Re: [wildfly-dev] WFLY-2422 or simplifying the remote outbound connection configuration for server to server communication

Tuesday, 14 July 2015

I belive that we need to deal with two problems:
1. Moving away configuration from application developer to server administrator.
2. Simplify the configuration so that most common scenarios can be consise and easy to
understand.  On the other hand we must assure that all valid use scenarios are still
supported. 

My previous refactor dealt with the first point. Concept of profile was introduced which
groups remote-outbound-connections and enables application developer to specify only the
name of the profile. 
As Wolf mentioned the further things may to be improved: replication of configuration,
cluster enabling and ability to use multiple profiles.

Connection groups

Regarding cluster configuration I believe that cluster properties should be moved from
ejb-client-descriptor to remoting subsystem definition. Firstly, we will remove another
part of server specific 
configuration from application deployer to server administrator. Secondly, it will allow
to perform further simplifing configuration refactor.

Regarding the second point, I believe that the problem of replication should not be
handled using profiles - we should have a different configuration element for that. 

One possible solution that we discussed with Wolf was to create a
remote-outbound-connection-group element which will gather together all r-o-cs that share
the same configuration.
Instead of:

<remote-outbound-connection name="remote-ejb-connection-1"
outbound-socket-binding-ref="remote-ejb-1" username="quickuser"
security-realm="ejb-security-realm" protocol="http-remoting">
    <properties>
        <property name="SASL_POLICY_NOANONYMOUS" value="false"
/>
        <property name="SSL_ENABLED" value="false" />
    </properties>
</remote-outbound-connection>
<remote-outbound-connection name="remote-ejb-connection-2"
outbound-socket-binding-ref="remote-ejb-2" username="quickuser"
security-realm="ejb-security-realm" protocol="http-remoting">
    <properties>
        <property name="SASL_POLICY_NOANONYMOUS" value="false"
/>
        <property name="SSL_ENABLED" value="false" />
    </properties>
</remote-outbound-connection>
<remote-outbound-connection name="remote-ejb-connection-3"
outbound-socket-binding-ref="remote-ejb-3" username="quickuser"
security-realm="ejb-security-realm" protocol="http-remoting">
    <properties>
        <property name="SASL_POLICY_NOANONYMOUS" value="false"
/>
        <property name="SSL_ENABLED" value="false" />
    </properties>
</remote-outbound-connection>

we would have:

<remote-outbound-connection-group username="quickuser"
security-realm="ejb-security-realm" protocol="http-remoting"> 
    <connection outbound-socket-binding-ref="remote-ejb-1"/>
    <connection outbound-socket-binding-ref="remote-ejb-2"/>
    <connection outbound-socket-binding-ref="remote-ejb-3"/>
    <properties>
        <property name="SASL_POLICY_NOANONYMOUS" value="false"
/>
        <property name="SSL_ENABLED" value="false" />
    </properties>
<remote-outbound-connection-group/>

If user need to specify different configurations for different connections then he can
still do it directly - that is create number of remote-outbound-connection not nested in
any group.

What's more the group may be used to group connections of one cluster. If we decide to
group nodes from the cluster together then it would require that the same properties are
used when connecting to 
each node in the cluster. Let's suppose that those connections are three possible
points of entry to a cluster called "ejb-cluster". Currently application
deployer has to specify the following 
configuration:

<cluster name="ejb">
    <connection-creation-options>
        <property name="org.xnio.Options.SSL_ENABLED" value="false"
/>
        <property name="org.xnio.Options.SASL_POLICY_NOANONYMOUS"
value="false" />
    </connection-creation-options>
</cluster>

According to Wolf it is a good practice for all nodes in the cluster to have the same
configuration. If we can make an assumption than only such configuration is supported then
we can use 
remote-outbound-connection-group to configure cluster as well.

An example configuration may be: 

<remote-outbound-connection-group username="quickuser"
security-realm="ejb-security-realm" protocol="http-remoting"
cluster="ejb-cluster">
(...)
<remote-outbound-connection-group/>

Profiles

Profile is an entity that can be understood by application deployer without need of
knowing the configuration details. It would contain r-o-c and r-o-c groups (which can
possibly represent a cluster).
Currently user can address only one profile from jboss-ejb-client descriptor. This should
be changed too - users should be able to specify many profiles in jboss-ejb-client.
Profiles can be combinded 
in different ways and we were also discussing the possibility to introduce dependencies
between profiles, but it needs to be discussed wheter there are use cases that require
introduction of such 
design which introduces additional complexity. In proposed design application deployers
can combine different profiles in their ejb-client-descriptors.

Sample of proposed configuration:

Remoting subsystem:

<remote-outbound-connection-group name="group" username="quickuser"
security-realm="ejb-security-realm" protocol="http-remoting"> 
    <connection outbound-socket-binding-ref="remote-ejb-1"/>
    <connection outbound-socket-binding-ref="remote-ejb-2"/>
    <connection outbound-socket-binding-ref="remote-ejb-3"/>
    <properties>
        <property name="SASL_POLICY_NOANONYMOUS" value="false"
/>
        <property name="SSL_ENABLED" value="false" />
    </properties>
<remote-outbound-connection-group/>

<remote-outbound-connection-group name="cluster"
username="quickuser" security-realm="ejb-security-realm"
protocol="http-remoting" cluster="ejb"> 
    <connection outbound-socket-binding-ref="remote-ejb-cluster-1"/>
    <connection outbound-socket-binding-ref="remote-ejb-cluster-2"/>
    <properties>
        <property name="SASL_POLICY_NOANONYMOUS" value="false"
/>
        <property name="SSL_ENABLED" value="false" />
    </properties>
<remote-outbound-connection-group/>

<remote-outbound-connection name="connection1"
outbound-socket-binding-ref="remote-ejb-4" username="quickuser"
security-realm="ejb-security-realm" protocol="http-remoting">
    <properties>
        <property name="SASL_POLICY_NOANONYMOUS" value="false"
/>
        <property name="SSL_ENABLED" value="false" />
    </properties>
</remote-outbound-connection>
<remote-outbound-connection name="connection2"
outbound-socket-binding-ref="remote-ejb-5" username="quickuser"
security-realm="ejb-security-realm" protocol="http-remoting">
    <properties>
        <property name="SASL_POLICY_NOANONYMOUS" value="true"
/>
        <property name="SSL_ENABLED" value="true" />
    </properties>
</remote-outbound-connection>

<profile name="application A">
    <outbound-connection-group-ref="group"/>
</profile>

<profile name="application B">
    <outbound-connection-group-ref="cluster"/>
</profile>

<profile name="application C">
    <outbound-connection--ref="connection1"/>
    <outbound-connection--ref="connection2"/>
</profile>

Sample client configs:

<jboss-ejb-client xmlns="urn:jboss:ejb-client:1.3">
    <client-context>
        <profile name="application A" />
        <profile name="application B" />
    </client-context>
</jboss-ejb-client>

-- 
Tomasz Adamski
Software Engineer
JBoss by Red Hat 

----- Oryginalna wiadomość -----
...
 Od: "Wolf-Dieter Fink" <wfink(a)redhat.com&gt;
 Do: "tadam >> Tomasz Adamski" <tadamski(a)redhat.com&gt;, "WildFly
Dev" <wildfly-dev(a)lists.jboss.org&gt;
 DW: "Paul Ferraro" <paul.ferraro(a)redhat.com&gt;, "David M. Lloyd"
<david.lloyd(a)redhat.com&gt;, "Brad Maxwell"
 <bmaxwell(a)redhat.com&gt;, "Dennis Reed" <dereed(a)redhat.com&gt;,
"Shay Matasaro" <smatasar(a)redhat.com&gt;
 Wysłane: poniedziałek, 9 marzec 2015 15:25:32
 Temat: WFLY-2422 or  simplifying the remote outbound connection configuration for server
to server communication

 I start a request for simplifying the configuration for "in EE
 application" clients and get rid of extra cluster configuration and
 repeat properties many times.
 Also the client should not need to have knowledge about the server
 topology, there is no need to know how many servers there are or whether
 they are clustered or not.

 Starting point in EAP6/WF8 is a application configuration like this:

https://github.com/wildfly/quickstart/blob/master/ejb-multi-server/app-ma...

 and a server side configuration like this:
              <subsystem xmlns="urn:jboss:domain:remoting:3.0">
                  <endpoint worker="default"/>
                  <http-connector name="http-remoting-connector"
 connector-ref="default" security-realm="ApplicationRealm"/>
                  <outbound-connections>
                      <remote-outbound-connection
 name="remote-ejb-connection-1"
 outbound-socket-binding-ref="remote-ejb-1" username="quickuser1"
 security-realm="ejb-security-realm-1" protocol="http-remoting">
                          <properties>
                              <property name="SASL_POLICY_NOANONYMOUS"
 value="false"/>
                              <property name="SSL_ENABLED"
value="false"/>
                          </properties>
                      </remote-outbound-connection>
                      <remote-outbound-connection
 name="remote-ejb-connection-2"
 outbound-socket-binding-ref="remote-ejb-2" username="quickuser2"
 security-realm="ejb-security-realm-2" protocol="http-remoting">
                          <properties>
                              <property name="SASL_POLICY_NOANONYMOUS"
 value="false"/>
                              <property name="SSL_ENABLED"
value="false"/>
                          </properties>
                      </remote-outbound-connection>
                  </outbound-connections>
              </subsystem>

 Tomasz did some refactoring (WF9) to use a profile from the application
 perspective. The configuration is like this:

 jboss-ejb-client.xml
      <client-context>
          <profile name="main-app"/>
      </client-context>

 server profile:
                  <remote connector-ref="http-remoting-connector"
 thread-pool-name="default">
                      <profiles>
                          <profile name="main-app">
                              <remoting-ejb-receiver name="AppOneA"
 outbound-connection-ref="remote-ejb-connection-1"/>
                              <remoting-ejb-receiver name="AppTwoA"
 outbound-connection-ref="remote-ejb-connection-2"/>
                          </profile>
                      </profiles>
                  </remote>
 ....
              <subsystem xmlns="urn:jboss:domain:remoting:3.0">
                  <outbound-connections>
                      <remote-outbound-connection
 name="remote-ejb-connection-1"
 outbound-socket-binding-ref="remote-ejb-1" username="quickuser1"
 security-realm="ejb-security-realm-1" protocol="http-remoting">
                          <properties>
                              <property name="SASL_POLICY_NOANONYMOUS"
 value="false"/>
                              <property name="SSL_ENABLED"
value="false"/>
                          </properties>
                      </remote-outbound-connection>
                      <remote-outbound-connection
 name="remote-ejb-connection-2"
 outbound-socket-binding-ref="remote-ejb-2" username="quickuser2"
 security-realm="ejb-security-realm-2" protocol="http-remoting">
                          <properties>
                              <property name="SASL_POLICY_NOANONYMOUS"
 value="false"/>
                              <property name="SSL_ENABLED"
value="false"/>
                          </properties>
                      </remote-outbound-connection>
                  </outbound-connections>
              </subsystem>

 With the current implementation there are some issues or
 concerns/enhancements
 - profile does not work with clusters
 - not possible to have multiple profiles
 - the properties/user must be still repeated

  From my point of view
 - a cluster need to have the same property configuration, also different
 users make no sense. Might work, but at least the cluster view will use
 the same user
 - a similar group of servers for the same application should not have
 different properties/users as this will be error prone
 - configuration should be as small and intuitive as possible

 My initial idea was to have a jboss-ejb-client.xml which reference
 'applications' to connect, that is similar to profiles
 The server side as followed (don't care about the exact XML elements or
 names)

              <subsystem xmlns="urn:jboss:domain:remoting:3.0">
                  <outbound-connections>
                      <profile name="App1" username="quickuser1"
 security-realm="ejb-security-realm-1" protocol="http-remoting">
                          <properties>
                              <property name="SASL_POLICY_NOANONYMOUS"
 value="false"/>
                              <property name="SSL_ENABLED"
value="false"/>
                          </properties>
 <outbound-sockets>remote-ejb-1,remote-ejb2</outbound-sockets> <!--
 repeated elements seems better -->
                      </remote-outbound-connection>
                      <remote-outbound-connection
 name="remote-ejb-connection-X"
 outbound-socket-binding-ref="remote-ejb-X" username="quickuser2"
 security-realm="ejb-security-realm-2" protocol="http-remoting">
                          <properties>
                              <property name="SASL_POLICY_NOANONYMOUS"
 value="false"/>
                              <property name="SSL_ENABLED"
value="false"/>
                          </properties>
                      </remote-outbound-connection>
                  </outbound-connections>
              </subsystem>

 In this case the profile use the user/security and properties for all
 connections and the cluster as well. In this it is necessary to have the
 same configuration for all the servers in the profile-bunch.
 Another option I thought about is to use the user/properties in
 <profile> as default and have the possibility to use a inner element
 remote-outbound-connection, or a reference to remote-outbound-connection
 which can override these, but I'm not sure whether this is needed.

 We (Tomasz Adamski and me) had a discussion about this and, technically
 there is no problem with each approach.

 But ...

 I know that all the ejb-client stuff is subject to change and to prevent
 from incompatible changes which are changed in every version
 and from unnecessary work if the code will be changed before it will be
 used at all
 I think it will need to be discussed with others because of this.

 cheers
 Wolf

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

Re: [wildfly-dev] WFLY-2422 or simplifying the remote outbound connection configuration for server to server communication