[rudder-users] question on policy change tracking

Francois Armand francois at rudder.io
Mon Nov 18 09:34:05 CET 2019 

(aaaannnd I forgot to hit "send" on that email)
(aaaaannnd somehow the ml was removed, sorry Tim for the double sending)

On 15/11/2019 20:54, tim taler wrote:
>
>
>     Yes, we wanted to avoid (by default) to have everything in
>     shared-files in git. We used to do that, but early feedbacks
>     showed that users were very surprised to have binaries and etc
>     going to git, which resulted in bloated git repos and performance
>     degradation.
>
>
> true ... I indeed had those few binaries I had to handle in a 
> separate non-git directory on the cfengine server ...
>
>>     So ... while you on it,
>>     IMO it would be nice it:
>>     a) file changes there, would also be in some way visible in the
>>     GUI (like "notice, somebody copied new files to folder xyz, you
>>     like to confirm?")
>
>     Nice idea, but actually with your second idea, it becomes (almost)
>     unecessary (ok, it is something different, but one could arg that
>     if a gui+rest api is available for upload then we can assume than
>     direct changes in the fs with root access to the server as "admin
>     special action").
>
>
> agreed ;-)
>
>>     b) so far I'm very used to the commandline, but with rudder I see
>>     the benefit of some restiction through a common interface, so you
>>     might want to consider to have a graphical upload of those files
>>     to the shared_folder on the rudder server, that would ease the
>>     change management for that folder, right?
>
>     Excellent idea :)
>
>     And we are working on it for 6.0, with: each technique get a
>     private "resource" directory which is versionned with it and files
>     are automatically transfered with the technique code (typical use
>     case: templates, config files, etc).
>
>     And now that you say it, adding a shared file ui would be simple.
>     We didn't do it for now because of rights ("authz == it's
>     complicated"). But we could have it only for admin. Let me think
>     about it.
>
>
> I haven't looked into the "role" system of rudder yet, but my first 
> idea would be:
> - either a role allows manipulation of a rule/directive/technique (any 
> setting that affects the manged systems) than it can also upload files 
> (the file properties on the rudder-server/shared_folder are 
> irrelevant. what matters are the properties when they are deployed, 
> and that will be controlled through a file property promise)
> - or the role doesn't allow any of those manipulations, than there is 
> also no need to access the upload functionality

Good point. It's a share folder after all.

> But you might have more complex situations (managing a subset of nodes 
> or directives/rules/techniques)

We are working on restricting node/rules by authz. It's not done for now 
("authz == it's complicated" - yeah, my previous life in identity & 
authz management let sequels :)

> Anyway IF there would be an upload possibility through the GUI it may 
> require to distinguish between binary/non-binary content (and 
> according two directories in the shared_folder) to avoid the git bloat?
>
>     For 7.0, we are going much more deeply in what is a configuration
>     (rules/directives/etc), and what is environment/context
>     (nodes/etc), and what is "out of control of Rudder" (node local
>     env variable, etc). We will have different verionning for each,
>     with a full graphe dependency (and possibility to use previous
>     version of subgraphe, for ex "that rule, but with the previous
>     version of that directive (and its technique/resources) because
>     I'm in the middle of a migration).
>>
>>     ... just some ideas
>
> and while I'm on it ;)
>
> Under directive "System settings/System management" along with the 
> management of cron jobs etc. there could be a ready made technique for 
> sysctl settings, or?

We try to do it but AFAIK the semantic was not clear at all (relative to 
peristance etc). I think Felix or Nicolas could have more information.
Acutally, I think we reach the state where we have either an opinaited 
solution that was not very generic, or a generic solution that was 
harder than just editing files in /etc/sysctl.d. But if you have a 
need/use case, we would love to hear about it. In that case, would you 
mind start a new email thread with a meaningfull title so that other 
people can see/contribute to it?

>
> looking forward to the upcoming versions :+1:
>

We too :)


<http://www.rudder.io/> 	*François ARMAND*
CTO
*T:* +33 183 62 99 23 *M:* +33 663 37 60 55


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.rudder-project.org/pipermail/rudder-users/attachments/20191118/d41e0db0/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: loedkjhdglbkcefn.png
Type: image/png
Size: 5490 bytes
Desc: not available
URL: <http://www.rudder-project.org/pipermail/rudder-users/attachments/20191118/d41e0db0/attachment.png>

More information about the rudder-users mailing list