Redesign Specs #154
All is matched with what I learnt from you guys and the discussions. Great job!
There goes my quiet evening!
I did not go through the entire thing, but I have really serious concerns about the way you think you can handle authentication. Come talk to me.
2. An access control list (ACL) can be created by any user (a.k.a. the user creating the access control list will be its owner). | ||
3. Owner of an access control list can add/remove user from the access control list. | ||
4. Owner can transfer the ownership of the access control list to another user. | ||
5. Owner can share an access control list with another user. |
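Review bot: Item 4 does not say whether a transfer needs the recipient's acceptance or whether the previous owner keeps any access afterwards, and item 5 does not say which of the item 3 rights (add/remove) a share grants. State both, so that it is always clear who may change the membership of a list.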
Define: share. And how is it different from adding a user to the ACL?
* isSnapshot : This flag is `true` in case of snapshot and not an uploaded image | ||
* dataStoreId : Id of the DataStore that gives information about where this image is stored. | ||
|
||
**NOTE:** `(name, ownerUserId) pair is unique key.` |
If you have an image named `openstack-compute` and I try to give you ownership of my own `openstack-compute`, that wouldn't work because it hits this constraint. User would have to rename an image.
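The constraint this comment describes, reproduced as an added example (not part of the PR or the BMI code base): an in-memory SQLite table carrying the spec's `(name, ownerUserId)` unique key. The table layout, the sample rows and `transfer_ownership` are assumptions made for illustration.

```python
import sqlite3

def build_db():
    """In-memory table with the (name, ownerUserId) unique key from the spec NOTE."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE image ("
        " id INTEGER PRIMARY KEY,"
        " name TEXT NOT NULL,"
        " ownerUserId INTEGER NOT NULL,"
        " UNIQUE (name, ownerUserId))"
    )
    # Constructed sample rows: users 1 and 2 each own an image with the same name.
    db.executemany(
        "INSERT INTO image (name, ownerUserId) VALUES (?, ?)",
        [("openstack-compute", 1), ("openstack-compute", 2)],
    )
    db.commit()
    return db

def transfer_ownership(db, image_id, new_owner_id):
    """Return (ok, reason); a name clash is reported instead of raised."""
    try:
        with db:  # commits on success, rolls back on error
            cur = db.execute(
                "UPDATE image SET ownerUserId = ? WHERE id = ?",
                (new_owner_id, image_id),
            )
    except sqlite3.IntegrityError:
        # The recipient already owns an image with this name.
        return False, "new owner already has an image with this name"
    if cur.rowcount == 0:
        return False, "no such image"
    return True, "transferred"
```

Transferring image 2 to user 1 fails until one of the two images is renamed, which is the behaviour the API would have to surface to the caller.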
3. All tag must be deleted before de-provisioning. | ||
|
||
* id : Id of the tag (primary key) | ||
* name : Name of the tag |
I don't really think you need ID here. A unique name would be enough, and make the pair `(name, nodeId)` unique.
2. DataStore: A filesystem service where images are stored. | ||
3. ProvisionEngine: A service used to (de)-provision a node. | ||
|
||
* The three above tables have `<id>` (primary key), `<name>` (unique key), `<type>`, `<url>` (unique key), `<ip>`, and `<port>` |
I strongly disagree with this abstraction. If you think you can make an authentication driver work with that much information, we need to talk. Also why have `ip`, `port` and also `url`? I would just keep `url`, since that will include also the protocol of communication, which you are missing here.
|
||
*** | ||
|
||
## Vlan |
A driver which supports multiple technologies will not work if you settle on only VLANs.
BMI assumes that the underlying network isolation layer (e.g. HIL) is layer-2 based.
We should be supporting IB next year as well, in which case IP address doesn't work ... Also eventually omnipath... Agree with L2. Having said that, I don't think it's unreasonable that BMI talk to the management network, typically that is just ethernet, i.e., BMI doesn't care about the data networks. For this release, let's call it network, not VLAN, but we can probably only be concerned with VLANs?
**NOTE**: After the example, an explanation for each parameter must be provided. | ||
|
||
The response header will contain the HTTP status code: | ||
* 200 for success |
In the cases of success but no body returned in the response, please use 204.
docs/redesign-specs/REST/Api.md
Outdated
|
||
Register a data store. | ||
|
||
`POST /dataStores` |
Please remove the camelCasing. `datastores`
**NOTE**: `Response Body Example (Failure)` is not required for every API call | ||
|
||
#### Authentication (Optional): | ||
* If Authentication is required by REST API call then the Credentials/Token should be passed using `HTTP Basic Auth`. |
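Review bot: The `HTTP Basic Auth` line does not require HTTPS. Basic Auth only base64-encodes the credentials in the `Authorization` header, so the section should state that authenticated calls are accepted over TLS only, and it should name the status code returned when credentials are missing or invalid.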
Different authentication methods have different ways to pass credentials. Please, please, do not do this. Use a middleware (like keystonemiddleware) or apache module for this.
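A sketch of the separation this comment asks for, added here as an example and not taken from BMI or keystonemiddleware: a WSGI middleware picks a validator by `Authorization` scheme and passes only the resolved identity to the API. The validators, the `bmi.user` environ key and the sample credentials are hypothetical.

```python
import base64
import hmac
# Constructed demo credentials; a real deployment asks the identity service.
TOKENS = {"tok-alice": "alice"}
PASSWORDS = {"bob": "s3cret"}

def bearer_scheme(value):
    """Hypothetical validator for 'Authorization: Bearer <token>'."""
    return TOKENS.get(value)

def basic_scheme(value):
    """Hypothetical validator for 'Authorization: Basic <base64 user:password>'."""
    try:
        decoded = base64.b64decode(value, validate=True).decode()
    except ValueError:  # malformed base64 or UTF-8
        return None
    user, _, password = decoded.partition(":")
    ok = hmac.compare_digest(PASSWORDS.get(user, "").encode(), password.encode())
    return user if ok and user in PASSWORDS else None

class AuthMiddleware:
    """Authenticates once per request and hands the app only the identity."""
    def __init__(self, app, schemes):
        self.app = app
        self.schemes = {name.lower(): fn for name, fn in schemes.items()}
    def __call__(self, environ, start_response):
        scheme, _, value = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
        validator = self.schemes.get(scheme.lower())
        user = validator(value.strip()) if validator else None
        if user is None:
            challenge = ", ".join(name.title() for name in self.schemes)
            start_response("401 Unauthorized", [("WWW-Authenticate", challenge)])
            return [b""]
        environ["bmi.user"] = user  # hypothetical key the API handlers read
        return self.app(environ, start_response)

def api_app(environ, start_response):
    """Stand-in API handler: it sees the identity, never the credentials."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ["bmi.user"].encode()]

def call(app, authorization=""):
    """Drive a WSGI app with a constructed environ; return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "HTTP_AUTHORIZATION": authorization}
    seen = []
    body = b"".join(app(environ, lambda status, headers: seen.append(status)))
    return seen[0], body

app = AuthMiddleware(api_app, {"Bearer": bearer_scheme, "Basic": basic_scheme})
```

Adding or removing an authentication method changes only the `schemes` mapping; `api_app` is untouched.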
* id : Id of the user (primary key) | ||
* name : Name of the user (unique key) | ||
* type : Type of user (ordinary user or admin) | ||
* quota : Quantity of datastore disk-space allocated to a user (GB) |
Is this for the disk space? I am confused by the figure, where the datastore/storage provider is coupled with the database. I think that storage provider should be closely associated with the iscsi service. You really want a single driver for communicating with storage to clone volumes... and to set up ISCSI end points for those volumes. For quota, is this the absolute size of the volumes, or is this the new storage incurred due to the clone; in many cases the latter will be orders of magnitude less.
* name : Name of the user (unique key) | ||
* type : Type of user (ordinary user or admin) | ||
* quota : Quantity of datastore disk-space allocated to a user (GB) | ||
* status : Current status of user (e.g. active, inactive, disabled, etc.) |
What does this mean? How can you tell if someone is active? If you have any machines currently backed by BMI then it is active, so user stays active for days/weeks/months? What is the purpose of this?
* type : Type of user (ordinary user or admin) | ||
* quota : Quantity of datastore disk-space allocated to a user (GB) | ||
* status : Current status of user (e.g. active, inactive, disabled, etc.) | ||
* autheticationId : Id of the authentication service using which a user will be verified in a multi-tenant setup. A user will specify a token (obtained from the authentication service) while invoking the REST API. |
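Review bot: `autheticationId` is misspelled; rename it to `authenticationId` before the name reaches the schema and the API. The description also says the user passes a token but not how BMI maps a validated token to this row (by `name`, by `id`, or by something the authentication service returns), which the field list needs in order to be implementable.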
Don't know enough, but that doesn't seem right to me...
4. Snapshot is a special type of image that is created by deep copying the existing state of a provisioned node's image. | ||
5. Image/Snapshot owner can be different from the owner of an ACL. | ||
6. Ownership of the image/snapshot can be transfered to another user. | ||
7. Image/Snapshot can be shared to a set of users. |
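Review bot: "transfered" in item 6 should be "transferred". Items 6 and 7 also do not say who may perform the transfer or the share (the owner only, or an admin as well), and item 7 should say whether "a set of users" means an ACL, since item 5 already relates image owners to ACL owners.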
If shared, and used, can the "owner" delete it? If public, who owns it?
5. BMI creates an interface (physical or virtual) on the provisioning engine for the users' provisioning network. | ||
|
||
* id : Id of the provisioned node (primary key) | ||
* macAddress : Mac address of the provisioned node (unique key) |
I would rather use terms like networkAddress, and say, e.g., macAddress, some day we will move away from ethernet
* cloneName : Name of the cloned image (unique key) | ||
* nic : NIC of the provisioned node | ||
* ownerUserId : Id of the user who owns the provisioned node | ||
* provisionEngineVlanId: Id of the provisionEngineVlan. This column represents the `(provisioning engine, vlan interface)` pair that is used to provision the given node. |
can we call network, and say, for example Vlan... some day move away from Vlans...
- Support for different authentication services (e.g. LDAP, Kerberos, etc.). | ||
- Support for different data stores (e.g. Lustre, etc). | ||
- Support for different network isolators. | ||
|
I don't see the mechanisms you are using... do we have a plugin architecture? How configure...
First Draft of BMI Redesign specs