External-Mirrors/awx
2
0
Fork 0
mirror of https://github.com/ansible/awx.git synced 2026-02-17 03:00:04 -03:30
Code Issues Packages Projects Releases Wiki Activity

Init repo

Browse Source
This commit is contained in:
Michael DeHaan
2013-03-13 13:09:36 -04:00
parent bfdf725f3f
commit 5f0692e6d0
12 changed files with 1412 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

388
planning/api2.md Normal file
View File

@@ -0,0 +1,388 @@
API Overview
============
The following is a start to an API document.
Versioning and Semantics
========================
* All results will either be JSON lists or hashes.
* Only new fields will be added.
* Fields will not be removed.
* URLs are all discoverable, so discover them. Hardcode to prevent against changes, though we'll try not to move anything.
* If you have a 'href' value in JSON, the last part after the last "/", if a number, corresponds to a database ID.
* No IDs will be returned bare, that is, just as integers.
* Objects in list results will be summarized and not include all field info. Usually just an href + type + name + description. Sometimes more.
* All IDs are "big serial" type.
* All JSON returns should have a 'type' in easy structure saying the object type.
Hashes will typically have:
{
'href' : 'http://...' # the resource URL
'name' : 'Fred' # the name of the object (non-unique)
'description' : '...' # some free text describing the object
'tags' : [ # some optional freeform tags
'asdf', 'jkl'
]
'audit_trail': href,
}
API discovery
=============
The root of the API here will be denoted as '/', though for all practical purposes it could be anything.
Getting '/' will return the URLs of other endpoints that are useful. There is no security to get '/',
though everything else requires a username+password. If you first get "/" you can see all of the API URLs
you can use and walk them.
/
GET -- List all of the available API endpoints to enable service discoverability
{
'organizations' : '/orgs',
'users' : '/users',
'projects' : '/projects',
# etc
}
Authentication
==============
An initial user will be created in the database.
URLs require authentication (AuthN) in basic username:password format.
Tokens also supported (/login). TBA.
Authorization varies by URL (see use_cases.md for roles)
Sync scripts will be created to pull from AD and so on.
Pagination
==========
API calls for lists will be paginated.
The default start index will be 0 and the default number of records per page will be 99.
Affix the following the URL to specify differently.
?
Audit Records
=============
Audit trail records are recorded for most edit types.
/audit
GET -- lists all the audit records the user has access to
/audit/#{audit_id}
GET
{
'href' : /audit/12345
'id' : ...
'record_type' : ... # what type of audit trail, for example 'user'
'resource' : href
'date' : ...
'modified_by' : href
'delta' : # for put operations, any fields that are changed, for creation, any added. RAW JSON.
'detail' : some string message set by the system
'comment' : [], comments supplied by the user, if any
'tags' : [] # tags the user may have added, like 'investigate'
}
PUT -- requires org admin
allows modification, but only to set tag fields and add comments. Previous comments
are not edited, so the last comment in the list only will be saved (if different)
Organizations
=============
/orgs
GET -- List all of the available organizations the user is in, or all, if site admin
[
{
'href' : '...',
'id' : 12345,
'name' : 'Finance',
'description' : '...'
}, ...
]
POST -- Add a new organization
/orgs/#{org_id}
GET -- Get the details of an organization
PUT -- Updates an organization
DELETE -- Expires an organization
/orgs/#{org_id}/users/
GET -- Lists users in an organization
POST -- Add a user record to the organization
/orgs/#{org_id}/users/#{user_id}
/orgs/#{org_id}/admins/
GET -- list the admins
POST -- make a user an admin
/orgs/#{org_id}/admins/{#user_id}
DELETE -- demote an admin
Users
=====
/users/
GET - list all users I can see based on my permissions
/users/#{user_id}/
GET - show the specific user if I have permission
DELETE - expires the user but doesn't delete them, requires org admin access
/users/#{user_id}/credentials/
GET - show the credentials set on the user
other ops through the /credentials/#{cred_id} URL
/users/#{user_id}/permissions/
GET - see what permissions the user has assigned, but can't edit here
other ops through the /permissions/#{cred_id} URL
/users/#{user_id}/teams/
GET - see what teams the user has defined, but not editable here
other ops through the /teams/#{team_id} URL
/users/#{user_id}/projects/
GET - see what projects the user is a part of, but you can get this through the indiv teams too
other ops through the /projects/#{project_id} URL
Teams
=====
/teams/
GET -- shows all the teams the user is on, or if admin/org admin, all teams
POST -- make a new team
/teams/#{team_id}/users/
GET -- show users on the team
POST -- add an existing user to the team
/teams/#{team_id}/users/#{user_id}
DELETE -- kick the user off the team
/teams/#{team_id}/projects/
GET -- shows all the projects on the team if you can see the team
POST -- share a project with a team
other ops through /projects/#{project_id}
/teams/#{team_id}/users/
GET -- shows all uses on the team if you can see the team
other ops through /users/#{user_id}
/teams/#{team_id}/credentials
GET -- gets the credential records of the team, recommended for close friends, otherwise upload to user acct
other ops through
/teams/#{team_id}/permissions/
GET -- show all permissions that were assigned to the team
Projects
========
/projects/
GET -- show all the projects the user can see
POST -- make a new project
/projects/#{project_id}
GET -- show the project if someone is allowed to read the info
/projects/#{project_id}/inventory/
GET -- get the inventory records assigned to this project
/projects/#{project_id}/inventory/#{inventory_id}
DELETE -- remove inventory source from project
/projects/#{project_id}/users/
GET -- users on the project
/projects/#{project_id}/users/#{user_id}
DELETE(id) -- remove user from project
POST -- add user to project if allowed
/project/#{project_id}/credentials/
GET -- show credentials on project
/project/#{project_id}/credentials/#{credential_id}
DELETE -- remove credentials
/project/#{project_id}/permissions
GET -- see all the permissions on the project
delete permissions through /permissions/#{permission_id}
Inventory
=========
/inventory/
GET -- see all the inventory sources the user is allowed to see
/inventory/#{inventory_id}
GET -- see the specific source
DELETE -- expire the inventory source if sufficient permission
/inventory/#{inventory_id}/hosts
GET -- see hosts
POST -- add hosts and associate
/inventory/#{inventory_id}/groups
GET -- see groups
POST -- add groups and associate
/inventory/#{inventory_id}/permissions
GET -- see all permissions for everyone granted on the inventory source, if you have access
Hosts
=====
Note: must be created via inventory source
/hosts/
/hosts/#{host_id}
GET -- see the host record
/hosts/#{host_id}/vars
GET -- see the host vars
PUT -- edit them
/hosts/#{host_id}/groups/
GET -- see the groups
POST -- add some more groups to the host
Groups
======
/groups/
GET -- see all the groups the user can see
/groups/#{group_id}
GET -- see the specific group
/groups/#{group_id}/vars
GET -- see the vars
PUT -- edit them
/groups/#{group_id}/hosts/
GET -- see the hosts in the group
POST -- add existing host records to the group
/groups/#{group_id}/subgroups/
GET -- see the direct subgroups
POST - add an existing group to the group as a subgroup
Permissions
=====================
/permissions/
GET -- see all the permissions that map to any of the users contexts (??)
/permissions/#{permission_id}
{
href: href,
project: href,
team: href,
user: href,
inventory: href,
allowed: [
'edit', 'push', 'check', 'view', 'logs'
]
}
GET
DELETE
Jobs
====
/jobs/
GET -- get a list of active jobs you can see
POST -- add a job, rather specific as to what this is...
/jobs/#{job_id}
GET -- get info about a job
DELETE -- remove a job
The most obvious job you will want to do is to deploy a project against an inventory source.
POST /jobs/
{
'inventory_id' : href,
'project_id' : href,
'ansible_tags' : [],
'job_type' : href,
}
and you'll get back an event ID you can poll
{
'id' : href,
'type' : event,
}
Where job_types are in the database too and public:
/job_types/
As are job status types
/job_status_types/
Events
======
/events/
GET -- root of the event service
/events/jobs/
GET -- get all events for the job
/events/jobs/#{job_id}
GET -- event info
{
id: 'href'
type: 'event'
status: 'running'
}
/host_status/
/hosts_status/#{host_id}/status
GET -- get all statuses for the host
{
id: href
date: date
host_id: href
success: true
event_id: href
}
/host_log_records/#{host_log_id}
GET
{
id: href
host_id: href
event_id: href
success: true/false
skipped: true/false
failed: true/false
dark: true/false
}
Reporting
=========
/reporting/ <- incoming messages go here
POST -- accepts remote reporting events. Requires a host id.

88
planning/mockups.md Normal file
View File

@@ -0,0 +1,88 @@
User default view -- buttons appear/disappear based on permissions
/web/home
[TEAMS] -- all teams with permissions shown here
t1 [ view ] [ edit ]
t2 [ view ] [ edit ]
[+ create team]
[PROJECTS] -- all projects with permissions shown here
() p1 [ view ] [ edit ]
() p2 [ view ] [ edit ]
() p3 [ view ] [ edit ]
[+ create project]
[INVENTORIES] -- all inventories with permissions shown here
() i1 [ view ] [ edit ]
() i2 [ view ] [ edit ]
[+ create inventory]
[CREDENTIALS] -- team and user creds shown here
() c1 [ view ] [ edit ]
() c2 [ view ] [ edit ]
[+ user cred]
Org Page Edit/View
/web/org/#{org_id}
[ users listing/adding/deleting admin widget ] -- can add/see users if org admin
[ projects listing/adding/deleting admin widget ] -- can add/see if org admin
Team Page Edit/View
/web/team/#{team_id}
[ users listing/adding/deleting admin widget ] -- can add if org admin, can see if on team
[ credentials listing/adding/deleting admin widget ] -- can create/edit team creds here if on team
[ projects listing/adding/deleting admin widget ] -- can add existing proj to team if org admin, see if on team
Project Page Edit/View
/web/project/#{project_id}
see what teams share this project, links to them
[ view/edit properties ]
[ PUSH ] [ CHECK ] buttons
must select an inventory source
must select a credential the user or team has for that source
in order to enable
clicking button gets you a link to the page in events
Events Page
/web/events/
you can see all the events on things you have inventory
access for.
Jobs Page
/web/jobs
you can see all the pages you have inventory access for
Inventory Page Edit/View
/web/inventory/#{inventory_id}
[ groups listing/adding/deleting widget ]
[ hosts listing/adding/deleting widget ]
[ links on each host to log data ]
Individual edit pages
what you can do varies by access level
/web/hosts/N
/web/groups/N
/web/users/N
/web/projects/N
viewer and editor as appropriate
for filesystem tree
will presumably NOT be super-graphical/editable in additional round
Cloud9 IDE?
`

67
planning/use_cases.md Normal file
View File

@@ -0,0 +1,67 @@
Roles
=====
a user can be:
Regular User
Site Admin
Org Admin
User on a Team
Regular User
============
* can login
* can logout
* can change some user info but not their username (can change pass)
Site Admin
==========
* probably installed the platform from a playbook before using the tool
* can make user accounts
* can promote users to site admin (or remove that)
* can add existing users to any organization
* is automatically an admin of all orgs
Org Admin
=========
* can create users (they are auto assigned to the org)
* can kick users out of the org
* can promote users to org admin or demote them
* can create an inventory source
* can share an inventory source with a team or user with set permissions
- ability to edit
- ability to push
- ability to run in check mode
- ability to view
- ability to see log data
* can create a project in the org
* can create a team in the org
* can associate a project with one or more teams in the org
* can add users to projects or take them away
A Project
=========
* has a git repository path (previously unused or used exactly once in DB)
* may have credentials
A Credential
============
* ssh key location (new or only used once)
* ssh unlock
* password
* sudo password
* pem file location (new or only used once)
A User
======
* can login
* can logout
* may have credentials
* can push to any inventory source (or check, view, etc) if they have permission on that source via a team membership, directly, an org membership, etc. The links to do so are found in the context of the project. A user may acquire permissions on an inventory source via multiple routes. Permissions are usually locked around a particular project.
* can view logs on hosts if they have similar permissions on that inv. source