Skip to content

Proposal for multi-org resource model #2791

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
ammario opened this issue Jul 1, 2022 · 8 comments
Closed

Proposal for multi-org resource model #2791

ammario opened this issue Jul 1, 2022 · 8 comments

Comments

@ammario
Copy link
Member

ammario commented Jul 1, 2022
edited
Loading

Some of this is future-facing since we haven't implemented the multi-org model yet. I will refer to both "organizations" and "teams" as "groups" in this issue.

We have 4 resource types:

  • Groups
  • Users
  • Workspaces
  • Templates

When we add multiple groups, we have to decide how resources are associated with them.

Some obvious rules:

  • Groups contain at least one user, but each user can be in multiple groups
  • Groups can contain other groups, but a group cannot have multiple parent groups
  • The root group contains all other groups and every user. A user cannot be removed from this group.

The trickier thing is workspace and template association. In v1, groups owned workspaces. In retrospect, this was a flawed decision. The infrastructure owner is the de facto workspace owner because they have the credentials to manipulate it. This is beyond our control. They must have those credentials to create a template. If we also give the group manager control of the workspace, we have two owners now, which is unexpected and confusing.

I propose we leave template admins as the sole owner of the templates' workspaces. Let's keep templates as a top-level resource but allow template admins to control access by choosing which groups and users can use their template.

For naming: "Organization" implies a group with many configuration knobs and its own resource namespace. The group is just a collection of groups and users in my proposed model. There is little configuration and namespacing. "Team" or "Group" could be good names, but there may be more I'm not considering.

Forward compatibility

In the future, we may decide to associate workspaces/templates with a group. The proposed model should leave those doors open. We can always let groups own more resources, but we can't walk back from that.
@ammario ammario added the feature label Jul 1, 2022
@ammario ammario changed the title Rename "organization" to "team" Proposal for multi-org resource model Jul 2, 2022
@ketang
Copy link
Contributor

ketang commented Jul 4, 2022

Groups contain at least one user

This will be annoying. For one thing, how do you create a group?

The root group contains all other groups and ever user.

I wonder if this is necessary. Why not have multiple root groups possible?

The infrastructure owner is the de facto owner of the workspace because they have the credentials to manipulate said workspace.

I don't understand how this conclusion is justified. Admins in any system can manipulate the objects associated with a nominal owner. Workspaces shouldn't be any different. As well, I'm puzzled the idea that I as an admin could "own" a workspace that was created without my knowledge and used exclusively by someone else.

"Organization" implies a group that has a lot of configuration knobs and its own resource namespace.

Sounds like a root node to me.

There is little configuration and namespacing

Why preclude this now? I understand not wanting to build it now, but saying we'll never want to seems unnecessarily limitiing.

the term "Team" is the best way to describe this kind of lightweight group.

Not... "group?"

@ammario
Copy link
Member Author

ammario commented Jul 6, 2022

I wonder if this is necessary. Why not have multiple root groups possible?

I'm using the root group to mean the "All Users" group. I'm assuming that organizations are one-level descendants of this root group.

I don't understand how this conclusion is justified. Admins in any system can manipulate the objects associated with a nominal owner. Workspaces shouldn't be any different. As well, I'm puzzled the idea that I as an admin could "own" a workspace that was created without my knowledge and used exclusively by someone else.

They have ownership because they need credentials to set up the template that creates the workspaces. If credentials are in the provisioner environment instead of the template, they can still expose the credentials via local exec, so we should just assume they have full control of the provisioner environment.

Why preclude this now? I understand not wanting to build it now, but saying we'll never want to seems unnecessarily limitiing.

I do think we will want to increase the power of groups eventually.

Not... "group?"

Lol, "group" is also good.

@ketang
Copy link
Contributor

ketang commented Jul 6, 2022

I'm assuming that organizations are one-level descendants of this root group.

Is that a necessary assumption?

we should just assume they have full control of the provisioner environment.

Sure, but that doesn't mean they're owners. All my files on my machine are accessible to root, but the owner is not root. Ownership isn't about access. It's about responsibility and authority. The former would defeat the purpose of having an owner concept in pretty much any system with a superuser.

@ammario
Copy link
Member Author

ammario commented Jul 6, 2022

Is that a necessary assumption?

That organizations cannot be nested within another or that there is one root group?

Sure, but that doesn't mean they're owners. All my files on my machine are accessible to root, but the owner is not root. Ownership isn't about access. It's about responsibility and authority. The former would defeat the purpose of having an owner concept in pretty much any system with a superuser.

I think it would be easier to discuss this if we talk about specifics. Here are some things I'm trying to avoid for the sake of the user:

  • Having to associate a workspace with an organization during the create flow. This is an additional step, and the workspace is already administratively "bound" to the template, so now there's a double binding that seems excessive for our first shot at the ownership model.
  • Giving cost levers to group admins instead of template admins. This is a similar anti-pattern to giving the user cost levers. Since template admins owns the infrastructure, they have the direct incentive to keep down costs and also understand the capabilities of their infrastructure. Groups can also have access to multiple templates, each of which has different resource models that may not map well in the group settings.
    • In v1 we had all of these org levers that would've made more sense in the provider level. Screen Shot 2022-07-06 at 1 51 07 PM

@ketang
Copy link
Contributor

ketang commented Jul 6, 2022

That organizations cannot be nested within another or that there is one root group?

I was referring to the latter, but I guess I'm not sure the former is necessary either.

Having to associate a workspace with an organization during the create flow. This is an additional step, and the workspace is already administratively "bound" to the template, so now there's a double binding that seems excessive for our first shot at the ownership model.

Why do we have to associate a workspace with an organization instead of the user creating it? That seems both unnecessary and unnecessarily rigid.

Giving cost levers to group admins instead of template admins

This seems pretty doable without having to do a non-standard ownership model. A group admin could set policies and quotas for the users and groups in that group, and they could also carve out an exception for anyone in their group using template X.

For instance, I'm admin for group Alpha, and I want to set policies like:

  • All users in group Alpha can have two workspaces running at a time
  • Members of group Beta, nested in Alpha, can have three workspaces running at a time
  • Members of group Gamma, also nested in Alpha, can have only one workspace running at a time
  • Members of group Gamma can run a workspace built on template X without it counting against their maximum

@ammario
Copy link
Member Author

ammario commented Jul 8, 2022

This seems pretty doable without having to do a non-standard ownership model.

I meant that template admins should have the lion's share of cost control abilities. E.g, we have max-ttl as template configuration at the moment. Group admins may also be template admins and control costs through their template admin role.

Why do we have to associate a workspace with an organization instead of the user creating it? That seems both unnecessary and unnecessarily rigid.

This is my point, that we should begin with workspaces associated to templates and not organizations so no additional step is required. This flows into the whole concept of template admins controlling costs and groups being lighter weight structures.

@ketang
Copy link
Contributor

ketang commented Jul 8, 2022

I don't believe that template admins will always (or even usually?) be the ones controlling the resource usage of an organization. We certainly shouldn't bake that assumption in.

This sounds like something we need customer input to resolve.

@ammario ammario mentioned this issue Aug 18, 2022
Closed
@kylecarbs
Copy link
Member

@ammario will be handling this in a future issue!

@kylecarbs kylecarbs closed this as not planned Won't fix, can't repro, duplicate, stale Aug 24, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ketang @kylecarbs @ammario