Re-propose convert consoles code to use objects framework

This was approved for Queens in change: I64256c091c934e93bade886363b2ceacd73a7c17 Updates here are assignee and adding the upgrade impact section. Previously-approved: Queens Spec for blueprint convert-consoles-to-objects Change-Id: Idadb7deac773546744a55b3f006bccf3c5bdd13a
2018-02-13 00:21:23 +00:00 · 2018-02-13 00:21:23 +00:00 · 84c53c9b98
parent 41ab5455f8
commit 84c53c9b98
1 changed files with 286 additions and 0 deletions
--- a/specs/rocky/approved/convert-consoles-to-objects.rst
+++ b/specs/rocky/approved/convert-consoles-to-objects.rst
@ -0,0 +1,286 @@
+..
+ This work is licensed under a Creative Commons Attribution 3.0 Unported
+ License.
+
+ http://creativecommons.org/licenses/by/3.0/legalcode
+
+=========================================
+Convert Consoles To Use Objects Framework
+=========================================
+
+https://blueprints.launchpad.net/nova/+spec/convert-consoles-to-objects
+
+Make consoles to use the objects framework -- the current console code
+does not take advantage of the framework objects, instead it provides
+some types (console/type.py) to handle them. These types do not
+provide any features to handle versioning, RPC or any kind of methods
+to make them useful.
+
+
+Problem description
+===================
+
+The current code does not provide any mechanism to handle versioning.
+Additionally, since RPC cannot handle classes derived from the Python object
+type, we need to handle a dict "connect_info" between RPC calls and no
+way is provided to share the state of the console across processes.
+
+Another problem comes with the token, memcached is not a database and
+cannot guarantee that the expire time will be respected, a token can
+expire before that limit (eviction). By using the framework objects
+we can get the opportunity to store the whole state of Console object
+with a valid token in the database and share the state between
+process.
+
+For instance bug 1425640 needs to know when an user is connected to a
+particular port from a number of perspectives: from the compute node, to
+return the next port defined and not connected; from the proxy to
+reject new connections on already connected port from the API to
+let user informed no more port are available.
+
+We will also enhance security by only storing a hash of tokens in the
+database after to have returned the clean one to the users. Then when
+users will request to connect a console the token passed will be
+hashed and compared to the one stored in the database for validation.
+
+A new option will be introduced ``[workarounds]enable_consoleauth`` which will
+allow operators to opt-in to enabling use of both the database and legacy
+consoleauth backend at the same time. The use case for this is if the operator
+does not want all of their already existing console authorizations to be
+invalidated once the database backend is available. Usually, the TTL for
+console authorizations is short-lived (default is 10 minutes) so invalidating
+existing consoles should not be a problem in the usual case. However, if an
+operator has configured much longer TTL, they may want to take advantage of the
+``[workarounds]enable_consoleauth`` option to allow fall back to consoleauth
+for already existing consoles. Once all pre-database-backend console
+authorizations have expired, the operator may set
+``[workarounds]enable_consoleauth`` back to False and stop running the
+consoleauth service.
+
+The consoleauth service will be retained for legacy compatibility but
+in a deprecated status, supported for one release. After the
+period the consoleauth service can be removed.
+
+Because the new tokens will go in the database we need to consider
+cells v2. The child cell database is the appropriate place for console
+connection info because it relates directly to instances. Currently
+the console connection URLs returned to the user only contain a token.
+This is not sufficient to determine which cell holds the console
+connection. An initial idea for handling this was to add the instance uuid to
+the console proxy URL and use it to target the instance's cell database for the
+verification of the origin protocol by the console proxy. However, when we
+added the instance uuid to the URLs, the Tempest jobs failed on the noVNC tests
+because noVNC was not able to separate more than one query parameter in the
+URL, so the ``?instance_uuid=<uuid>`` portion of the URL was being considered
+as part of the token, the first query parameter ``token=<token>``. So, instead
+we will resolve the cell database issue by running console proxies per cell
+instead of global to a deployment, such that the cell database is local
+to the console proxy. This approach is backward compatible with the existing
+console proxies and also decreases load on a large deployment by sharding
+proxies per cell instead of all consoles for the deployment going through one
+centralized proxy.
+
+Use Cases
+----------
+
+Developer can take advantage of using the framework objects when
+adding a new console or features.
+
+Proposed change
+===============
+
+* Define a new ConsoleAuthToken object.
+* Convert drivers to generate ConsoleAuthToken object.
+* Define schema and API to store ConsoleAuthToken object in child cell
+  database.
+* Update code to store ConsoleAuthToken with valid token in database
+  or consoleauth dependant on the switch until consoleauth is removed.
+* Update proxies to use the database or consoleauth dependant on the
+  switch until consoleauth is removed.
+* Define a periodic task to clean expired object stored in database;
+  To balance the load and avoid blocking the database during too much
+  time each compute nodes will be responsible to clean connection_info
+  for guests they host.
+* Add a config option ``[workarounds]enable_consoleauth`` defaulting to
+  False that operators can opt-in to if they wish to run the legacy
+  consoleauth service to fall back on if they have configured long TTL
+  for console authorizations and do not wish to have already existing
+  consoles invalidated once the database backend is available.
+* Update documentation to reflect the new required deployment layout
+  where console proxies are run per cell.
+* Fix bug 1425640
+
+Alternatives
+------------
+
+Continue to use memcached as a backend will make the behavior of
+connection information not previsible since objects can be
+evicted. Also in order to fix issue 1425640 and 1455252 a scan has to
+be done to list available ports which is difficult when using
+memcached without add specific code to maintain a list of stored keys.
+
+Data model impact
+-----------------
+
+A new ConsoleAuthToken model needs to be defined with attributes:
+
+- instance: an instance which refer the console
+- host: a string field to handle hostname
+- port: an int field to handle service number
+- token_hash: a string field to handle a token or null
+- access_url: a string field to handle access or null
+- options: a dict field to handle particular information like usetls,
+  internal_access_path, mode...
+- expires: a date time to indicate when the token expires or null
+
+The database schema ::
+
+    CREATE TABLE console_connection (
+         instance_uuid CHAR(36) NOT NULL,
+         host VARCHAR(255) NOT NULL,
+         port INT NOT NULL,
+         token_hash CHAR(40),
+         access_url VARCHAR(255),
+         options TEXT,
+         expires DATETIME,
+
+         PRIMARY KEY (instance_uuid, host, port),
+         INDEX (token, instance_uuid),
+         FOREIGN KEY (instance_uuid)
+           REFERENCES instances(uuid)
+           ON DELETE CASCADE
+    );
+
+.. note::
+
+    No migration are expected from serialized dicts connection info
+    stored in memcached to the database, during the upgrade clients
+    already connected to consoles will keep their connections until
+    proxy will be restarted. At this step we expect to have the
+    consoleauth service to also have been restarted.
+
+REST API impact
+---------------
+
+None
+
+Security impact
+---------------
+
+In the point of view of tokens we can expect a better security since
+currently tokens are stored in memcached which does not provide any
+security layer. Now only hash of tokens will be stored in the database
+also security policy will enhanced to be the same than other critical
+components stored in database.
+
+Notifications impact
+--------------------
+
+None
+
+Other end user impact
+---------------------
+
+When proxyclient will be restartred users will be disconnected from
+our consoles but should reconnect to it with the same token if not
+already expired.
+
+Performance Impact
+------------------
+
+The database load will increase but we can expect that with a minimal
+impact for DBA.
+
+Other deployer impact
+---------------------
+
+The consoleauth service must be restarted before proxy services. When
+proxy will be restarted clients will be disconnected from consoles.
+consoleauth will continue to work as backend until a deprecated period
+of one release operator are encouraged to switch on the database
+backend (see option: console_tokens_backend).
+
+If the deployer choses to use the database to store console connection
+information the consoleauth service will not be required.
+
+Developer impact
+----------------
+
+None
+
+Upgrade impact
+--------------
+
+New console token authorizations will be stored in the database but already
+existing consoleauth service token authorizations will continue to work until
+their TTLs expire, if the operator has set
+[workarounds]enable_consoleauth = True before upgrading (the default is False).
+Once all of the old consoleauth service token authorizations have expired, the
+flag should be disabled and it will no longer be necessary to run the
+consoleauth service.
+
+
+Implementation
+==============
+
+Assignee(s)
+-----------
+
+Primary assignee:
+  melwitt
+
+Other contributors:
+  sahid-ferdjaoui
+
+Work Items
+----------
+
+* Convert code to use objects framework
+* Update consoleauth to take advantage of the database to handle
+  tokens
+* Fix bug 1425640
+
+Dependencies
+============
+
+None
+
+Testing
+=======
+
+The current code is already tested by functional and unit tests since
+we do not provide any feature we can consider that the code will be
+well covered by those tests.
+
+The new version will be tested in the gate.
+
+Documentation Impact
+====================
+
+The cell deployment layout documentation will be updated to reflect the new
+requirement that console proxies must be run per cell instead of global to
+a deployment.
+
+References
+==========
+
+None
+
+History
+=======
+
+.. list-table:: Revisions
+   :header-rows: 1
+
+   * - Release Name
+     - Description
+   * - Liberty
+     - Introduced
+   * - Newton
+     - Re-proposed
+   * - Pike
+     - Re-proposed
+   * - Queens
+     - Re-proposed
+   * - Rocky
+     - Re-proposed