
Should the callback plugin be talking directly to the database?

Open larsks opened this issue 8 years ago • 4 comments

Should the callback plugin be connecting directly to the database? That means that any machine that runs Ansible needs to have direct read/write access to the database server. I can see this making a lot of people uncomfortable.

Should ARA have a REST API that can be used by the callback plugin in lieu of direct database access?

larsks, Jun 07 '16 04:06

Deleted my two previous irrelevant comments. This is a summary of what I think:

  • Yes, it could be a problem in some contexts that the callback, the CLI (or even the web interface? Although there are no deletion features in it, there could be) has write access to the database
  • I am for an HTTP REST API but against it being required to use the callback. It wouldn't make sense to require the REST API to run (even from the development web server) to be able to run Ansible.

Let's take for example nova, there's:

  • nova (server, database, methods and api endpoint components)
  • python-novaclient (client library that talks to a nova api server)
  • python-openstackclient (CLI interface that wraps around novaclient)
  • horizon (web interface that wraps around novaclient)

Does a segmentation like that make sense for ARA? I think so. Right now we have everything talking to the database. We could probably have an internal API and then have everything use that internal API instead. The (eventual) HTTP REST API could just almost passthrough to the internal API. There could be a toggle between internal and external API if people want to use REST instead, but then it brings the whole concept of authentication and stuff I didn't want to have to worry about.

I know there's a lot of work hidden behind something like that but it's probably something we'll need to do one day or another ...

dmsimard, Jun 08 '16 18:06

The problem with the nova analogy, of course, is that all of those tools -- novaclient, openstackclient, horizon, etc. -- expect the Nova API server to be running, and communicate only via the REST API rather than talking to the database directly...which sounds like the situation you are arguing against.

I think we're going to need to go that way eventually, even for the callback.

larsks, Jun 08 '16 20:06

Agree with @larsks on this one, would definitely be cleaner to talk to the API, also allows us to use basicAuth/TLS/HMAC for authentication with little extra effort.

Malet, Jun 12 '17 14:06
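
An added example, not part of the thread and not ARA's code: one way the HMAC option mentioned above could authenticate callback requests to an API, so that Ansible hosts hold a per-client signing key instead of database credentials. The endpoint path, header names, client id and key are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
import time

MAX_SKEW = 300  # seconds a signed request stays valid (assumed policy)

def sign_request(key: bytes, method: str, path: str, body: bytes, ts: int) -> str:
    """Callback side: HMAC-SHA256 over method, path, timestamp and body hash."""
    msg = "\n".join([method, path, str(ts), hashlib.sha256(body).hexdigest()])
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

def verify_request(keys, headers, method, path, body, now, seen):
    """API side: return the authenticated client id or raise PermissionError."""
    client = headers.get("X-Client-Id", "")
    key = keys.get(client)
    if key is None:
        raise PermissionError("unknown client")
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        raise PermissionError("bad timestamp") from None
    if abs(now - ts) > MAX_SKEW:
        raise PermissionError("stale request")
    expected = sign_request(key, method, path, body, ts)
    supplied = headers.get("X-Signature", "")
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        raise PermissionError("bad signature")
    if supplied in seen:  # same signed request replayed inside the window
        raise PermissionError("replayed request")
    seen.add(supplied)
    return client

# Constructed sample: one Ansible control host posting a task result.
KEYS = {"ci-runner-1": b"constructed-demo-key-not-a-real-secret"}
BODY = json.dumps({"playbook": "site.yml", "task": "install nginx",
                   "status": "ok"}).encode()

def demo_headers(ts: int) -> dict:
    sig = sign_request(KEYS["ci-runner-1"], "POST", "/api/results", BODY, ts)
    return {"X-Client-Id": "ci-runner-1", "X-Timestamp": str(ts),
            "X-Signature": sig}

if __name__ == "__main__":
    now = int(time.time())
    print(verify_request(KEYS, demo_headers(now), "POST", "/api/results",
                         BODY, now, set()))
```

The signature covers the method, path, timestamp and body hash, so a captured request cannot be redirected to another endpoint or altered, and each control host's key can be revoked on the API side without touching database accounts.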

@Malet a proper API and segmentation of the different components (client/api/server) is still in the roadmap but it will be quite a significant amount of work. It's probably one of the next large feature sets we'll be working on as ARA has reached a certain level of maturity at this point.

dmsimard, Jun 12 '17 14:06