
PolicyGuidedFulfillmentLibertyPlanning MuranoAPI

Revision as of 09:10, 12 May 2015 by Radek Pospisil (talk | contribs) (Murano REST API)

This topic is part of PolicyGuidedFulfillmentLibertyPlanning

Improving Murano API/core-model for better integration

During Kilo development we ran into limitations of the Murano API in the following areas:

  • Murano REST API
    • The REST API supports only single-tenant queries, so listing all environments returns just the environments of the tenant for which the token was issued. Thus the Murano Congress datasource driver can only populate data from a single tenant (whereas, e.g., the Nova REST API can list servers from all tenants).
  • Murano Core Model
    • The Core Model can be seen as an API, because users rely on it when writing Datalog queries in Congress or integrating with Mistral workflows.

Murano REST API

The current Murano REST API returns the list of environments from the current tenant only:

GET http://<server-name>:8082/v1/environments 
{
  "environments": [
    {
      "status": "deploying",
      "updated": "2015-05-06T08:14:06",
      "networking": {},
      "name": "test",
      "created": "2015-05-06T08:08:40",
      "tenant_id": "cd9e218f9b894ebdb421e9906fbec15e",
      "version": 1,
      "id": "8cc3187c763f4ca9bc58cdaf89f926d3"
    }
  ]
}

The proposal is to enhance the environment REST API with the query parameter all_tenants=true:

GET http://<server-name>:8082/v1/environments?all_tenants=true
{
  "environments": [
    {
      "status": "deploying",
      "updated": "2015-05-06T08:14:06",
      "networking": {},
      "name": "test",
      "created": "2015-05-06T08:08:40",
      "tenant_id": "cd9e218f9b894ebdb421e9906fbec15e",
      "version": 1,
      "id": "8cc3187c763f4ca9bc58cdaf89f926d3"
    },
    {
      "status": "deploying",
      "updated": "2015-05-08T09:34:16",
      "networking": {},
      "name": "test 2",
      "created": "2015-05-08T08:18:20",
      "tenant_id": "8908989abbeec239023489023ccc1234f",
      "version": 1,
      "id": "abecbf88328932bbecbefe82348238b"
    }
  ]
}

Notes

  • Accessing an environment's details (and all environment subresources) shall not strictly check the project of the token. It shall allow reading environment details for the owner or for a user with the admin role in the environment's project (so the token can be issued for a different project than the environment's project).
GET http://<server-name>:8082/v1/environments/<env-uuid>
GET http://<server-name>:8082/v1/environments/<env-uuid>/services/

The following rules shall be added to and used in Murano's policy.json:

"admin_required": "role:admin or is_admin:1",
"owner" : "user_id:%(user_id)s",
"admin_or_owner": "rule:admin_required or rule:owner",
"identity:change_password": "rule:admin_or_owner"
  • This also means that the user specified in the Murano Congress datasource driver configuration shall have the admin role in the projects from which environments will be pulled.
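
The check described in these notes, sketched as an added example (not Murano or oslo.policy code): the admin_or_owner rule is evaluated with the caller's roles in the environment's project rather than in the token's project, so all_tenants=true only adds environments the caller may already read. The role-assignment table, the user_id field on an environment, and the function names are assumptions made for illustration.

```python
# Added illustration, not Murano or oslo.policy code: a minimal evaluator for
# the rules above, supporting only "or", "rule:<name>" and "<key>:<value>".
RULES = {
    "admin_required": "role:admin or is_admin:1",
    "owner": "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
}

# Constructed sample data. ROLE_ASSIGNMENTS stands in for an identity-service
# lookup; the "user_id" (creator) field on an environment is an assumption.
ROLE_ASSIGNMENTS = {
    ("alice", "proj-a"): ["admin"], ("bob", "proj-b"): ["member"],
    ("congress", "proj-a"): ["admin"], ("congress", "proj-b"): ["admin"],
}
ENVIRONMENTS = [
    {"id": "env-1", "name": "test", "tenant_id": "proj-a", "user_id": "alice"},
    {"id": "env-2", "name": "test 2", "tenant_id": "proj-b", "user_id": "bob"},
]

def check(rule, creds, target):
    """Return True if any 'or' branch of the named rule matches."""
    for term in RULES[rule].split(" or "):
        kind, _, match = term.partition(":")
        if kind == "rule":
            ok = check(match, creds, target)
        elif kind == "role":
            ok = match in creds["roles"]
        else:  # generic check: credential vs. a literal or a %(key)s of the target
            ok = kind in creds and str(creds[kind]) == match % target
        if ok:
            return True
    return False

def can_read(user_id, env):
    """Evaluate admin_or_owner with roles taken from the environment's project,
    not from the project the caller's token was issued for."""
    creds = {"user_id": user_id,
             "roles": ROLE_ASSIGNMENTS.get((user_id, env["tenant_id"]), [])}
    return check("admin_or_owner", creds, env)

def list_environments(user_id, token_project, all_tenants=False):
    """Default: the token's project only. With all_tenants, environments of
    other projects are added only where the caller is admin or owner."""
    return [e["id"] for e in ENVIRONMENTS
            if e["tenant_id"] == token_project
            or (all_tenants and can_read(user_id, e))]
```

An admin of one project who passes all_tenants=true still sees only that project; the datasource user sees both because it holds the admin role in each.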

Murano Core Model

Enhancement of

  • io.murano.resource.Instance
    • Add an output property serverId holding the UUID of the server that realizes the Instance. It shall be set from the result of the deployed Heat stack.
 serverId:
   Contract: [$.string()]
   Usage: Out