Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support optional approval of Jobs before execution #125

Closed
lampwins opened this issue Mar 9, 2021 · 4 comments
Closed

Support optional approval of Jobs before execution #125

lampwins opened this issue Mar 9, 2021 · 4 comments
Assignees
@lampwins
Labels
type: feature Introduction of new or enhanced functionality to the application
Projects
Release v1.1.0
Milestone
v1.2.0

Comments

@lampwins
Copy link
Member

lampwins commented Mar 9, 2021

Environment

  • Python version: 3.7
  • Nautobot version: 1.0.0b2

Proposed Functionality

Support the ability for Jobs to require the approval of a Nautobot user before the job is executed. When such a job has been defined, user Bob will be able to provide input to the job as normal and may execute the job in Dry-run mode, but may not execute the job in non-dry-run mode. When Bob is happy with his input, he may save the job which will request approval from user Sally. Sally has permission to approve executions of this particular job, and sees a queue of executions awaiting her approval. Sally may view the input to the job and the dry-run results. Sally may also run the job in dry-run mode again to see if anything is different, given the time delay in the approval. Once happy, Sally may approve the job in which case it is finally executed in non-dry-run mode. The job execution is attributed to Bob, but Sally is marked as the approver.

Adding the ability to store the job input and recall it later is straightforward, but there are a few options for specifying the necessary approval components. There are two prevailing paradigms for identifying and granting approval permissions to jobs:

  1. The possible list of approver users and/or groups is defined in the Job's Meta inner class. I.e. defined in the job code itself.
  2. An approver permission is automatically created in the Nautobot core, based on the name of the job. Administrators would need to assign this permission to applicable users/groups using the existing permissions framework. In this case, the Job still needs a way to specify if approval is actually necessary. This would likely be a boolean flag on the Job's Meta inner class.

From there we need a queue list view to show all jobs awaiting approval, with the ability to remove them from the queue when needed. It also makes sense to support an API endpoint for approving a job.

Use Case

Many types of data changes in Nautobot are both sensitive and critical in nature and thus correctness of the change execution is very important. Jobs offer a great step in the direction of correctness but many users and organizations would benefit from an added layer of peer review and timing orchestration to data changes. Today this can be managed with external tooling using the many extensibility features, but a direct approval step on Job execution would provide a simple but powerful mechanism to address many of these concerns.

Database Changes

A couple of changes to the Jobs mechanics are needed, particularly the ability to save the input for a job, to be executed later.

External Dependencies

None
@lampwins lampwins added status: under review type: feature Introduction of new or enhanced functionality to the application labels Mar 9, 2021
@jedelman8
Copy link
Contributor

Really like this. Going to tentatively put in for 1.1

@jedelman8 jedelman8 added this to the v1.1.0 milestone Mar 24, 2021
@jedelman8 jedelman8 added this to To do in Release v1.1.0 via automation Apr 26, 2021
@jedelman8
Copy link
Contributor

This didn't make 1.1.0, but is definitely in progress and will be released in 1.2.0.

@jedelman8 jedelman8 modified the milestones: v1.1.0, v1.2.0 Jul 16, 2021
@jedelman8 jedelman8 mentioned this issue Aug 6, 2021
Open
@glennmatthews
Copy link
Contributor

Part 1 of this functionality was implemented in #805.

glennmatthews added a commit that referenced this issue Aug 27, 2021
@glennmatthews
Add initial release-notes for #125 and #374
39dcc52
@hellerve hellerve mentioned this issue Sep 1, 2021
Merged
This was referenced Sep 2, 2021
Merged
Merged
@hellerve hellerve mentioned this issue Sep 10, 2021
Merged
@glennmatthews
Copy link
Contributor

Addressed by #805, #874, #879, #908.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 18, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@lampwins lampwins

Labels
type: feature Introduction of new or enhanced functionality to the application
Projects
No open projects
Release v1.1.0
To do
Milestone
v1.2.0
Development

No branches or pull requests
3 participants
@lampwins @glennmatthews @jedelman8