[wildfly-dev] Proposal to add notifications to WildFly management model and API

Brian Stansberry brian.stansberry at redhat.com
Tue Jul 8 17:07:48 EDT 2014


On 7/7/14, 9:46 AM, Jeff Mesnil wrote:
> # Add Notification support to WildFly Management
>
> Tracked by https://issues.jboss.org/browse/WFLY-266
>
> Use Cases
> ---------
>
> Notifications are an useful mechanism to observe management changes on WildFly servers.
> It allows an administrator to be informed of changes outside of his own actions (e.g. a server has been killed, a new application is deployed, etc.)
>
> Currently WildFly lacks notifications and users that were depending on JMX notifications in previous versions have no similar feature to use.
>
> The most expected use cases for WildFly notifications are:
> - enhance UX for Web console. Using notifications, the Web console could notify the users of changes outside its own actions.
> - replacement for JMX notifications. Users that were listening for JMX notifications to observe management changes would have a similar feature using WildFly own notifications
> - integration with JMX. Notifications emitted by WildFly could be converted and made available using JMX notifications (including notifications for mbean registered/unregistered)
>
> Part 1: Notification Definition
> -------------------------------
>
> A resource will define the notifications it emits. These definitions will be added to the attributes and operations definitions on a resource.
>
>        {
> 	  "description" => "A manageable resource",
>            "attributes" => {
> 	     ...
>            },
> 	  "operations" => {
> 	     ...
>            },
> 	  "notifications" => {
> 	     "resource-added" => {
> 	        ...
> 	     }
> 	  },
> 	  "children" => {
> 	     ...
>            }
>         }
>
> The description of a notification will be composed of:
>
> * type - String - the type of notification (resource-added, server-stopped, etc.)
> * description - String - i18ned description of the notification
> * access-constraints - the RBAC access constraints that controls who can receive the notifications
> * data-type - ModelType or complex structure - optional - only present if the notification will have a data value. data-type will detail the structure of the data value, enumerating the value's fields and the type of their value
>
> The read-resource-description will be enhanced with a notifications parameter (boolean) to include the notifications descriptions (default value is false, same as the operations parameter).
>
> The ManagementResourceRegistration interface will be enhanced to register a notification definition with registerNotification(NotificationDefinition notification). The NotificationDefinition interface corresponds to the detyped representation of a notifications and comes with a builder API.
>
> Part 2: Emitting a notification
> -------------------------------
>
> A notification can be emitted in any OperationStepHandler using the OperationContext.emit(Notification method)
>
>      public void execute(OperationContext context, ModelNode operation) throws OperationFailedException {
>
>         // perform some actions
>         ...
>
>         context.emit(new Notification(SERVER_RESTARTED_NOTIFICATION, address, ROOT_LOGGER.serverHasBeenRestarted()));
>         context.stepCompleted();
>      }
>
> The notification is *not* emitted (i.e. delivered to interested parties) when OperationContext.emit() is called. It is emitted at the end of the operation step only if it is successful. A call to OperationContext.emit() will have no effect if the operation is rolled back.

To clarify: I believe your intent was delivery is at the end of the 
overall operation execution, when it commits, not at the end of the 
"operation step". I mention this because an operation execution can 
consist of many steps, with even a basic write involving 2 or 3.

> Notification emission is done asynchronously using the server thread pool and does not block the execution of the operation that triggered the notification: having zero or any notification handlers must have no impact of the execution of the operation.
>
> A Notification is a simple Java class that represents the notification. It is composed of:
>
> * type - String - the notification type
> * address - PathAddress - the address of the resource that emits the notification
> * message - String - the i18ned description of the message
> * timestamp - long - the timestamp of the notification. It is set when the Notification object is created.
> * data - ModelNode - optional - a detyped representation of data associated to the notification. If a notification includes a data field, its definition must describe it (in its data-type parameter).
>
> If RBAC is enabled, the notification access-constraints will be checked to ensure that the handler have the required privileges to receive the notification. Notification will potentially contain critical information (e.g. if a security-credential attribute is updated, the notification will contain its old and new values) and must be constrained accordingly.
>

We also need to use SecurityManager permissions around the handler 
registration. Non-remote registrations basically get all permissions, 
same as internal management clients like the deployment-scanner do. We 
control the ability of internal management clients like the scanner to 
create a ModelControllerClient using SecurityManager permissions.

> Part 3: Global Resource Notifications
> ——————————————————
>
> In the same way that some operations are available for any resource (e.g. add, remove, read-resource-description), some notifications will be added to any resource of WildFly management model:
>
> * resource-added - when a resource is added, it emits a resource-added notification
> * resource-removed - when a resource is removed, it emits a resource-removed notification
> * attribute-value-written - when a write-attribute operation is performed successfully on a resource, it emits a attribute-value-written    notification. The notification's data field contains the following information:
>    * name - String - the name of the attribute
>    * old-value - the detyped representation of the previous value of the attribute
>    * new-value - the detyped representation of the new value
>

>
> Part 4: Notification Handlers
> ——————————————
>
> Any interested parties can receive notifications by registering a NotificationHandler using the ModelController.getNotificationSupport().registerNotificationHandler(source, handler, filter) method.
>
> The source is a path address to handle notifications emitted by resources at this address.
> The NotificationHandler is an interface with a single handleNotification(Notification notification) method.
> The isNotificationEnabled(Notification notification) is an interface with a single isNotificationEnabled(Notification notification) method to filter out uninteresting notifications.
>
> There is a similar unregister method to unregister a (handler, filter)
>
> To be useful, the source path address will have to accept wildcards for the address' values:
> * /subsystem=messaging/hornetq-server=* to receive notifications emitted by any hornetq-server resources
> * /subsystem=messaging/hornetq-server=*/jms-queue=* to receive notifications emitted by any jms-queue on any hornetq-server resources
>
> Wildcards for address' keys or key/value paris are not allowed (/subsystem=messaging/*=*/jms-queue=* and /subsystem=messaging/*/jms-queue=* are not valid).
>
> This notion of wildcard for the resource addresses should be made to match current usage (e.g. in the CLI).
>
> The main reason for the wildcard is for the resource-added/resource-removed notifications. I find more intuitive to have the notifications at the same resource-level than their corresponding add/remove operations.

Agreed. I don't think this should be an issue. We shouldn't use the 
Resource tree anyway as the data structure for retaining the registered 
handlers; a separate structure is needed. The wildcards are fine as long 
as there's a relevant ManagementResourceRegistration.

> However until the resource is created, there is no way to register a notification listener on it without using a wildcard.
> If that proves problematic, we could change this approach with two alternatives:
> * have a single well-known resource emit the notifications for all resource (that's the JMX approach). A likely candidate would be /core-service=management
> * the resource-added/-removed notifications can be emitted by the resource parents (but it only fixes the issue for the last leaf of the address tree…)
>
> I still have questions about RBAC enforcements and it is possible that the registration of a handler will have to be done with additional metadata identifying the user roles wrt RBAC...
>

It's not critical until you get to Part 7 but we'll need to sort it out 
before even starting on Part 7.

The user-related inputs into the existing RBAC logic (see 
org.jboss.as.controller.access.Authorizer) are the Caller and 
Environment. The Caller basically just wraps a Subject, exposing the 
data from the relevant Principal types (name and groups).

We could just cache the Caller in effect when the handler is registered 
and use it for authorizing delivery of each notification. The problem is 
if the user if no longer valid or the groups associated with the user 
have changed, this won't be picked up.

We don't want to cache any "roles". First, the mapping of the Caller to 
roles can change from time to time so we don't want to cache that 
result. Second, "roles" are not first-class parts of the Authorizer API; 
they are used by our standard impls of it, but we want to allow custom 
impls that may not care about roles.

> Part 5: Domain Notifications
> ——————————————
>
> Notifications are also intended to work in domain mode. In particular, they will be used to observe server state.
>
> The following notifications will be emitted by resources at /host=XXX/server-config=YYY (i.e. the resource to start/stop/etc. a server):
> * server-started
> * server-stopped
> * server-restarted
> * server-destroyed
> * server-killed
>
> Part 6: Integration with local JMX
> —————————————————
>
> The jmx subsystem will be updated to leverage the WildFly notifications and expose them as MBean notifications in our jmx facade for the management model:
> * the WildFly notification description will be converted to MBeanNotificationInfo and added to the MBeanInfo
> * when a JMX notification listener is added to an ObjectName, a WildFly NotificationHandler will be added to the path address corresponding to the ObjectName.
> * depending on the user feedback, we may provide a hack to convert some WildFly notifications to their well-known JMX equivalent notifications (e.g. resource-added => jmx.mbean.registered).
>
> In a first step, integration will be limited to use of JMX locally. Remoting will not be supported.
>

Everything up to this point I'd like to see in 8.2.

> Part 7: Integration with Remote Management API
> ———————————————————————
>
> We will enhance the remote management native API to register/unregister a notification handler from the ModelControllerClient
>
>      void registerNotificationHandler(ModelNode resourceAddress, NotificationClientHandler handler, NotificationClientFilter filter);
>
> The client contract will have to taken into account reconnection when server is reloaded (possibly by caching the handler & filter and register them again after reconnection to the server...)
>

Last we talked about this we planned to do a new controller client 
variant that could better handle this.

> The Management HTTP API will also be enhance to support notifications with its REST API.
> A neat addition will be to provide a browser-specific way to push notifications to the browser (e.g. using Server-Sent Events or Web Sockets).
> => the Web Console is the recipient for this feature and will have their say in how they prefer to consume notifications
>
> Part 8: Integration with Remote JMX
> —————————————————
>
> Once the WildFly Management API will support notifications (for both native and HTTP), we can add support to JMX remotely (if there is any user interest for it).
>
> Part 9: Web Console UX improvement
> —————————————————
>
> Once the Management HTTP API supports notifications, the Web console can leverage it to improve its UX.
>
> This is a task that touch different parts of the app server (mainly in wildfly-core though) and I intend to split it in different JIRA issues (approx. one for each part) that can be merged one after the other instead of a big huge commit.
>
> What do you think?
>

Sounds good.

> jeff
>
>


-- 
Brian Stansberry
Senior Principal Software Engineer
JBoss by Red Hat


More information about the wildfly-dev mailing list