26c5e79070
This patch change the lock api url from
/instances/{instance_uuid}/lock
to /instances/{instance_uuid}/states/lock. It`s more readable.
Change-Id: I8d2fea99a4041eb4160f34582868c24b99035797
190 lines
4.3 KiB
ReStructuredText
190 lines
4.3 KiB
ReStructuredText
..
|
|
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
|
License.
|
|
|
|
http://creativecommons.org/licenses/by/3.0/legalcode
|
|
|
|
=================================================
|
|
Add lock API for changing instance to lock/unlock
|
|
=================================================
|
|
|
|
https://blueprints.launchpad.net/mogan/+spec/lock-instances
|
|
|
|
This spec proposes to provide the lock REST API, then operators do not
|
|
have to worry about instances could be terminated by mistaken.
|
|
|
|
Problem description
|
|
===================
|
|
|
|
In Mogan, we provided REST API to delete baremetal servers when do not need
|
|
any more. However, there is no limit of delete REST API usage. So user can
|
|
delete baremetal server in any circumstances. This change proposes to add
|
|
the lock REST API to disable terminate baremetal server if necessary.
|
|
|
|
Use Cases
|
|
---------
|
|
|
|
when booting a baremetal server, a delete request from other users by
|
|
mistaken is unacceptable. To avoid this, lock your server is better.
|
|
|
|
For another use case, when maintaining, delete maintained baremetal
|
|
servers is also unacceptable. As an operator, if you want to maintain a
|
|
baremetal servers, You could lock baremetal servers to forbid deleting
|
|
operations. After maintaining, you need to unlock baremetal servers.
|
|
Then you can do other operations.
|
|
|
|
Proposed change
|
|
===============
|
|
|
|
* Modify the data model to record the lock state of instances.
|
|
* Add the lock REST API to lock/unlock instance.
|
|
|
|
Alternatives
|
|
------------
|
|
|
|
Maybe leveraging the instance state instead of adding a new locked field
|
|
is an alternative. While, if we want to lock an buiding instance, it`s
|
|
difficult to deal with the lock state and build state with only one state
|
|
column.
|
|
|
|
Data model impact
|
|
-----------------
|
|
|
|
The `mogan.objects.instance.Instance` object would have new `locked` and
|
|
`locked_by` field of type `mogan.objects.fields.ListOfStrings` that would
|
|
be populated on-demand(i.e. not eager-loaded).
|
|
|
|
A locked shall be defined as a tinyint no longer than 1 bytes in length,
|
|
and the locked_by shall be defined as an enum with owner and admin as its
|
|
valid values.
|
|
|
|
For the database schema, the following table changes would suffice ::
|
|
|
|
ALTER TABLE `instances`
|
|
ADD COLUMN `locked` tinyint(1) NULL DEFAULT NULL,
|
|
ADD COLUMN `locked_by` enum('owner','admin') NULL DEFAULT NULL;
|
|
|
|
|
|
REST API impact
|
|
---------------
|
|
|
|
|
|
* Request method:
|
|
* PUT
|
|
|
|
* URL:
|
|
* /instances/{instance_uuid}/states/lock
|
|
|
|
*Lock an instance*
|
|
|
|
* Parameters for request ::
|
|
|
|
{
|
|
"target": true
|
|
}
|
|
|
|
*Unlock an instance*
|
|
|
|
* Parameters for request ::
|
|
|
|
{
|
|
"target": false
|
|
}
|
|
|
|
* Normal HTTP response code:
|
|
* `202 ACCEPTED`
|
|
|
|
* Expected error http response codes
|
|
* `400 BadRequest`
|
|
The request params were invalied
|
|
|
|
* `404 NotFound`
|
|
The instance requested to be lock was not found
|
|
|
|
* `403 Forbidden`
|
|
The user has no access to request this API
|
|
|
|
* `409 Conflict`
|
|
The instance requested to be lock or unlock was not in valid status
|
|
|
|
* Policy changes:
|
|
**Only Admin and owner is allowed to request these API.**
|
|
* If `Admin` locked an instance, only `Admin` can unlock it.
|
|
* If `Owner` locked an instance, both `Owner` and `Admin` can unlock it.
|
|
* If an instance has been locked, **UNLOCK** was only allowed for `Owner`
|
|
and `Admin`. And, other operations should be denied for non-admin.
|
|
|
|
Security impact
|
|
---------------
|
|
|
|
None
|
|
|
|
Notifications impact
|
|
--------------------
|
|
|
|
None
|
|
|
|
Other end user impact
|
|
---------------------
|
|
|
|
As part of this effort we will also need to add the support to
|
|
python-moganclient.
|
|
|
|
Performance Impact
|
|
------------------
|
|
|
|
None
|
|
|
|
Other deployer impact
|
|
---------------------
|
|
|
|
None
|
|
|
|
Developer impact
|
|
----------------
|
|
|
|
None
|
|
|
|
Implementation
|
|
==============
|
|
|
|
Assignee(s)
|
|
-----------
|
|
|
|
Primary assignee:
|
|
zhangjialong <zhangjl@awcloud.com>
|
|
|
|
Other contributors:
|
|
jolie <guoshan@awcloud.com>
|
|
|
|
Work Items
|
|
----------
|
|
|
|
* Modify the database model of instances.
|
|
* Add lock REST API to lock and unlock instances.
|
|
* Valid an instance is locked before execute other operations.
|
|
* Support the new lock REST API in python-moganclient.
|
|
|
|
|
|
Dependencies
|
|
============
|
|
|
|
None.
|
|
|
|
Testing
|
|
=======
|
|
|
|
* Unit tests will be added to Mogan for testing the new
|
|
REST API.
|
|
|
|
Documentation Impact
|
|
====================
|
|
|
|
The in-tree API reference will be updated for the mogan REST API
|
|
documentation.
|
|
|
|
References
|
|
==========
|
|
|
|
None
|