Change automate methods to communicate via REST API #44
Comments
|
The preamble is currently cut and pasted into a customer's scripts.
We (always?) pass the requesting/effective user to automate. This is needed for tenancy. One thing to keep in mind. When a user does not have privileges to perform an operation, the user makes a request from automate to perform the operation on their behalf. So it is essentially a mechanism to escalated privileges. So ignoring the fact that we don't have the user's password, we also don't properly establish the escalated user's identity when running automate methods. UPDATE: not positive this is the intent of automate. |
Oh that's really interesting. |
|
This issue has been automatically marked as stale because it has not been updated for at least 6 months. If you can still reproduce this issue on the current release or on Thank you for all your contributions! |
|
For Ansible Playbooks we have enhanced the REST-API to allow access to the Automate Workspace. The engine creates a token and passes the token to the Ansible Playbook as an extra var which can be used by the playbook to connect to our REST API and access the workspace, update the workspace and also pass back updates to the workspace. |
OverviewWhen an automate method is called, a workspace ( drb spawns a child process and the child process obtains a drb reference to the Again: All manageiq provided services are provided from within the server process, accessible via GoalGetting away from relying upon drb needs 2 steps:
Benefits:
AccessThe client will be able to perform some functionality without the server. These methods will be moved into the child process.
Concepts needed:
SpawnWe currently have a number of ways of invoking automate.
Also there are a number of templates to invoke:
|
Much of this was discussed at the ManageIQ design summit for Botvinnik. However, @mkanoor and I recently sat down and brainstormed our way through many of the larger problems, and we think we've come to a cleaner design.
There may be more things I'm not thinking of, but I just wanted to start getting this information out there. Let's keep this document updated as we find more issues and/or come up with more ways to solve them.
Automate currently runs methods by
This causes a number of problems and headaches, which may be able to be addressed by moving to a REST API based implementation. Some notable issues:
DRb requires server side object management so that the server doesn't garbage collect objects in use by the client. This is a huge headache which will just go away with REST.
Every time we add a new object or method we must manually expose it via automate. This is prone to error. This would instead become an exercise in exposing via the REST API, which in nearly all cases should be done anyway.
DRb is used to handle interactions with the automate workspace, which is in the server's memory, from the client. This can be handled by dumping the workspace into some format like JSON or YAML, and passing it on STDIN into the launched process.
The automate method preamble would take STDIN and hold it in memory, lazy loading it on first access. If the method needs to modify the workspace, then it can be modified.
$evmwould no longer be special and can just be a simple object defined in the preamble that has the knowledge of manipulating the workspace in this manner.$evm.logcould even just write directly to the log in question or could write to STDOUT.In the postamble we will dump the workspace to STDOUT. In order to prevent collision with user usage of STDOUT, we can prefix the dump with some sort of delimiter (e.g.
"=" * 80). STDERR can be used to transfer any exception, or perhaps that becomes part of the workspace that's dumped into STDOUT. Again, a delimiter might be necessary.The server, when it detects that the child process has completed, will read from the STDOUT of the child process, find the last delimiter, and process the workspace back into memory, if changed.
There may be optimizations here to prevent unnecessarily dumping and loading the workspace.
DRb is also used for database interaction. The database interaction that is currently done via service models, can be done completely through the REST API. A Ruby gem needs to be created from the cfme_client code, which additionally has more of an OO design. (I'll call it manageiq_client for reference). Once that's available, then the
$evm.vmdbcan just be a front for accessing those objects from the manageiq_client gem. We could even deprecate$evm.vmdbin favor of having the automate methods use the normal manageiq_client gem directly.For example, currently
$evm.vmdb["vm", 21]returns aMiqAeServiceVmVmwareinstance for VM 21. If the REST API gem had it's own OO based types, I could see$evm.vmdb["vm", 21]instead calling the manageiq_client gem, ultimately returning aManageiqClient::Vminstance for VM 21With this in place, I think the entirety of the service models just goes away
DRb is also used for built-in methods (like send_email). This can be handled by exposing them from the REST API, and passing the dumped workspace from the method as a parameter to the REST API. These may need some sort of system-only access rules, but then again, maybe not.
Other thoughts:
TODO
$evmobject that we haven't even looked at likeget/set_state_var,instance_*, etccc @gmcculloug @mkanoor @tinaafitz @chessbyte
cc @abellotti (re: REST API stuff and cfme_client split out into manageiq_client gem)
cc @kbrock (re: system-only access rules)
This issue was moved to this repository from ManageIQ/manageiq#2215, originally opened by @Fryguy
The text was updated successfully, but these errors were encountered: