CFEngine 3 Enterprise 2.2.0 release notes

June 4, 2012

Highlights

CFEngine Enterprise version 2.2.0 is here, and this release delivers major features requested by customers.

The Mission Portal graphical user interface has gained the following new features:

  • Dynamic host grouping
  • Access control for reports
  • REST API

Dynamic host grouping

The new edition of CFEngine Enterprise allows you to use any CFEngine classes to build arbitrary groups of hosts. Groups can be arbitrarily nested, yielding a tree-like structure. Below is an example of how a grouping by operating system classes may look.

As you can see from the sample grouping, selecting a group will display compliance and reports only for that group in the right pane. You can see that the context “Linux” is currently selected.

To add a sub-group, simply click the plus sign next to the group name. As a second example, to see promises not kept on Ubuntu hosts, select the Ubuntu group in the left pane and the Promise not kept report in the right pane, which yields the results shown below.

[Figure: CFEngine - Ubuntu]

At the top of the left pane, you can see that our current grouping layout is called “OS”. You can create an arbitrary number of grouping layouts, for example to group by service (web server, db server, etc.), location (NY, CA, London, etc.), operating system and so on. Because this system is built on CFEngine classes, it is extremely flexible, and you can use any class, whether automatically defined or defined in the policy.

This system allows you to structure your hosts in ways that make sense in your environment. Perhaps you are interested in the compliance of the web servers, but want to see which Solaris servers have had changes in their passwords. Creating multiple grouping layouts makes questions like these easy to answer.

Note, however, that you can override the host grouping when generating reports by including and excluding arbitrary lists of classes. For example, if you want to see all promises not kept on Ubuntu hosts, but you are not interested in the Ubuntu 10.4 hosts, you can create the following filter.

[Figure: CFEngine - filter by class]

Access control for reports

As multiple people from different teams may be using the Mission Portal for generating reports about their environment, access control quickly becomes an issue. For example, the database administrators should perhaps only see reports coming from database servers. The Mission Portal already supports LDAP and Active Directory authentication, potentially allowing a large set of users to access it.

In this Enterprise release, the Mission Portal allows creation of roles with access to reporting data from subsets of machines and promise bundles. Again, the flexible CFEngine classes play a key role. Say you have a class called “db_server” defined on all your database servers in your policy. With the new Mission Portal, you can easily assign this class to a role “Database administrators”, and then assign your database administrator users to that role. The net effect of this is that the database administrators would only be able to see reports coming from the database servers. You can also limit the ability for users to browse parts of the policy, as defined by regular expressions on promise bundles.

As an example, we have the same environment as in the above illustration, but are logged in as a user that can only see the windows class through his group memberships. You can see that both the Linux and Solaris groups became empty, and so it is impossible to see their host counts, compliance and reports.

[Figure: CFEngine - group by OS]

REST API

Customers have often asked us for ways to export the valuable data found in the Mission Portal to other systems. It is already possible to generate CSV and PDF reports from the Mission Portal web interface, and also to export data with a CFEngine command-line tool. To take this even further, we have introduced support for a REST API on the Enterprise hub.

The CFEngine Enterprise hub knows the state of all systems, so there is no need to contact each and every one of the CFEngine clients individually through REST. Everything can be found at the hub, which can also generate summaries of the various types of reports, making the interface efficient and concise. For example, you can use this interface to import promises not kept into a ticketing system like Redmine.

More details on the new REST API can be found in a separate blog post.

Host operation diagnostics

Below the compliance graph, you can quickly see if the hub has any connection issues, or if CFEngine is not running correctly on any of the hosts.

[Figure: CFEngine - Host Operations]

Other improvements

Software reports are now updated at the hub every five minutes by default, as opposed to every 6 hours in previous releases. Installed software entries also come with timestamps showing when they were discovered.

Better orchestration functionality is made possible with the new hostswithclass function. With it, you can for example dynamically generate configuration for monitoring software to monitor hosts with the web_server class set. As usual, many performance improvements and bug fixes have been included.
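One way to use hostswithclass for the monitoring case described above, as an added example that is not part of the original release notes. The target file path, the bundle and body names and the `host=` line format are assumptions, as is the call form used here (a class name followed by the field to return, `name`).

```cf3
body common control
{
  bundlesequence => { "monitor_web_servers" };
}

bundle agent monitor_web_servers
{
  vars:
    am_policy_hub::
      # The list is read from the hub's report database, so it is only
      # populated when this bundle is evaluated on the Enterprise hub.
      "web_hosts" slist => hostswithclass("web_server", "name");

  files:
    am_policy_hub::
      # Hypothetical target file read by the monitoring software.
      "/etc/monitoring/web_servers.cfg"
        comment       => "Monitoring targets: hosts reporting web_server",
        create        => "true",
        perms         => root_only,
        # Rebuild the file on every run so that hosts which no longer
        # report the class drop out of the target list.
        edit_defaults => rebuild_from_empty,
        edit_line     => write_targets;
}

bundle edit_line write_targets
{
  insert_lines:
    # Iterates over the list: one line per host name.
    "host=$(monitor_web_servers.web_hosts)";
}

body perms root_only
{
  mode   => "600";
  owners => { "root" };
}

body edit_defaults rebuild_from_empty
{
  empty_file_before_editing => "true";
}
```

The generated list is only as trustworthy as the classes hosts report to the hub, so keep the file root-owned and treat it as derived data rather than an authoritative inventory.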

We are very proud of all the features included in this Enterprise release. Of course, all the new features and fixes introduced in the Community 3.3.3 release are also available in the Enterprise edition, including Unix service promises and the new templating engine.

All this is made possible by our many users and customers requesting new features and presenting their use-cases. We are always listening to requests, so please keep them coming! Existing customers get this major upgrade, as well as all future ones, as part of the relationship with CFEngine.