Fixes #6835 - support filtered API for oVirt

[ares]

No description provided.

[ohadlevy]

you can use the serialized attribute instead of adding db columns that do not fit other compute resources?

[ares]

I can, I don't want to :-) especially in this table I don't expect thousands of records and I think the number of downsides it brings is too big (migration touching serialized data, possible inconsistency between two objects of same class, faulty implementation that uses method_missing without defining respond_to?)

[ares]

@ohadlevy anything else I could do to get this ready for merge?

[iNecas]

Tested and works well. 👍 code-wise from me

[ares]

Thank you, setting ready to merge so someone with permissions could merge.

[domcleal]

Sorry, I'm going to unset it unless a committer's reviewed it. (Looks like that's @ohadlevy.)

[ohadlevy]

/me delegate to @tbrisker :)

[ares]

Great, it got things moving :-) Sorry if it was too bold.

[tbrisker]

How about making the help_block an inline popover?
Also, nitpick, you are repeating yourself in the text. I think "If you don't have admin permissions you can use slower filtered API." should be enough.

[ares]

that was my first attempt but it looked weird

but I can add it if you think it's better

[tbrisker]

I think if you use :help_inline instead of :help_block it should look better.

[ares]

I'm not sure if it looks any better

This is what we have for interfaces flag, also does not look great to me.

I think I find this the best.

Which one do you prefer?

[tbrisker]

@ares tested, this works just fine. Once the comment about the help text is fixed I'll merge.

[ares]

@tbrisker I improved error handling that was asked in #3308 (diff). I keep it in separate commit for easier reviewing, I'll squash after review.

[ares]

btw tests failures are unrelated

[tbrisker]

Also make sure terminology here matches that on the checkbox.

[ares]

@tbrisker I've modified texts. Sadly, it's not well documented in oVirt docs and it's always the same API just with different header. Anyway I think this should be clear enough now. I also added the value to v2 API. Please re-review.

[tbrisker]

Sorry to be nitpicking again on this, I think "Use the 'Filter' header for API calls, which makes them limited and slower, but available to non-admin users." would be clearer, with the label being Filter API calls.
Also the help text now breaks a line and looks bad, please reconsider using a popover.

[ohadlevy]

I wonder if we should consider this a plugin vs something we want to maintain in foreman itself, after talking to a view ovirt guys, they recommended we do not use the filtered api at all.

[iNecas]

No plugin please. This pretty much limits the usage of ovirt just to ones with admin rights. If something changes on ovirt side, we can reconsider, but right now, it's really solving real issue for us (and I expect others are in a situation they can't have admin account)

[ares]

@tbrisker no need to applologize, I'm glad we're moving somewhere. Fixed.

@ohadlevy I'm not sure I properly understand your suggestion, create ovirt plugin that adds this checkbox? On our side it does not add much to maintain. If it does not work on ovirt side, I hope they are willing to fix it.

[ohadlevy]

the problem is that it present a follow up problems, for example: - if you are a large env, and has a lot of hosts, the vm list might not work - associate vms will not work as well either (both listing the vms). this also limit us to support better leverage ovirt, for example, we want for associate vms to use search to find relevant mac addresses instead of in memory searching for all macs, since search is not exposed, we would not be able to use that. I wonder if the better way will be to ask for an admin account - note that in oVirt, admin does not have a full permissions (e.g. superuser) just labeled as admin I also don't like this, but I'm worried that a limitation on oVirt side will create confusion for our users.

[ohadlevy]

@ares I'm not aware they prioritize fixing this issue, maybe @oourfali can expand on it?

[ares]

@ohadlevy adding such features is great but I'm not sure whether big setup (probably lower % of users) should cut support for feature that would work only with smaller setups (higher number of users I guess)

I can imagine introducing some capabilities model that would tell us what a given CR is capable of, it could be handy also to manage versions of CR (with different feature sets)

[tbrisker]

This works and code & text are good to merge as far as I'm concerned once tests finish.
However, we need to make a decision whether we want to make this change at all.
I'm afraid I do not have enough experience with oVirt and I don't know enough about users' use cases to make that call, so I will leave that up to those of you who know more to make the decision.

[oourfali]

There are many gaps in the filtered api. It wasn't designed for the use foreman does with the API.
IMHO it shouldn't be pushed, as it might cause other issues. Even if things will work, they will be less performant.

[ares]

@oourfali is there a different way to use ovirt API without admin account that foreman (or anything else) could use for automating the provisioning? There was some interest https://bugzilla.redhat.com/show_bug.cgi?id=1123676

[iNecas]

@oourfali out next step is to add jsessionid support (we already have support on rbovirt side), from the performance reasons.

[oourfali]

The performance aspects are different. Not related to the session id.
The user api works differently, running queries rather than using the search mechanism. So, for different things might be less performant, especially when combined with search.

[iNecas]

Regardless the performance limitations, I still think not providing the user-level accounts an ability to use Foreman with this credentials is a serious limitation. We have even customer cases already demanding this. If the ovirt has performance limitations on this use-case, I would rather see improvements on the ovirt side to improve this, rather then avoiding using it at all. If the user-level API was officially deprecated and communicated, that this will not be supported anymore (and the question would be when, because if it's too far away, it still might be worth having it here until the day comes).

If there are use-cases that the filtered API is not good for, in ideal world the API would be explicit enough about that, when this use comes. On the other hand, I can't think of more basic use-case for a virtualization platform than provisioning a host. I can imagine limiting the other cases (such as listing VMs) not being available in case the calls are deprecated/show serious issues. But the basic end-to-end provisioning via API seems to be valid use-case that I would expect from ovirt to handle without need for admin-level account.

From my perspective, this is pretty small change, that unblocks non-admin users using it and can be reverted/disable anytime an Ovirt version is released that deprecates it.

What about a note about about the lower performance in the description?

[oourfali]

Foreman is in your hands... We support the user-level API completely, but some things work differently, and some functionality doesn't exist there, by design. we might not be able to handle performance/functionality issues.

You recently added paging support by using our search API, which isn't fully supported and won't be supported in the user-level API.
You are also supposed to change the VM MAC address search to be based on our search, rather than searching locally.

You can use that without paging and search and that will probably work (wasn't tested, though) , but as you rely more on the API in other use-cases in Foreman, you might run into using something that doesn't exist in the user level api, and you'll need to block stuff on your side, or suggest alternatives, if the user chose the filtered view.

In my opinion the requirement to be admin is reasonable. We require the same on the other side of the integration. Some API calls require you to be an admin.
Admin doesn't mean super user, btw, you just need to have one admin role assigned to one object, so in case you're managing things through Foreman - the ovirt admin should give you this minimum permission so you can work with it. Thus, I don't see this as a serious limitation.
How many customers asked for that?

Bottom line, as one of the owners of the oVirt API, my recommendation is not to support that, or support it but block functionality, and in that case we can't promise a blocked functionality will be added, and a performance issue at scale will be resolved.

[ares]

Closing, we'll document what admin roles/permissions are required instead.