Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Should the callback plugin be talking directly to the database? #106

Open
larsks opened this issue Jun 7, 2016 · 4 comments
Open

Should the callback plugin be talking directly to the database? #106

larsks opened this issue Jun 7, 2016 · 4 comments

Comments

@larsks
Copy link
Collaborator

larsks commented Jun 7, 2016

Should the callback plugin be connecting directly to the database? That means that any machine that runs Ansible needs to have direct read/write access to the database server. I can see this making a lot of people uncomfortable.

Should ARA have a REST API that can be used by the callback plugin in lieu of direct database access?
@dmsimard
Copy link
Owner

dmsimard commented Jun 8, 2016

Deleted my two previous unrelevant comments. This is a summary of what I think:

  • Yes, it could be a problem in some contexts that the callback, the CLI (or even the web interface? Although there are no deletion features in it, there could be) has write access to the database
  • I am for a HTTP REST API but against it being required to use the callback. It wouldn't make sense to require the REST API to run (even from the development web server) to be able to run Ansible.

Let's take for example nova, there's:

  • nova (server, database, methods and api endpoint components)
  • python-novaclient (client library that talks to a nova api server)
  • python-openstackclient (CLI interface that wraps around novaclient)
  • horizon (web interface that wraps around novaclient)

Does a segmentation like that make sense for ARA ? I think so. Right now we have everything talking to the database. We could probably have an internal API and then have everything use that internal API instead. The (eventual) HTTP REST API could just almost passthrough to the internal API. There could be a toggle between internal and external api if people want to use REST instead, but then it brings the whole concept of authentication and stuff I didn't want to have to worry about.

I know there's a lot of work hidden behind something like that but it's probably something we'll need to do one day or another ...

@larsks
Copy link
Collaborator Author

larsks commented Jun 8, 2016

The problem with the nova analogy, of course, is that all of those tools - novaclient, opentackclient, horizon, etc. -- expect the Nova API server to be running, and communicate only via the REST API rather than talking to the database directly...which sounds like the situation you are arguing against.

I think we're going to need to go that way eventually, even for the callback.

@Malet
Copy link

Malet commented Jun 12, 2017

Agree with @larsks on this one, would definitely be cleaner to talk to the API, also allows us to use basicAuth/TLS/HMAC for authentication with little extra effort.

@dmsimard
Copy link
Owner

@Malet a proper API and segmentation of the different components (client/api/server) is still in the roadmap but it will be quite a significant amount of work. It's probably one of the next large feature set we'll be working on as ARA has reached a certain level of maturity at this point.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@larsks @Malet @dmsimard