Tuesday, September 10, 2013

RHQ Group Definitions (dynagroup) Enhancement

The RHQ Project supports Group Definitions, also known as DynaGroups, to let users automatically generate resource groups given a powerful expression language.  For example, if I'm managing a bunch of JBoss AS7 Servers I may want to automatically group them so I can process them together.  Instead of creating and populating a  resource group manually, I could also just create a Group Definition like: 

resource.type.plugin = JBossAS7
resource.type.name = JBossAS7 Standalone Server

Moreover I could even have it automatically recalculate the group membership at some interval to my liking. Here is a link for a complete rundown on Group Definitions.  

This blog is to point out a nifty new feature for limiting generated group membership by providing one or more narrowing groups.  We've added the 'memberof' expression to the group definition language.

Let's say you're managing a bunch of machines and you've got them split up between two teams.  You've already imported your platforms into RHQ and created a couple of groups (either manually or with dynagroups) such that you have Platform Group A and Platform Group B, and your two teams are assigned views of these two groups appropriately (RHQ provides a robust Role Based Security Model). As a note, these are recursive groups, meaning they implicitly include all of the resources for that platform.

Now let's say a few team members are devoted to your AS server management and require heightened permissions for the servers they manage, say deployment permissions.  I create a new role with the desired permissions and assign the users. What I need is to easily create a group of the servers that they can see, and assign it to the role in order to tie together the users, the permissions and the server resources. I can do that by using the same Group Definition above, but with one more expression:

resource.type.plugin = JBossAS7
resource.type.name = JBossAS7 Standalone Server

memberof = Platform Group A

The groups generated are now guaranteed to be limited to only those servers that are in Platform Group A. Put another way, the results are narrowed by Platforms Group A. It is valid to supply multiple 'memberof' expressions in one group definition.  In this case the resulting dynagroups will be limited to resources in the union of narrowing groups. This feature can play a big role in role-based security in RHQ, but has other uses as well.  Use it any time it would be helpful to generate proper subsets of existing groups.


No comments: