Updated Admin CLI commands to support tenants. #620
Conversation
|
@msterin I think you need to fix tests to remove "role" subcommand. For DS access, I only see maxVolSize. Does underlying API support maxNumVols or quota-Per-Datastore? |
|
@pdhamdhere - yes, that's what happens in a rush :-). Thanks for the review, I will fix tests/ add numvol/quota and refresh the PR |
msterin
force-pushed
the
cli-auth.msterin
branch
2 times, most recently
from
be031a4
to
94106c3
Compare
| @@ -11,7 +11,9 @@ All output from the admin cli defaults to human readable formats. It will be mad | |||
| The majority of testing will be automated. We can ensure that parsing calls the right callbacks with | |||
| the right information by generating representative input and mocking the callbacks to assert that | |||
| the right information is parsed and delivered correctly. Additionally, and specifically for testing | |||
| roles, we can create roles and then test that they act as expected by calling `role get`. Unit | |||
| access control, we can create access controk definition (tenants and privileges) | |||
| @@ -11,7 +11,9 @@ All output from the admin cli defaults to human readable formats. It will be mad | |||
| The majority of testing will be automated. We can ensure that parsing calls the right callbacks with | |||
| the right information by generating representative input and mocking the callbacks to assert that | |||
| the right information is parsed and delivered correctly. Additionally, and specifically for testing | |||
| roles, we can create roles and then test that they act as expected by calling `role get`. Unit | |||
| access control, we can create access controk definition (tenants and privileges) | |||
| and then test that they act as expected by invoking vmdk_ops commmands on behalf of a fake VM. | |||
There was a problem hiding this comment.
Can suggest using the dummy VM created with vim-cmd and say how that can be created.
| the subcommand. Subcommands can have further subcommands, but currently there is only | ||
| one level of subcommands in this specification. Each subcommand can contain the same | ||
| attributes as top level commands: (func, help, args, cmds). These attributes have | ||
| identical usage to the top-level keys, except they only apply when the subcommand is | ||
| part of the command. For example the `--matches-vm` argument only applies to `role | ||
| create` or `role set` commands. It will be invalid in any other context. | ||
| part of the command. For example the `--matches-vm` argument only applies to `tenant |
There was a problem hiding this comment.
The --matches-vm option seems to be removed. Remove it from here as well.
| @@ -121,6 +121,9 @@ def commands(): | |||
| 'attached-to', 'policy', 'capacity', 'used', | |||
| 'fstype', 'access', 'attach-as'], | |||
| 'metavar': 'Col1,Col2,...' | |||
| }, | |||
| '--tenant' : { | |||
| 'help': 'Displays only VMs for a given tenant' | |||
There was a problem hiding this comment.
Are there any entities to display besides VMs, if not then can reword as "Displays VMs for a given tenant".
| @@ -121,6 +121,9 @@ def commands(): | |||
| 'attached-to', 'policy', 'capacity', 'used', | |||
| 'fstype', 'access', 'attach-as'], | |||
| 'metavar': 'Col1,Col2,...' | |||
| }, | |||
| '--tenant' : { | |||
| 'help': 'Displays only VMs for a given tenant' | |||
There was a problem hiding this comment.
Should --tenant be a part of the ls command? It seems to be listing volumes by default.
Instead we could have like:
vmdkops_admin with commands like
a. volume - ls, create, rm, set
b. tenant - ls, create, rm, set
c.
Which is how most of the admin cli commands are laid out?
which matches with esxcli type command options where we have broad categories within which the same CRUD options are available (list, create, delete, ....)
There was a problem hiding this comment.
this command is supposed to do LS on volumes , filtered by a tenant.
| }, | ||
| '--remove-volumes': { | ||
| 'help': 'BE CAREFUL - Removes this tenant volumes when removing a tenant' | ||
| } |
There was a problem hiding this comment.
Or something like "WARNING: - Removes the named tenant's volumes from all datastores the tenant has access to.
There was a problem hiding this comment.
I don't think it's much better
| 'func': role_rm, | ||
| 'help': 'Delete a role', | ||
| 'func': tenant_rm, | ||
| 'help': 'Delete a tenant', |
There was a problem hiding this comment.
"Remove a tenant" as its tenant_rm vs. tenant_delete?
There was a problem hiding this comment.
yes, all commands are "rm"
| 'metavar': 'create,delete,mount' | ||
| }, | ||
| '--rm-rights': { | ||
| 'help': 'Datastore access Permissions granted', |
There was a problem hiding this comment.
"Datastore access permissions removed"
There was a problem hiding this comment.
Also, rm-rights must allow a way to specify a list of datastores or "all" datastores in one go.
| 'required': True | ||
| }, | ||
| '--datastore': { | ||
| 'help': "Datastore name", |
There was a problem hiding this comment.
This should really be a list, else users need to run the command for each and every datastore which is an effort.
There was a problem hiding this comment.
I agree but I am not sure how to configure it. @andrewjstone - any hints here ?
There was a problem hiding this comment.
I like the concept of accepting datastore list. However, that can be separate PR/improvement.
| 'args': { | ||
| '--name': { | ||
| 'help': 'The name of the tenant', | ||
| 'required': True |
There was a problem hiding this comment.
This should be a list, a use case would be user wants to retire a datastore. User should be able to get all tenants to stop using the datastore.
| 'args': { | ||
| '--name': { | ||
| 'help': 'The name of the tenant', | ||
| 'required': True |
There was a problem hiding this comment.
Again, list for named tenants or make required as "False" and when not provided list access for all tenants.
| @@ -324,7 +430,7 @@ def make_list_of_values(allowed): | |||
| Take a list of allowed values for an option and return a function that can be | |||
| used to typecheck a string of given values and ensure they match the allowed | |||
| values. This is required to support options that take comma seperated lists | |||
| such as --rights in 'role set --rights=create,delete,mount' | |||
| such as --rights in 'tenant set --rights=create,delete,mount' | |||
There was a problem hiding this comment.
Reword this to mention --add-rights or --rm-rights for tenent access set command.
There was a problem hiding this comment.
that is just an example in comments, it does not need to enumerate all usages
| @@ -352,6 +458,8 @@ def ls(args): | |||
| else: | |||
| header = all_ls_headers() | |||
| rows = generate_ls_rows() | |||
| if args.tenant: | |||
| print("TBD: print only VMS for the tenant ", args.tenant) # TODO | |||
There was a problem hiding this comment.
"Print VMs included for the tenant."
Note that the actual commands implementation is still TBD - this change only defines new command syntax and keywords
|
@govint - thanks for the review ! I replied to some of the comments and fixed the rest. Everything not replied to is fixed. |
msterin
force-pushed
the
cli-auth.msterin
branch
from
b0379ee
to
a6ca62f
Compare
| 'required': True | ||
| }, | ||
| '--datastore': { | ||
| 'help': "Datastore name", |
There was a problem hiding this comment.
I like the concept of accepting datastore list. However, that can be separate PR/improvement.
| 'func': role_rm, | ||
| 'help': 'Delete a role', | ||
| 'func': tenant_rm, | ||
| 'help': 'Delete a tenant', |
There was a problem hiding this comment.
Delete an "empty"? tenant?
|
CC/ @lipingxue Can you please review? |
* master: (25 commits) Update new ESX IP added forgotten .so file Install sqlite3 py libs on ESX and load for Python2 Added py code and binaries for sqlite3 python libs Update drone security Removed accidental .pyc files Handle byte to string conversions for status command. Auth configuration and operation admission check (Auth.liping) (vmware-archive#603) Revert "Cli auth.liping" Cli auth.liping (vmware-archive#640) Handle missing or invalid fs type on mount. (vmware-archive#639) Updated Admin CLI commands to support tenants. (vmware-archive#620) Workaround older versions of e2fsprogs (vmware-archive#631) Add auth proposal Made handing of missing metafile less harsh. (vmware-archive#627) Fixed ACLs in payload bin dir (vmware-archive#624) Fixed error handling for set command. (vmware-archive#610) Use new error variables when rolling back volume creation to avoid nil reassignment. (vmware-archive#617) Change wording Fix broken link ...
Defines the syntax for the following
vmdkops_admin.pycommands:Note that the actual commands implementation is still TBD - this change only defines
new command syntax and keywords. When invoked with correct arguments, the commands simply print
Not implemented.//CC @andrewjstone @lipingxue @marksoper
Note: doc update is tracked in #622
TESTED: manually , by asking for
--help. Log below