5:47 p.m.
Hey,
we have said that we do no longer want the very strict resource types
that
we had in RHQ. We also identified that we need resource types to define
capabilities like metric types with their units etc. The newest addition
now
are operations and resource config.
I believe that for a certain kind of resource - e.g. "WildFly 8.2", that
"we" manage
we should not have the agent/feed supply the types, but Hawkular should
do so.
A user may still decide to extend that to supply its own data, but we
need to be
careful when dealing with it.
For security relevant things we can not let the client/feed just provide
resource
type data, as otherwise it is too easy to work around checks.
For WildFly there are a bunch of RBAC roles [1,2] that need to map to
what
we (will) have in Hawkular, which we may define as just what WildFly
has.
In fact that will be beneficial, as users will already know how WildFly
RBAC works
and can apply it to Hawkular. Plus if the user already has its org
members in
a central KeyCloak with role mappings, we can hook up to that instance
and get the mappings "for free".
Now for operations on WildFly (not only the classic RHQ-operations, but
also modifying
resource config), RBAC in WildFly is "hiding" whole sub-trees, but also
(iiuc) individual attributes
if you do not have the right role:
role=SuperUser:
[standalone@localhost:9990 /] cd /core-service=management/access
[standalone@localhost:9990 access] ls
audit authorization
role=Monitor:
[standalone@localhost:9990 /] cd /core-service=management/access
[standalone@localhost:9990 access] ls
audit
With enough privileges it is possible to see the access definitions
under /core-service=management/access=authorization/constraint=*
While it is possible for WildFly to obtain the security levels
(automatically)
from the WildFly Metadata, we still need to find a good way to add this
information
into our resource types, as the UI may need to react to them and not
show a
restart button for user that only has the Monitoring role. In theory we
could
just issue the operation with the user perms and see it fail on WildFly
side, but that
is certainly not user-friendly and thus not desired.
For other kinds of resource like Tomcat we probably need to encode the
roles
to the best of our knowledge.
Heiko
[1] http://blog.arungupta.me/role-based-access-control-wildfly-8/
[2] http://www.dzone.com/articles/configuring-rbac-jboss-eap-and
4:35 p.m.
On Tuesday, June 09, 2015 17:47:36 Heiko W.Rupp wrote:
Hey,
we have said that we do no longer want the very strict resource types
that
we had in RHQ. We also identified that we need resource types to define
capabilities like metric types with their units etc. The newest addition
now
are operations and resource config.
I believe that for a certain kind of resource - e.g. "WildFly 8.2", that
"we" manage
we should not have the agent/feed supply the types, but Hawkular should
do so.
A user may still decide to extend that to supply its own data, but we
need to be
careful when dealing with it.
This can be the first capability that the agents can declare. Even today,
nothing prevents anyone with enough permissions to create the resource types a
priori in the inventory. A glue component could listen on the bus and if it
sees a new tenant created, it can add the to-be-predefined resource and metric
types.
We already have a crude "proof-of-concept" of this way of doing things with
our "TemporaryHacks" class that adds the resource types needed for pinger
automagically. TemporaryHacks is in the REST API overlay and therefore has
direct access to the classloader and CDI "environment" of the REST API and
thus can do this using the low level API calls.
There is a question whether the glue component should be written in the same
way as TemporaryHacks - using low level API and circumventing any auth or if
it should be made a true remote component with the implication that it needs
to authenticate against inventory's REST API.
IMHO, we will need to figure out how auth will work in the distributed
scenario anyway - either by for example having some "trusted" interface which
would not be available externally but could be used by the distributed
hawkular components or maybe by just really requiring every component having
controlled access. I am for the latter even if it means more work because it
will provide the users with the ability to lock down the perms of individual
components which is good to minimize the impact in case of security breach in
one of the distributed components.
For security relevant things we can not let the client/feed just provide
resource
type data, as otherwise it is too easy to work around checks.
This could be another agent capability - to support SSO - the auth token would
flow all the way down from the browser to the agent which would execute the
operation as the user on the managed resource. Not sure how feasible this is
but it sounds nice ;)
For WildFly there are a bunch of RBAC roles [1,2] that need to map
to
what
we (will) have in Hawkular, which we may define as just what WildFly
has.
I think we do that - roles in accounts are the same as roles in Wildfly.
In fact that will be beneficial, as users will already know how
WildFly
RBAC works
and can apply it to Hawkular. Plus if the user already has its org
members in
a central KeyCloak with role mappings, we can hook up to that instance
and get the mappings "for free".
Now for operations on WildFly (not only the classic RHQ-operations, but
also modifying
resource config), RBAC in WildFly is "hiding" whole sub-trees, but also
(iiuc) individual attributes
if you do not have the right role:
role=SuperUser:
[standalone@localhost:9990 /] cd /core-service=management/access
[standalone@localhost:9990 access] ls
audit authorization
role=Monitor:
[standalone@localhost:9990 /] cd /core-service=management/access
[standalone@localhost:9990 access] ls
audit
With enough privileges it is possible to see the access definitions
under /core-service=management/access=authorization/constraint=*
While it is possible for WildFly to obtain the security levels
(automatically)
from the WildFly Metadata, we still need to find a good way to add this
information
into our resource types, as the UI may need to react to them and not
show a
restart button for user that only has the Monitoring role.
If these constraints are configurable then I think resource type is not the
right place to have them. IMHO they would better fit into the resources
themselves.
In theory we
could
just issue the operation with the user perms and see it fail on WildFly
side, but that
is certainly not user-friendly and thus not desired.
For other kinds of resource like Tomcat we probably need to encode the
roles
to the best of our knowledge.
Heiko
[1] http://blog.arungupta.me/role-based-access-control-wildfly-8/
[2] http://www.dzone.com/articles/configuring-rbac-jboss-eap-and
_______________________________________________
hawkular-dev mailing list
hawkular-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/hawkular-dev
1:45 p.m.
Hey,
> I believe that for a certain kind of resource - e.g.
"WildFly 8.2",
> that
> "we" manage
> we should not have the agent/feed supply the types, but Hawkular
> should
> do so.
This can be the first capability that the agents can declare. Even
Which "this"? :)
nothing prevents anyone with enough permissions to create the
resource
types a
priori in the inventory. A glue component could listen on the bus and
if it
sees a new tenant created, it can add the to-be-predefined resource
and metric
types.
I would even go further and have that base WF8 type or whatever
be defined for the whole Hawkular system and not per tenant.
I.e. keeping that definition only once in the system.
If that is not possible, we can certainly have that listener install
it in each new tenant.
We already have a crude "proof-of-concept" of this way of
doing things
with
our "TemporaryHacks" class that adds the resource types needed for
Yes.
In fact for more complex scenarios we not only need inventory
be populated "server side", but the feeds (hawkular-monitor) also
need to be able to consume this.
There is a question whether the glue component should be written in
the same
way as TemporaryHacks - using low level API and circumventing any auth
or if
Yes. I think so.
hawkular components or maybe by just really requiring every component
having
controlled access. I am for the latter even if it means more work
because it
will provide the users with the ability to lock down the perms of
individual
components which is good to minimize the impact in case of security
breach in
one of the distributed components.
There is certainly a point in this. Could we actually just shut down
a certain api inside inventory (for a certain caller)?
>
> For security relevant things we can not let the client/feed just
> provide
> resource
> type data, as otherwise it is too easy to work around checks.
>
This could be another agent capability - to support SSO - the auth
token would
flow all the way down from the browser to the agent which would
execute the
operation as the user on the managed resource. Not sure how feasible
this is
but it sounds nice ;)
Again: two things. We must not allow a malicious feed (i.e. one where
an attacker has modified resource type definitions to say "every one
can execute") to be uploaded in the server and then prevent any
RBAC checks inside the server.
The other part which you mention is certainly SSO and "run as" for
operations in the agent, which will allow WF to do its own security
checking instead of relying that Hawkular has everything
correctly set up.
> While it is possible for WildFly to obtain the security levels
> (automatically)
> from the WildFly Metadata, we still need to find a good way to add
> this
> information
> into our resource types, as the UI may need to react to them and not
> show a
> restart button for user that only has the Monitoring role.
If these constraints are configurable then I think resource type is
not the
right place to have them. IMHO they would better fit into the
resources
themselves.
Right, if you see the combination of <role(user), WF_Operation> as
a runtime property of such a resource.
Certainly makes sense, but also makes things more complicated
and bloated.
That is probably the price for not running inside the target server
(like the WF-console).
3:39 p.m.
Hey,
I want to pick up this discussion again. Especially as we had a point in
time some days ago, where the agent code was supporting the "JDR"
operation, but only the Hawkular-server-internal one had it in its
meta-data, while a standalone one was missing it, which was
inconsistent.
I have attached a diagram, that I labeled "Fallback"-Graph. Basically a
type on the top, if it does not exist yet in inventory, the code should
be fall back to the definition below.
E.g. if a WildFly10 server definition does not yet exist, the one for
WF9 should be taken.
There are tricky places though:
- Product 2.1 may run on top of a Product 1, but also get some
additional capabilities from Infinispan 8
- Product 2 may be a Hawkular Server, but where some experimental
features are disabled. It will also run on top of Product 1, while the
Hawkular Server runs on top of WF9
- Product 1 may have a reduced feature set over WF 10
2:30 a.m.
And a major question still to be addressed is how and when does the agent get the type
metadata? Right now, it "owns" the metadata in standalone.xml. But it would be
nice for metadata to be downloaded from the hawkular server - if there is no metadata
available, then the agent can fallback and use its standalone.xml definitions.
I have not thought long about the metadata storage in hawkular and the interface the agent
should use to get it. We need to figure that out.
----- Original Message -----
Hey,
I want to pick up this discussion again. Especially as we had a point in
time some days ago, where the agent code was supporting the "JDR"
operation, but only the Hawkular-server-internal one had it in its
meta-data, while a standalone one was missing it, which was
inconsistent.
I have attached a diagram, that I labeled "Fallback"-Graph. Basically a
type on the top, if it does not exist yet in inventory, the code should
be fall back to the definition below.
E.g. if a WildFly10 server definition does not yet exist, the one for
WF9 should be taken.
There are tricky places though:
- Product 2.1 may run on top of a Product 1, but also get some
additional capabilities from Infinispan 8
- Product 2 may be a Hawkular Server, but where some experimental
features are disabled. It will also run on top of Product 1, while the
Hawkular Server runs on top of WF9
- Product 1 may have a reduced feature set over WF 10
_______________________________________________
hawkular-dev mailing list
hawkular-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/hawkular-dev
8:56 a.m.
On 6 Oct 2015, at 2:30, John Mazzitelli wrote:
And a major question still to be addressed is how and when does the
agent get the type metadata? Right now, it "owns" the metadata in
standalone.xml. But it would be nice for metadata to be downloaded
from the hawkular
server - if there is no metadata available, then the
Yes, the agent should download it from the server
for all those types where we have explicit support
in clients like the UI.
agent can fallback and use its standalone.xml definitions.
What I did not explicitly mention in my previous mail and the graphic is
that an agent would most probably be able to define their own type
extensions on top of what is there.
So the base type for e.g. a WildFly 9 would come from us (=defined on
the Hawkular server, valid for all feeds of that type) and an then a
user-defined type could be loaded from the agent (and is then again
local to that feed).
1:58 p.m.
I disagree about the server being the authoritative source of metadata.
After all it is the feed that actually "sees" and can "touch" the
resource,
not the server.
What the server can (and will) do is to provide for quickly checking if
certain metadata are present in inventory. I preliminarily call it "metadata
packs" which will be a collection of resource, metric and operation types
together with a method to compute their collective hash. The feed then will
check if a pack with a given hash is present in the server and if there is,
then it's good to go.
If the hash does not match it means that some metadata, that the agent expects
(and requires) to correctly describe what it sees, needs to be changed on the
server (i.e. the agent uploads the changes it needs and forms a new pack if it
wants to).
Now for this to make sense, a metadata pack uploaded by one feed (or uploaded
by an operator prior to any feed connecting to the server or even pre-
installed with Hawkular) needs to be "globally visible" so that other feeds
don't have to upload their own version of it with the same hash - i.e. pack
with the same hash should be defined only once in the server.
Why do it this way?
Wildfly agent speaks DMR and can therefore support new functionality/resource
types in the wildfly server without any new code needing to be written. I.e.
the wildfly agent can DEDUCE the metadata directly from what it sees in DMR,
it doesn't need to be told what to see. If it was told, it would also have to
reconcile the differences (i.e. an op is defined on hawk server, but the
underlying wfly doesn't declare it) - i.e. what Heiko is talking about -
fallbacks, compositions of product features, etc.
IMHO, if the agent stays the source of metadata and has the ability to quickly
check that all it needs is already "up with the hawk" then that's a simpler
solution that will be in the end easier on the feeds.
Note that these packs essentially don't need to be user-visible or amendable
"things" - primarily because it would be generally difficult to call them
user-friendly names.
For example, if the agent required (Wfly 10 + product A) it can check for the
presence of the types in 2 ways:
1) 2 calls to inventory checking if "Wfly 10" pack is present and if
"product
A" pack is present) or
2) 1 call to check if "wfly10 + product A" pack is present
If we throw into the mix the "minus 2 components from product A" possibility
as outlined by Heiko, then it becomes quite complex to call it a name or even
"explain" to the user, what this is. But it can still be a metadata pack with
a single hash (the common types would now be members of all 3 packs) and the
agent can still check for its presence with 1 call.
On Tuesday, October 06, 2015 08:56:29 Heiko W.Rupp wrote:
On 6 Oct 2015, at 2:30, John Mazzitelli wrote:
> And a major question still to be addressed is how and when does the
> agent get the type metadata? Right now, it "owns" the metadata in
> standalone.xml. But it would be nice for metadata to be downloaded
> from the hawkular
> server - if there is no metadata available, then the
Yes, the agent should download it from the server
for all those types where we have explicit support
in clients like the UI.
> agent can fallback and use its standalone.xml definitions.
What I did not explicitly mention in my previous mail and the graphic is
that an agent would most probably be able to define their own type
extensions on top of what is there.
So the base type for e.g. a WildFly 9 would come from us (=defined on
the Hawkular server, valid for all feeds of that type) and an then a
user-defined type could be loaded from the agent (and is then again
local to that feed).
_______________________________________________
hawkular-dev mailing list
hawkular-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/hawkular-dev
9:36 a.m.
On 9 Oct 2015, at 13:58, Lukas Krejci wrote:
I disagree about the server being the authoritative source of
metadata.
After all it is the feed that actually "sees" and can "touch" the
resource,
not the server.
This is complicated topic with no easy answer.
On one side we need to avoid storing the same
stuff over and over again. Take an Infinispan
cluster with 1000 nodes - here we do not want
to have 1000 times the same metadata stored
in inventory, but only one copy that all those
1000 nodes share.
On the other hand, we as Hawkular team do not
want to maintain the metadata of Infinispan.
Infinispan should indeed deliver their metadata
in some way. That could be like they provide that
on the 1st connecting node and then all others
share that metadata.
Also as Infinispan runs on top of WildFly, (but
exchanges some subsystems with their version),
and we need that information so that e.g. the
UI can show the stuff for WildFly unless it is
explicitly enabled/disabled for Infinispan.
The same applies for Hawkular server, which
also runs on top of WildFly.
What the server can (and will) do is to provide for quickly checking
if
certain metadata are present in inventory. I preliminarily call it
"metadata
packs" which will be a collection of resource, metric and operation
types
together with a method to compute their collective hash. The feed then
will
check if a pack with a given hash is present in the server and if
there is,
then it's good to go.
If the hash does not match it means that some metadata, that the agent
expects
(and requires) to correctly describe what it sees, needs to be changed
on the
server (i.e. the agent uploads the changes it needs and forms a new
pack if it
wants to).
Now for this to make sense, a metadata pack uploaded by one feed (or
uploaded
by an operator prior to any feed connecting to the server or even pre-
installed with Hawkular) needs to be "globally visible" so that other
feeds
don't have to upload their own version of it with the same hash - i.e.
pack
with the same hash should be defined only once in the server.
That certainly makes sense and reflects what I wrote above.
IMHO, if the agent stays the source of metadata and has the ability
to
quickly
check that all it needs is already "up with the hawk" then that's a
simpler
solution that will be in the end easier on the feeds.
This is certainly a good approach. Where I am concerned,
and you sort of mention that in the next paragraph
is users messing with the resource types so that they
get into an indeterministic state.
Note that these packs essentially don't need to be user-visible
or
amendable
"things" - primarily because it would be generally difficult to call
them
user-friendly names.
Heiko
2:18 p.m.
Hey,
I just had a good discussion with Lukas in the STR office around
resource types, metadata, syncing and so on. No conclusion yet,
but a much better common understanding. Lukas' idea of
metadata packs looks like a promising way forward.
We did some drawing on those "whiteboard" glass walls in the
office. You can find those two at
https://www.dropbox.com/s/oktwsuk1mt4g3fa/IMG_20151020_134356.jpg?dl=0
and
https://www.dropbox.com/s/lhlrekprs5xyf2f/IMG_20151020_134406.jpg?dl=0
Heiko
2:49 p.m.
Hey,
I wrote:
The quality of the other photo has room for improvement, so here it is
with some
better quality:
https://www.dropbox.com/s/i7clakhbik4zdky/IMG_20151020_144524.jpg?dl=0
3104
days inactive
3237
days old
9 comments
3 participants
participants (3)
-
Heiko W.Rupp -
John Mazzitelli -
Lukas Krejci