Date: Fri, 14 Nov 2014 12:08:28 -0700
Subject: Re: [DISCUSS] Major business logic refactoring: Move from Account to UserAccount
From: Mike Tutkowski
To: "dev@cloudstack.apache.org"

Yeah, I assume you would use the column ID of the user table (as opposed to
the UUID of the given user), right?

On Fri, Nov 14, 2014 at 12:04 PM, Rohit Yadav wrote:

> Min, you’re right I don’t propose to change the IAM model just some
> additional data that notes who *actually* owns the resource (VM, volume,
> etc.) in an account which can be useful for sysadmins to list resource by
> userid etc.
>
> I can understand the hesitation and the side effects such a refactoring
> can produce, so I think the best would be to add user_id (uuid) columns and
> change only the API/query layer.
>
> Mike: I don’t propose to use user name but uuids so they are unique. My
> concern was adding user_id column to say vm_instance table denormalizes
> data as that table already has domain_id and account_id in it and as Rajani
> suggested earlier those two are not needed as using user_id one can find
> account_id and domain_id. I guess, the easiest way would be to just add an
> additional user_id column.
>
> Cheers.
>
>
> On 15-Nov-2014, at 12:14 am, Min Chen wrote:
> >
> > Rohit, If I understood you correctly, the user_id column is only used for
> > listing resources to indicate which user is the real owner/creator of the
> > resource, but you don't want to change CloudStack account-level permission
> > model to user-level permission model, right? If so, the change will be
> > smaller, maybe some Response classes, which should not involve too many
> > business layer change. I will hesitate to really change CloudStack IAM
> > model though.
> >
> > Thanks
> > -min
> >
> > On 11/14/14 10:35 AM, "Rohit Yadav" wrote:
> >
> >> Hi Min,
> >>
> >> Good to know. What do you propose we do moving forward. Do a refactoring
> >> run to fix it or leave it as it is and perhaps add user_id columns to few
> >> resources that are more useful for sysadmins such as vm_instance table.
> >>
> >>> On 14-Nov-2014, at 11:49 pm, Min Chen wrote:
> >>>
> >>> Rohit,
> >>>
> >>> I think that the historic reason for this is that CloudStack is only
> >>> doing IAM access permission check on account level, user is only login
> >>> authentication purpose. That is why we will see that all our CloudStack
> >>> resource owner field is an account, since that is the only information
> >>> used for controlling whether you have some permissions to the resource.
> >>> Thanks
> >>> -min
> >>>
> >>> On 11/14/14 12:53 AM, "Rohit Yadav" wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> All CloudStack DB entities (VM, storage, network etc.) have an owner
> >>>> field which is mostly the account. An account can have multiple users so
> >>>> just by looking at the resource (say VM) it's not possible to make out
> >>>> which user in the account (owner or account_id field in the db row of the
> >>>> entity) created it. CloudStack users may want to know this information
> >>>> for at least entities such as VMs and Volumes.
> >>>>
> >>>> Historically, why is the account owner of an entity and not a user? If
> >>>> user were the owner, we could easily get the account Id using the user
> >>>> Id.
> >>>>
> >>>> One solution to fix this problem is to refactor and replace Account
> >>>> (interface) usage with UserAccount (interface) usage, fix the DAO and
> >>>> resource layer, and add columns in the schema. This gets us all the
> >>>> information we need to determine domainId, AccountId and Id (the user
> >>>> ID). Should we do it for all entities or just keep status quo (use
> >>>> account as owners), or just fix it on-demand basis for specific entities
> >>>> such as for user VMs [1].
> >>>>
> >>>> [1] https://issues.apache.org/jira/browse/CLOUDSTACK-7908
> >>>>
> >>>> Regards,
> >>>> Rohit Yadav
> >>>> Software Architect, ShapeBlue
> >>>> M. +91 88 262 30892 | rohit.yadav@shapeblue.com
> >>>> Blog: bhaisaab.org | Twitter: @_bhaisaab
> >>>>
> >>>> Find out more about ShapeBlue and our range of CloudStack related
> >>>> services
> >>>>
> >>>> IaaS Cloud Design & Build
> >>>> CSForge – rapid IaaS deployment framework
> >>>> CloudStack Consulting
> >>>> CloudStack Software Engineering
> >>>> CloudStack Infrastructure Support
> >>>> CloudStack Bootcamp Training Courses
> >>>>
> >>>> This email and any attachments to it may be confidential and are intended
> >>>> solely for the use of the individual to whom it is addressed. Any views
> >>>> or opinions expressed are solely those of the author and do not
> >>>> necessarily represent those of Shape Blue Ltd or related companies. If
> >>>> you are not the intended recipient of this email, you must neither take
> >>>> any action based upon its contents, nor copy or show it to anyone. Please
> >>>> contact the sender if you believe you have received this email in error.
> >>>> Shape Blue Ltd is a company incorporated in England & Wales.
> >>>> ShapeBlue Services India LLP is a company incorporated in India and is
> >>>> operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria
> >>>> Ltda is a company incorporated in Brasil and is operated under license
> >>>> from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The
> >>>> Republic of South Africa and is traded under license from Shape Blue Ltd.
> >>>> ShapeBlue is a registered trademark.
> >>>
> >>
> >> Regards,
> >> Rohit Yadav
> >
>
> Regards,
> Rohit Yadav
>

-- 
*Mike Tutkowski*
*Senior CloudStack Developer, SolidFire Inc.*
e: mike.tutkowski@solidfire.com
o: 303.746.7302
Advancing the way the world uses the cloud *™*
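
An added sketch, not part of the thread and not CloudStack code, of the option discussed above: a nullable user_id on vm_instance used only for listing, with access checks left at account level, plus a query that finds rows where the denormalized user_id, account_id and domain_id disagree. The schema is simplified and constructed; only vm_instance, account_id, domain_id and user_id come from the thread, and storing the internal user id while filtering by UUID is one assumed way to reconcile the two suggestions.

```python
import sqlite3

# Simplified, constructed schema: only vm_instance, account_id, domain_id and
# user_id are named in the thread; every other name here is hypothetical.
SCHEMA = """
CREATE TABLE account (id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL);
CREATE TABLE user (id INTEGER PRIMARY KEY, uuid TEXT UNIQUE NOT NULL,
                   account_id INTEGER NOT NULL REFERENCES account(id));
CREATE TABLE vm_instance (id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                          domain_id INTEGER NOT NULL,
                          account_id INTEGER NOT NULL REFERENCES account(id),
                          user_id INTEGER REFERENCES user(id));
"""

def build_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO account VALUES (?, ?)", [(1, 10), (2, 20)])
    db.executemany("INSERT INTO user VALUES (?, ?, ?)",
                   [(1, "u-alice", 1), (2, "u-bob", 1), (3, "u-carol", 2)])
    db.executemany("INSERT INTO vm_instance VALUES (?, ?, ?, ?, ?)", [
        (1, "web", 10, 1, 1),        # created by alice
        (2, "db", 10, 1, 2),         # created by bob, same account
        (3, "legacy", 10, 1, None),  # pre-migration row, creator unknown
        (4, "drift", 20, 2, 1),      # user_id points into another account
    ])
    return db

def can_access(db, caller_user_id, vm_id):
    """Authorization stays account-level: vm_instance.user_id is never read."""
    row = db.execute(
        "SELECT 1 FROM vm_instance v JOIN user u ON u.account_id = v.account_id "
        "WHERE v.id = ? AND u.id = ?", (vm_id, caller_user_id)).fetchone()
    return row is not None

def vms_created_by(db, user_uuid):
    """Listing filter by creator, addressed by the user's UUID."""
    return [r[0] for r in db.execute(
        "SELECT v.name FROM vm_instance v JOIN user u ON u.id = v.user_id "
        "WHERE u.uuid = ? ORDER BY v.id", (user_uuid,))]

def inconsistent_rows(db):
    """VM ids whose user_id belongs to a different account or domain."""
    return [r[0] for r in db.execute(
        "SELECT v.id FROM vm_instance v JOIN user u ON u.id = v.user_id "
        "JOIN account a ON a.id = u.account_id "
        "WHERE v.account_id != u.account_id OR v.domain_id != a.domain_id "
        "ORDER BY v.id")]
```

Row 4 shows why the denormalization concern matters: the recorded creator cannot access the VM because the check ignores user_id, and only the consistency query reveals the mismatch.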