Adds specification for lock instances

Simple string locking of instances.
Design for blueprint lock-instances

Implements: blueprint lock-instances
Co-Authored-By: jolie <guoshan@awcloud.com>

Change-Id: I33967d0867bb225bb215180d8e81e9878a3b58ff
zhangjl 2 years ago
parent
commit
7b9f73abb4
1 changed files with 189 additions and 0 deletions
specs/ocata/approved/lock-instance-api.rst (+189 -0)

@@ -0,0 +1,189 @@
1
+..
2
+ This work is licensed under a Creative Commons Attribution 3.0 Unported
3
+ License.
4
+
5
+ http://creativecommons.org/licenses/by/3.0/legalcode
6
+
7
+=================================================
8
+Add lock API for changing instance to lock/unlock
9
+=================================================
10
+
11
+https://blueprints.launchpad.net/mogan/+spec/lock-instances
12
+
13
+This spec proposes to provide the lock REST API, then operators do not
14
+have to worry about instances could be terminated by mistaken.
15
+
16
+Problem description
17
+===================
18
+
19
+In Mogan, we provided REST API to delete baremetal servers when do not need
20
+any more. However, there is no limit of delete REST API usage. So user can
21
+delete baremetal server in any circumstances. This change proposes to add
22
+the lock REST API to disable terminate baremetal server if necessary.
23
+
24
+Use Cases
25
+---------
26
+
27
+when booting a baremetal server, a delete request from other users by
28
+mistaken is unacceptable. To avoid this, lock your server is better.
29
+
30
+For another use case, when maintaining, delete maintained baremetal
31
+servers is also unacceptable. As an operator, if you want to maintain a
32
+baremetal servers, You could lock baremetal servers to forbid deleting
33
+operations. After maintaining, you need to unlock baremetal servers.
34
+Then you can do other operations.
35
+
36
+Proposed change
37
+===============
38
+
39
+* Modify the data model to record the lock state of instances.
40
+* Add the lock REST API to lock/unlock instance.
41
+
42
+Alternatives
43
+------------
44
+
45
+Maybe leveraging the instance state instead of adding a new locked field
46
+is an alternative. While, if we want to lock an buiding instance, it`s
47
+difficult to deal with the lock state and build state with only one state
48
+column.
49
+
50
+Data model impact
51
+-----------------
52
+
53
+The `mogan.objects.instance.Instance` object would have new `locked` and
54
+`locked_by` field of type `mogan.objects.fields.ListOfStrings` that would
55
+be populated on-demand(i.e. not eager-loaded).
56
+
57
+A locked shall be defined as a tinyint no longer than 1 bytes in length,
58
+and the locked_by shall be defined as an enum with owner and admin as its
59
+valid values.
60
+
61
+For the database schema, the following table changes would suffice ::
62
+
63
+    ALTER TABLE `instances`
64
+    ADD COLUMN `locked`  tinyint(1) NULL DEFAULT NULL,
65
+    ADD COLUMN `locked_by`  enum('owner','admin') NULL DEFAULT NULL;
66
+
67
+
68
+REST API impact
69
+---------------
70
+
71
+
72
+* Request method:
73
+    * PUT
74
+
75
+* URL:
76
+    * /instances/{instance_uuid}/lock
77
+
78
+*Lock an instance*
79
+
80
+* Parameters for request ::
81
+
82
+    {
83
+        "target": true
84
+    }
85
+
86
+*Unlock an instance*
87
+
88
+* Parameters for request ::
89
+
90
+    {
91
+        "target": false
92
+    }
93
+
94
+* Normal HTTP response code:
95
+    * `202 ACCEPTED`
96
+
97
+* Expected error http response codes
98
+    * `400 BadRequest`
99
+      The request params were invalied
100
+
101
+    * `404 NotFound`
102
+      The instance requested to be lock was not found
103
+
104
+    * `403 Forbidden`
105
+      The user has no access to request this API
106
+
107
+    * `409 Conflict`
108
+      The instance requested to be lock or unlock was not in valid status
109
+
110
+* Policy changes:
111
+    **Only Admin and owner is allowed to request these API.**
112
+    * If `Admin` locked an instance, only `Admin` can unlock it.
113
+    * If `Owner` locked an instance, both `Owner` and `Admin` can unlock it.
114
+    * If an instance has been locked, **UNLOCK** was only allowed for `Owner`
115
+      and `Admin`. And, other operations should be denied for non-admin.
116
+
117
+Security impact
118
+---------------
119
+
120
+None
121
+
122
+Notifications impact
123
+--------------------
124
+
125
+None
126
+
127
+Other end user impact
128
+---------------------
129
+
130
+As part of this effort we will also need to add the support to
131
+python-moganclient.
132
+
133
+Performance Impact
134
+------------------
135
+
136
+None
137
+
138
+Other deployer impact
139
+---------------------
140
+
141
+None
142
+
143
+Developer impact
144
+----------------
145
+
146
+None
147
+
148
+Implementation
149
+==============
150
+
151
+Assignee(s)
152
+-----------
153
+
154
+Primary assignee:
155
+  zhangjialong <zhangjl@awcloud.com>
156
+
157
+Other contributors:
158
+  jolie <guoshan@awcloud.com>
159
+
160
+Work Items
161
+----------
162
+
163
+* Modify the database model of instances.
164
+* Add lock REST API to lock and unlock instances.
165
+* Valid an instance is locked before execute other operations.
166
+* Support the new lock REST API in python-moganclient.
167
+
168
+
169
+Dependencies
170
+============
171
+
172
+None.
173
+
174
+Testing
175
+=======
176
+
177
+* Unit tests will be added to Mogan for testing the new
178
+  REST API.
179
+
180
+Documentation Impact
181
+====================
182
+
183
+The in-tree API reference will be updated for the mogan REST API
184
+documentation.
185
+
186
+References
187
+==========
188
+
189
+None
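
Review bot: "Security impact" is marked None, but the "Policy changes" list under "REST API impact" defines a new authorization rule, so that section should state it: who may lock, who may unlock (`locked_by` of `admin` versus `owner`), which status code an owner receives when trying to unlock an admin-locked instance (the error list does not say whether that is 403 or 409), and that "other operations should be denied for non-admin" still lets an admin delete a locked instance, which leaves the mistaken-delete use case uncovered when the caller is an admin. The "Data model impact" section also contradicts itself: its first paragraph gives `locked` and `locked_by` the type `mogan.objects.fields.ListOfStrings` and says they are populated on demand, while the next paragraph and the `ALTER TABLE` define a `tinyint(1)` and an enum; since the work items require checking the lock before every other operation, both should be plain scalar fields loaded with the instance. Consider `NOT NULL DEFAULT 0` for `locked` in place of `NULL DEFAULT NULL`, so existing rows have a defined unlocked state and the check never has to interpret NULL.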
