Steve, thank you for very valuable suggestions. Your block post is really great - I've read about environments in Heat documentation but didn't really understood them until now.
Usage of nested stacks may or may not solve my problem depending on what is possible to do within those stacks. Let me explain with simple example. As you probably know Murano uses Heat for all infrastructure-related operations. This means if some application from Catalog needs VM instance or any other type of OpenStack resource it creates it by inserting a snippet into user's Heat stack template and executes UPDATE STACK command. Now suppose there is WordPress application published in App Catalog. WordPress app manifest says that it requires installation of MySql. There is also another application in AppCatalog called GaleraMySql that is known to be compatible with MySql. In Murano Dashboard user creates new environment (this corresponds to Heat stack and is not related to what is called environment in Heat) and puts WordPress and GaleraMySql on it. Then he connects them so that GaleraMySql instance would be used in WordPress for MySql requirement. WordPress and GaleraMySql were developed by different vendors that are not aware of each others presence. But because of unfortunate combination of circumstances both vendors chose to merge exactly the same snippet into user's stack: "Resources": { "myHost": { "Type": "AWS::EC2::Instance", "Properties": { "InstanceType": "large", "ImageId": "someImage" } } } Then instead of 2 different VMs there would be only one. Things would be even worse if there was already resource "myHost" in user's stack. It is more than a name-collision problem as incorrectly written application manifest can cause any imaginable harm to the stack. The obvious solution would be to give each app dedicated nested stack and restrict it to that nested stack only. This would be a best solution. All I need is to have the same level of control on nested stack I have on outer stack - get stack template, modify and update them, access output attributes. Is it possible to retrieve nested stack template, modify it and populate it back to Heat? Another option would be create separate top-level stacks for each app. But in Murano applications themselves composed of smaller parts and in practice this would lead to creation of dozen stacks with most of them containing single resource. And then we would have to implement transaction update between several stacks, coordinated deletion etc. This would also be bad from a user's point of view at he doesn't expect to find long list of stacks he has no idea where they came from. My other options were on how nested stacks can be emulated on top of single stack by controlling which app created which resource and dynamically adjust resource names back and forth ("myHost" in example above) to some unique values in a way that is opaque to application On Fri, Feb 21, 2014 at 8:20 PM, Steven Hardy <sha...@redhat.com> wrote: > On Fri, Feb 21, 2014 at 06:37:27PM +0400, Stan Lagun wrote: > > Hi Everyone, > > > > While looking through Heat templates generation code in Murano I've > > realized it has a major design flaw: there is no isolation between Heat > > resources generated by different apps. > > Can you define the requirement for "isolation" in more detail? Are you > referring simply to namespace isolation, or do you need auth level > isolation, e.g something enforced via keystone? > > > Every app manifest can access and modify its environment stack in any > way. > > For example it can delete instances and other resources belonging to > other > > applications. This may be not so bad for Murano 0.4 but it becomes > critical > > for AppCatalog (0.5) as there is no trust relations between applications > > and it may be unacceptable that untrusted application can gain complete > > write access over the whole stack. > > All requests to Heat are scoped by tenant/project, so unless you enforce > resource-level access policy (which we sort-of started looking at with > OS::Heat::AccessPolicy), this is expected behavior. > > > There is also a problem of name collisions - resources generated by > > different applications may have the same names. This is especially > probable > > between resources generated by different instances of the same app. This > > also affects Parameters/Output of Heat templates as each application > > instance must generate unique names for them (and do not forget them > later > > as they are needed to read output results). > > A heirarchy of nested stacks, with each application defined as a separate > stack seems the obvious solution here. > > > I think we need at least to know how we going to solve it before 0.5 > > > > Here is possible directions i can think of: > > > > 1. Use nested Heat stacks. I'm not sure it solves naming collisions and > > that nested stacks can have their own Output > > I think it does, and yes all stacks can have their own outputs, including > nested stacks. > > Of particular interest to you may be the provider resource interface to > nested stacks, which will allow you to define (via a series of nested stack > templates) custom resource types defining each of your applications. > > See this old blog post, which will give you the providers/environments 101, > and contains links to most of the related heat docs: > > > http://hardysteven.blogspot.co.uk/2013/10/heat-providersenvironments-101-ive.html > > > 2. Control all stack template modifications and track which resource was > > created by which app. Give applications read-only access to resources > they > > don't own > > I think we need more info on the use-case here, but perhaps you can either > use the AccessPolicy resource, or we can work on defining an enhanced > version which meets your requirements. > > > 3. Auto-generate resource names. Auto-add prefixes/suffixes to > > resource/output etc names indicating owning app instance ID and remove > them > > upon read access from workflow so that generated names would be invisible > > to workflow. That would also mean all VMs would have generated names > > Heat already does this internally, we create unique names for all your > instances, unless you explicitly provide a name via the OS::Nova::Server > "name" property. > > It might help if you could provide a really simplified example of the > problem you are facing, or links to the real templates which we could > review and make suggestions? > > Steve > > _______________________________________________ > OpenStack-dev mailing list > OpenStack-dev@lists.openstack.org > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > -- Sincerely yours Stanislav (Stan) Lagun Senior Developer Mirantis 35b/3, Vorontsovskaya St. Moscow, Russia Skype: stanlagun www.mirantis.com sla...@mirantis.com
_______________________________________________ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev