinking something along the lines of story (2) at
Somewhere in this process a translation step between the Katello system template and the Factory image template will need to happen. I don't particularly care where that step is. And it's important to note that eventually we will be passing Katello image templates to Factory, not Katello system templates -- hacking up the system template to get an image definition out of it is a temporary first step.
I also think that in general, we should not be importing the actual template into a catalog, but rather just importing a reference to it so that we don't have duplicate copies of templates floating around. I'm willing to be argued out of this however.
Some folks I talked to on the Katello side wondered if they should be able to tell something on the Aeolus side "Build this thing right now." I'm willing to say Conductor should provide a convenience API to do this, but it's important to note that Katello would need to be able to tell Conductor what pool (and hence what cloud providers) it wants the image built for, and provide a user who is authorized to push images to those providers.
(One thing I notice as I write this is that we are going to need to pass user identity around fairly soon to accomplish this, which makes me think a central identity store is probably a firmer requirement for 0.4.0 than I initially thought.)
So if we take the above feature list as "good enough" for 0.4.0, what does that tell us about who needs to talk to whom?
- Secured communications
=========================
I said above that we will have some UI in a catalog manager that hits a Katello API to retrieve all the system templates a user is allowed to see. For that to work, we're going to need to be able to give Katello a user; and for that to work, we're going to need a common identity store. Whether any of it is encrypted or not for this go-round is not terribly important I don't think, although of course it will have to be for production.
I also said that the catalog manager will need to ask the Factory to build images for a set of cloud provider accounts. So there is going to have to be a channel to do that. However, I do not see anywhere here a user story that would require the catalog manager to act *on behalf of a user*; Conductor has already checked to see if the building user is allowed to build and push to the set of cloud provider accounts for the given pool. So I don't think the Factory needs to know anything about identity -- and, in fact, I don't think it really matters if non-Conductor users call the Factory and ask it to do stuff. Without the cloud provider account credentials, which are locked up in Conductor, there shouldn't be anything the user can do with the Factory that is harmful.
Finally, I implied (without really saying so) that Conductor, or the catalog manager wherever that lives, needs to read information about the state of images from the warehouse, and push images to the warehouse. This means there will need to be a channel between the catalog manager and the Warehouse. However, I do not see anywhere here a user story that would require the catalog manager to talk to the Warehouse *on behalf of a user* - the ability to push, update, or launch images is all governed by Conductor's control of the cloud provider account credentials, so I don't think there is any reason for the Warehouse to have a notion of images belonging to users, or any understanding of user identity. Note that THIS IS A BIG CHANGE from what I and others have said in the past, but it does simplify what we have to do in the short term quite a bit.
I believe the remaining secured communications -- between Conductor and Deltacloud, Conductor and Audrey, etc. -- are well enough understood that I don't have to discuss them here.
So, to sum up:
Conductor (and its catalog manager) and Katello need to share user identity, and fairly soon
Conductor and Factory and Warehouse do not need to share user identity
In fact, Conductor and Katello are the *only* two components in this system that need to share identity.
I realize I've just answered my third question above, about whether the Warehouse needs to know anything about authentication or authorization. I believe the answer is no.
I think we can live with shared username space for now. If we can assume a default LDAP tree, we should be ok.
-- bk