URT Configuration System Requirements

Author	Van Van
Area	Configuration System
SubArea	Requirements
Program Management	Markus Horstmann
Development	Robert Craig
Test	Michael Fanning
Reviewers	Boyd Multerer; Robert Craig; Bill Devlin
Current Version	0.3 : 9/12/99 : added two (2) runtime requirements per StevenPr - VanVan
Version History	0.2 : 9/2/99 : added general requirements - VanVan 0.1 : 8/17/99 : file created - VanVan
Status	In Progress

Overview

As we move forward in planning for and designing the Configuration System for URT 1.0, it is critical that we understand who our customers are and what their individual requirements are. This document will serve as a repository for the individual requirements from each team and will be updated as requirements are gathered and consolidated. We will be discussing the issues with each requirement and prioritizing them as well. Please note that this document is specifically implementation independent. Implementation details will be covered in the design specification.

This document will eventually be merged with the final design specification when that becomes available.

Justification

Without a list of requirements in hand, it is difficult, if not impossible to build a system that will satisfy every groups needs. The goal of the URT Configuration Team is to provide a unified Configuration System for the entire URT. In order to do so, our first step is to collect and reflect on all the requirements as we understand them. If you find any information here to be inaccurate or incorrect, please feel free to contact Van Van.

General Requirements

• There is a need for generic (pre-defined) objects in the config system
• There is also a need for outputting strongly typed (custom) objects from the configuration system
• There is a need for generic (base) config factories that performs common merging logic (something that covers the 80% - 90% case)
• There is a need for a layer (layered approach) on top of the base config factories which enable third parties to hook in their custom merge logic

The following are more concrete requirements by the URT as a whole in no particular order:

• XML File based - Specifically for the HTTP Host
• The Stores return data in a consistent format regardless of storage container
• The system supports directives
• Directives are expressed in the form of XML
• The system supports hierachical containment and inheritence
• Configuration Consumers recieve objects
• System is Extensible in these fashions
  • Stores
  • Config Factories/Config Property based merging rules
  • Application Hosts
• Runs on all URT Platforms
  • Win2K (Server and Workstation)
  • NT4 (Server and Workstation)
  • Win9x (exact flavors to be determined)
  • Ultimately WinCE - Not for prerelease
• Supports all known application hosts
  • HTTP
  • EXE
  • IE Hosted Apps
  • VBS - not in pre-release
• Supports secure store of secrets
• Allows securing of configuration system
• Supports change notification of configuration files
• Object Caching in the configuration system

Individual Group Requirements

The following are (listed by the individual groups) the list of requirements as we understand them so far. You can go to specific areas of this document by using the Table Of Contents at the beginning of this document.

Application Server (Administration/UI)

The following list of Application Server requirements stem from an administration/management/UI standpoint.

• The configuration system must be able to be queried along several different axes and return sets of data/applications.
• The configuration system must be able to service requests for machine-wide data and must be designed to handle administration of heterogeneous clusters.
• There must be a single point of access to the configuration data that the Administration toolset can access. This point must also be able to query and return application data as well as system data.
• Administration must be doable when any particular application's process pool is offline or disabled.
• The administration tools must be able to build models of the structure of the system from metadata alone. This is the same reason reflection works the way it does in the runtime. Very meta.
• Changes to a set of properties returned from a query to the config system must be accepted by the config system and applied back out to the original data sources. If there is inheritance and directives roll-up, then this must be accounted for.
• Changes to a set of properties returned from a query or multiple queries must be written out in the scope of a transaction. It is totally bad if we don't do this and we don't have any excuses as it is old technology and it works.
• It must be understandable. The admin tools can probably deal with a limited amount of inheritance or roll-up, but anything more is going to be impossible to deal with. If this thing works but requires a master's degree to operate, we will not succeed.
• Locking Mechanism: In any distributed environment, the chance of two entities modifying configuration information is non-trivial. There must be mechanisms in place that prevents, or at least, makes it difficult to "overwrite" other users settings without knowing it. The actual locking mechanism, pessimistic vs. optimistic, can be discussed at a later time.

Duct Tape

• Text based (preferably XML)
• Support schema as defined by the Ducttape team (spec to be found at http://ericdew2k/specs/configstoredata.htm) such as APPPOOL, WEB SITE, and APPLICATION
• There shouldn't be any file size limitation on the config data. Performance may be a trade off
• No GUIDs or like in object definition. Human readability and editability is key

Runtime (aka Lightning)

The following is the list of requirements by the Runtime team in no specific order:

• Efficient, production implementation of APIs/infrastructure in URT 1.0 release timeframe. Pre-release quality in November, sufficient to allow the runtime to retain its beta quality goals.
  ISSUE: What are these performance/quality goals?
• Publish perf goals, measure against perf with each milestone.
• Production UI in URT 1.0 release, more than just XML/text file edit. Alpha-quality, but fully-functional UI, in November.
• Get in URT integration build starting immediately.
• Publish feature plan / schedule for each milestone, including being very clear what dependencies you have, e.g., xml parser, platforms, other services.
• Equivalent administration feature set on client and server with equal emphasis on both.
• Support for runtime administration schema including assembly and assembly locale, processor, OS, ref, ref locale, ref processor, ref OS; and file, comtype, manifest resource, and execution location.
  ISSUE: Are there any file caching requirements?
• Must support various change notification scenarios. In some cases, running code wants to be immediately notified when a config file changes. In other scenarios, the running code wants to take a snapshot of the config data at startup and be unaffected by changes. For the runtime in particular, these snapshots must be maintained per app domain.
  ISSUE: Are these the only two scenarios or are there more?
• Run on NT4, W2K, Win9x.
  ISSUE: What about alpha, terminal server, and WinCE? Dates?
• Must be consistent config model for:
  • Installed client executable
  • Code download through a browser
  • Web apps (XSP application)
• Support configuration retrieval from XML and Secure store
• Security requirements for the runtime
  • Machine security policy based on groups with associated permissions to be granted; groups include named publishers for signed code (e.g. "Microsoft Corp" for AuthentiCode signature), web site origin of code (e.g. "www.microsoft.com"), zone of origin of code (e.g. Internet, intranet, etc.), and strong name (e.g. cryptographically unspoofable namespace for code)
  • Permissions associated with groups will be sets of permissions defined by name, either pre-defined defaults we supply or XML description of permissions in a file that may be authored/modified by admin/users.
  • Need a flag to turn on/off security globally (probably a handful of flags for "debugging" purposes)
  • Configuration based on user and machine. For example, in a large enterprise all clients will have some kind of basic policy - e.g. don't run unmanaged code downloads from the outside, etc. - that apply to all users and should be replicated to all client machines; however, developers within the enterprise, say, may be allowed to run unmanaged code, yet perhaps "normal workers" would only be allowed to run managed code. That is - the security policy in effect on a client is different depending on who logs in (dev or worker); the machine policy is universal but depending on the user there may be further restrictions or possibly overrides (whatever merge logic is) applicable. In an enterprise, admin needs to be able to "lock down" machine settings against tampering by local user. Rely on OS user login.
  • Hierarchical restrictions for site hosting. An ISP has a box they host hundreds of independent sites - a.com b.com and c.com all run on one NT box unbeknownst to each other. For a b and c to admin their "very own" virtual machines they login separately and would want security policy that keeps their code from interacting. So the ISP "real machine admin" is top boss and hands out pieces of the system to a b and c; each site in turn has admin rights on their "virtual machine" within their various areas. Obviously, admin b can only config their own stuff and further can only give out security permissions within the constraints the ISP admin has set. For example, b.com may have all of C:\B folder but may want to further restrict file access to C:\B\TEMP for certain code, yet we can't allow b.com admin to hand out C:\C folder access (that's c.com's area of course).
    Model should be general but implementation may limit hierarchy to depth of just two levels to reduce complexity and testing effort (two levels supports the ISP hosting of sites nicely, or in an enterprise the machine admin - ITG here - versus site owners like various departments within the org).
  • The store itself must also be secure. All security/policy and probably just about all other config settings will need to be secure, esp. in the ISP hosting example above we don't want a.com being able to even see much less alter any of b.com's settings.
  • Provide for some sort of tamper-detection. The next level would be tamper-detection plus obscuring anyone but the admin from seeing config info; next level would be preventing any read or write access (we would like that higer level, but could live with the minimum for November I think) Protection will ultimately be as good as base OS security protection can support, which will vary by platform.
  • Only authorized admin can change config.
    ISSUE: How do we define who can be an admin? Do we need access roles for config/policy?
• The configuration store must be able to be backed-up and restored given the appropriate permissions.
  ISSUE: How do you backup a secure config?
• By the third week in August, the runtime needs the following:
  • Be ported to Win9x
  • Handle stores provided by the runtime (XML file based on the file name of the application)
  • Have a default validation/merge layer that can be used by the runtime
  • Provide API's for retrieving the merged configuration
    ISSUE: Are the interfaces managed, native, or both?
    ISSUE: What are the merge scenarios?
  • Minimal impact when there are no relevant stores
  • Support a download. This is basically the same as the shell. The IE host will be responsible for making the store available to the configuration system.
• Must support the storage and retreival of user defined objects. Both our security and context features support the capability for customers to build their own configurable objects. For example, I could define a custom permission that controls access to a dedicated hardware device.

XSP

These are the requirements of XSP in no particular order:

• Configuration directives are associated with nodes in a hierarchy. Nodes in the hierarchy represent machines, sites, applications, directories, files, set of directories matching a regex and sets of files matching a regex.
• The configuration for a child node is computed by merging the parent node's configuration and the child node's configuration directives. The directives can take any form. Examples include simple name-value pairs, imperative commands (add/remove script mapping) or scripts (url rewriting). The merge semantics are also open ended. Examples include union and intersection.
  ISSUE: Can you specify the child's config info at the parent?
• Store configuration directives in human readable text files. This allows the website developer to use the same set of tools for website content and configuration files. These tools include Notepad, XCOPY, FTP, source code control systems, diff and so on. Note that GUIDs and excessive use of IDREFs fall outside the realm of human readability.
• Optimize data access for multiple reads in the same application domain.
• Cache data in memory using types determined by the developer. This helps with performance and it helps to discourage the creation of custom configuration caches.
• The cost of reading and parsing one or more text files when loading configuration information for the first time in an application domain is acceptable. The cost is small compared to the cost of serving out a handful of dynamic pages.
• Use the same update semantics for content and configuration information. If content changes are picked up immediately after a file change, then configuration changes should be picked up immediately after a file change. Although transacted update of configuration is desirable, it only makes sense if all aspects of an application or web site are updated in the same transaction.
• Support the edit-save-test cycle that is so popular with ASP developers. In this mode of operation, the developer makes changes a file in an editor, saves the changes to disk and refreshes the browser to see the changes. Any errors are reported back to browser through the HTTP response.
• Handle ISP scenarios where the site administrator's only access to the machine is through FTP. The configuration does not require a "kick".
• Handle configuration files dribbling in through FTP over a slow link. Cooking the configuration information on every change as they occur might have undesirable performance characteristics.
• Allow application and component developers to define new types of configuration information and merge semantics.
• Do not require site-wide administrative control when extending the configuration system.
• Build XSP using the public extensibility mechanism to ensure that the extensibility model is complete and robust.
• Minimize the number of data access APIs the developer needs to learn to extend the configuration system. For one reason or another, developers will probably learn XML-DOM and XDO. All configuration data manipulation should be through one of these APIs or through object access.
• Minimize the number of data representations that the developer must understand to extend the configuration system. At a minimum, the developer must understand two representations of the data: the in memory representation and the configuration file representation. If any intermediate data representations are used, then they should be hidden from the user.
• Execute application or component supplied configuration extensions in the host application's application domain. This ensures that the configuration extension is loaded from the correct location and that the extension runs in the correct security context.
• Fire change notification events. This allows XSP, components and applications to remove dependent information from caches.
• Use XSP's file change notification system. We don't need more than one file change notification system running in the process.
  ISSUE: Need more investigation in the XSP file change notification system.