
GOCDB A Site/Service Registry and CMDB

GOCDB A Site/Service Registry and CMDB. david.meredith@stfc.ac.k. STFC Daresbury Labs, Warrington, UK. https://wiki.egi.eu/wiki/GOCDB. A Configuration Management Database (CMDB) for e-Infrastructures. Portal + REST API to register + manage domain objects in an e-Infrastructure:



  1. GOCDB A Site/Service Registry and CMDB david.meredith@stfc.ac.k • STFC Daresbury Labs, Warrington, UK

  2. https://wiki.egi.eu/wiki/GOCDB

  3. A Configuration Management Database (CMDB) for e-Infrastructures
     • Portal + REST API to register + manage domain objects in an e-Infrastructure:
       • Projects, NGIs, Sites, Services/Endpoints/Types, ServiceGroups, Downtimes, Users, Roles, Contacts
     • Static attributes, manual input + validation, mandatory/optional
     • Multi-tenant (1 or more projects hosted in same instance)
     • Comprehensive Role-based permissions model
     • Enforces a number of Business Rules and policies
     • Extensible; add custom (Key=Value) pairs to domain objects
     • Fine-grained resource filtering/grouping using tagging
     • Defines what resources should be present, rather than live/current status of services/infrastructure
     • Bootstraps other systems: Top BDII, Monitoring, Ops portal, Accounting, ACLs.
     • GUI is legacy, could be modernised, but the backend Domain-Model is pretty solid/extensible.

  4. Domain Model Comparison
     [Diagram: GLUE2 (subset) compared with GOCDB (subset)]

  5. Projects/Sites/Services/ServiceGroups
     [Diagram with EGI and EUDAT labels]

  6. Group Management, Roles, Rules
     • Projects, NGIs, Sites + ServiceGroups self-manage their own users:
       • Users request Roles over objects
       • Users with existing roles Grant, Deny, Revoke requests
       • Roles enable fine-grained Actions over objects
     • Enforces a variety of business rules:
       • ‘NGI’ or ‘Project’ level role needed to update the CertificationStatus of a child Site (e.g. suspend site)
       • Prevents sites self-certifying
       • Many others…

  7. Resource Grouping With Scope Tags
     • Resource owners tag their NGIs, Sites, Services, ServiceGroups with one or more scope tags
     • Tags used to define resource categories/groups without duplicating
     • Single resource can be tagged multiple times
     • Maintains integrity of information across different groups, projects, etc…
     • E.g. EGI filters resources to include only ‘EGI’ tagged resources, new tags can be added as required
     • Filter using ‘scope’ and ‘scope_match’ (Portal+API)
     [Diagram: Service A and Service B with Scope Tags EGI, TEST, CLIP]

  8. Extension Properties: Add Custom (Key=Value) Pairs to NGIs, Sites, Services, Endpoints, ServiceGroups
     [Figure: Sample Glue attributes as extension properties on a Service]
     [Figure: Sample Glue attributes as extension properties on a ServiceEndpoint]

  9. REST style API to Query in XML
     • API is read only
     • Also published on failover server (goc.dl.ac.uk, sync’d hourly)
     • Queries are filtered using URL parameters
     • Proprietary XML
     • Similar to GLUE2 XML: flat rather than deeply nested XML docs
     • Could render same data in GLUE2 XML/JSON
     • Extensions follow GLUE2 XML ....

  10. Current Roadmap
     • Federated Identity Access (SAML/Shib/IdP)
       • Alternative to x509 to authenticate users
       • Done; testing underway on gocdb-test
     • Improve Role Model for multi-tenant
       • Projects hosted in same instance can define different Roles/rules per-project
       • Done; testing to start soon
     • Enhance the Change Logging (EUDAT)
       • Record every role request, denial, acceptance, revocation, deletion (Done, released v5.4)
       • Record every change to a domain object (who did what, when, pre-post diff). TODO
     Coming soon: v5.5

  11. Future Roadmap (under review)
     To Consider: Move GOCDB into the InfoSys space?

  12. Candidate Items / Future Roadmap
     • Extend GOC’s data model for InfoSys
       • Add new attributes to existing objects (~trivial)
       • Add new object types to domain model e.g. GLUE2 Share (~doable)
       • Render GOC’s data in GLUE2 XML/JSON (~doable)
     • Browse/upload (key=value) .properties file for adding/updating a bulk of attributes defined on a Site, Service, Endpoint (approved)
       • EUDAT: publish K=V template files for their community (or upload xml/json?)
       • Approved, see RT: https://rt.egi.eu/rt/Ticket/Display.html?id=9427
     • A REST service to POST .props files / CRUD operations (~doable)
       • Would enable client-scripting for adding/updating dynamic attributes
       • Important: Could use existing Role/Authentication model
         • Existing user registers a new GOCDB account using a host cert
         • Use the host cert to request Roles over target sites/services
         • Existing user grants role requests
         • Use host cert to authenticate the script on HTTP POST/PUT
         • This account can be self-managed as normal; revoke roles, delete…
     [Slide callout: one time]

  13. Summary
     Now:
     • GOCDB currently supports static attributes + manual input/editing
     • Role-based permissions model enforces a range of business rules/policy
     • Records what resources should be available, e.g. for bootstrapping BDIIs
     • Data model is extensible via custom (Key=Val) pairs
     Future: Consider moving GOCDB more into the InfoSys space?
     • Addition of REST services for CRUD + dynamic attributes has been discussed in the past, but was not explored further…
     • Time to re-consider?
     • Happy to record new RT if requested by TF
     • Would need some further investigation, load-testing etc.
     Misc/FYI
     • EUDAT funded new dev on 6mth project + EGI-Engage funding confirmed
     • I’ll be away for the next 2 weeks, but will re-engage after hols

  14. Extra slides

  15. Resource Filtering using Scope-Tags + Custom Extension Properties
     • Resources can be tagged using one or more Scope Tags
     • Allows filtering in Portal and API
     • Used to declare project affiliations + resource grouping/categories
     • No duplication of information
     • Filter using a combination of scope tags and custom properties
     • Filtering by scope Tags in API
       • get_site&scope=EGI,CLIP&scope_match=any|all
     • Filtering by custom Extension Properties (Key=value) pairs in API
       • get_service&extensions=(VO=)AND(VO2=bar)NOT(V04=)
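The two filters on slide 15 decide which resources a downstream consumer (monitoring, accounting, ACLs) receives, so the difference between `scope_match=any` and `all` is worth checking offline. The following is an added example, not GOCDB code: a small Python model of the filter semantics over constructed records, assuming that the first `extensions` term is an implicit AND and that an empty value such as `(VO=)` matches any value of that key.

```python
import re

# Constructed sample records, not real GOCDB data.
SERVICES = [
    {"name": "svc-a", "scopes": {"EGI", "CLIP"}, "ext": {"VO": "atlas", "VO2": "bar"}},
    {"name": "svc-b", "scopes": {"EGI"}, "ext": {"VO": "cms", "VO2": "bar", "V04": "x"}},
    {"name": "svc-c", "scopes": {"TEST"}, "ext": {"VO2": "bar"}},
]

_TERM = re.compile(r"(AND|NOT)?\((\w+)=([^()]*)\)")

def parse_extensions(expr):
    """Split '(K=V)AND(K2=V2)NOT(K3=)' into (operator, key, value) terms."""
    terms, pos = [], 0
    for m in _TERM.finditer(expr):
        # Reject stray text between terms and terms that lack an operator.
        if m.start() != pos or (terms and m.group(1) is None):
            raise ValueError(f"malformed extensions filter near offset {pos}")
        terms.append((m.group(1) or "AND", m.group(2), m.group(3)))
        pos = m.end()
    if not terms or pos != len(expr):
        raise ValueError(f"malformed extensions filter: {expr!r}")
    return terms

def matches_extensions(ext, terms):
    for op, key, value in terms:
        # Assumption: an empty value, as in (VO=), matches any value of that key.
        hit = key in ext and (value == "" or ext[key] == value)
        if (op == "AND") != hit:  # AND terms must hit, NOT terms must miss
            return False
    return True

def matches_scope(tags, scope, scope_match):
    wanted = {s.strip() for s in scope.split(",") if s.strip()}
    if not wanted or scope_match not in ("any", "all"):
        raise ValueError("scope must be non-empty and scope_match 'any' or 'all'")
    return bool(tags & wanted) if scope_match == "any" else wanted <= tags

def query(records, scope, scope_match, extensions):
    """Names of records passing both the scope filter and the extensions filter."""
    terms = parse_extensions(extensions)
    return [r["name"] for r in records
            if matches_scope(r["scopes"], scope, scope_match)
            and matches_extensions(r["ext"], terms)]

if __name__ == "__main__":
    print(query(SERVICES, "EGI,CLIP", "any", "(VO2=bar)"))
    print(query(SERVICES, "EGI,CLIP", "all", "(VO2=bar)"))
    print(query(SERVICES, "EGI,CLIP", "any", "(VO=)AND(VO2=bar)NOT(V04=)"))
```

With the same tag list, `any` returns every resource carrying at least one of the tags while `all` returns only those carrying every tag, so a consumer that builds access lists from the result should pin `scope_match` explicitly.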
