3 Replies Latest reply on Mar 17, 2014 5:53 AM by tsegismont

Dynagroups, Resources for Authorization, Targets for Deployment

ehle Dec 16, 2013 6:28 PM

Hello,

I'm trying to figure out how to organize dynagroups and roles so that:

DynaGroup Definitions auto create resource "group" for each Developement JBoss instance, AND any users with new "Developers" Role can deploy bundles to these targets.

I can create a dynagroup of "all the dev instances" like so:

ALL EAP6 Dev Instances

resource.type.plugin = JBossAS7

resource.type.category = SERVER

resource.parent.type.category = PLATFORM

groupby resource.pluginConfiguration[productType]

groupby resource.type.name

resource.parent.trait[Trait.hostname].contains = -dev

Recursive - yes

Recalculate 10

I can add that group to the list of resources my developer role's privileges apply to, but it doesn't produce drop list entries if a developer wants to create a bundle deploy destination for a specific instance instead of all of them.

I can auto-create unique instances "groups: for each dev system with something like this...

JBoss Dev:

resource.type.plugin = JBossAS7

resource.type.category = SERVER

resource.parent.type.category = PLATFORM

groupby resource.type.name

groupby resource.parent.name

resource.parent.trait[Trait.hostname].contains = -dev

Recursive -Yes

Recalculate 10

But I would then need to add each dynamically created group to the list of resources my developer role's privileges apply to, and remember to update it each time a new instance is discovered. I don't seem to be able to add the parent dynagroup that creates them as a resource, and adding the "ALL EAP6 Dev Instances" resource to the the role, doesn't seem to let a member of the developer role see the "JBoss Dev" child groups in the destination drop down list or give the rights to deploy to them.

So is there a way I can have my cake and eat it too? I want the role to automatically have commit access to all the resource groups that my "JBoss Dev" Dynamic Group definition creates, both in aggregate and individually. I feel like there should be a way to treat a "group of groups" as a role based security

Same question for working with Platforms - How do I give developer role access to all the groups created by:

Platform JBoss Dev

resource.trait[Trait.hostname].contains = -dev

resource.child.type.name = JBossAS7 Standalone Server

groupby resource.name

Recursive - Yes

Recalculate interval 10

Any ideals or help would be much appreciated.

Thanks!

David.

1. Re: Dynagroups, Resources for Authorization, Targets for Deployment

ehle Mar 10, 2014 5:54 PM (in response to ehle)

So I eventually figured out what I really wanted to do there - with help from RH JBoss JON Support.

The solution is to run a rhq cli script from cron, that periodically updates authorization:

I hesitate to post the script provided by support since I'm not sure what the rights to distribution would be, but the logic went like:

Get Resource groups with Role data
Get Roles
Create list of resource groups with a given criteria such as "-dev" in name
Loop through the rolls and if the role matches the name of the role you want, assign the resource group to that roll

Sorry if that is cryptic.

Good luck!
1 of 1 people found this helpful
Actions
2. Re: Dynagroups, Resources for Authorization, Targets for Deployment

genman Mar 17, 2014 12:04 AM (in response to ehle)

I do a lot of things driven by the CLI.

It would be be helpful if RHQ supported having CLI scripts scheduled and uploaded to the server.

Still, writing something in pure Java, compiled has its advantages as well.
Actions
3. Re: Dynagroups, Resources for Authorization, Targets for Deployment

tsegismont Mar 17, 2014 5:53 AM (in response to genman)

It would be be helpful if RHQ supported having CLI scripts scheduled and uploaded to the server.

If you're interested, please comment on Bug 1023353 - RFE: New GUI component to execute CLI scripts
Actions

Go to original post