... | ... | @@ -46,6 +46,8 @@ The following areas of interest are currently blocked for various technical and |
|
|
|
|
|
As of March 2021, Stork has only two user roles: super-admin (can do everything) and admin (can do everything, except managing other users). We need more fine grained access control. The most basic addition would be a read-only user. This would be used by a junior admin, who can only observe the system, but is not permitted to make any changes. In the future, the role system will become more sophisticated, so the solution must be extensible. In particular, the following use cases will need to be possible: a role to manage a single server, a role to manage certain subnet (including situations where it is handled by a pair of HA servers). This is currently blocked, because the Stork team needs to write down requirements and our early attempt indicates it's more complex than it looks at the first glance.
|
|
|
|
|
|
Related requirement: https://gitlab.isc.org/isc-projects/stork/-/issues/157
|
|
|
|
|
|
## Showing pool status
|
|
|
|
|
|
As of March 2021, we have the ability to show statistics for networks and subnets. We can say that 30 of 250 addresses are used. The statistics are good first approximation, but they have several flaws. First, there were bugs in statistics that caused them to not truly reflect the pool state, in particular in cases where several Kea instances are sharing the same DB. Second, getting an overview of the pool utilization is often not enough and admins want to have more detailed insight. The major difficulty here is to come up with an efficient way to keep this information roughly up to date. The current mechanisms available in Kea (e.g. lease4-get-all) are insufficient and wouldn't scale for deployments that count devices in millions. There's a plan to implement [incremental lease updates](https://gitlab.isc.org/isc-projects/kea/-/issues/1230), so Stork would retrieve all leases just once (that's acceptable) and then only get the lease updates periodically. This is currently blocked until such a mechanism is implemented in Kea. |
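Review bot: The "Related requirement:" line under the access-control paragraph is a bare URL with no description, while the pool-status paragraph further down uses a titled link (`[incremental lease updates](...)`). Suggest the same style here, with link text that says what issue 157 covers, so a reader can tell whether it is the requirements write-up the paragraph says the work is blocked on or only a related ticket. In the same paragraph, the read-only role is described only by what it cannot change ("can only observe the system"). It would help to state whether such a user sees everything an admin sees, or to defer that question explicitly to the linked issue, since the per-server and per-subnet roles listed afterwards imply that visibility will eventually be scoped too. Minor wording in that paragraph, if it is being touched anyway: "more fine grained" reads better as "finer-grained", "certain subnet" needs an article, and "at the first glance" should be "at first glance".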