Online Release for October 2013 - Archived

We’re proud to announce another update to OpenShift Online. One of the most requested features is now available–group membership and user management. Before today people working in teams (and there’s lots of them) could only grant access using ssh public keys. It wasn’t ideal, but people made it work. Now the owner of an account can add and remove users from groups, grant group access to applications, and set levels of access. In order to take advantage of this new feature make sure you have the most recent client tools installed:

gem update rhc

Grant Access to Your Domain for Teams and Collaboration

Users can now grant other people access to their domain as a viewer, editor, or administrator. They then have access to the applications in that domain with the appropriate permissions. Here’s how the permissions break down:

  • Viewer : A viewer can see all the applications in a domain and can see everything EXCEPT environment variables in the application.
  • Editor: An editor on a domain can add/remove applications, cartridges, and change settings on the app. This includes viewing/editing environment variables and access to the applications git repo, ssh, etc. An editor can also do everything a viewer can do.
  • Administrator: An administrator can do everything an editor can do, as well as change the name and members of a domain.

Adding a member

Adding a member to a domain is simple – from the console, click the domain name (they’re now links) and in the right column click “Add a member…”. In the form, enter the other person’s login and select a role (by default, it’s editor). Your login is always shown in the upper right of the console. The new member will be added to the domain and to any applications – if you add an editor or administrator, it may take a few seconds for them to have their SSH access activated on an app.

Users who prefer the command line tools can simple use them by running:

rhc add-member -n $DOMAIN_NAME -r edit

The members of a domain or application can be seen with:

rhc members -n $DOMAIN_NAME

or through:

rhc domain show

Removing members uses remove-member:

rhc remove-member -n $DOMAIN_NAME

Users who wish to leave a domain they’ve been invited to can use “leave-domain”:

rhc leave-domain $DOMAIN_NAME

Note: when referencing a user, please use their username (which is sometimes the same as their email address, sometimes not).

Additionally we’ve allowed domain administrators to limit the size of their gears on a specific domain. This is handy, for example, when an administrator wants to ensure the domain is only used for development purposes (and thus only provides smaller gears). Via the UI, on the domain page, the right column will show a list of available gear sizes and whether they are allowed in the domain. Deselect the requested gear sizes and click “Save”

Shared secret token

We’ve also added an environment variable called OPENSHIFT_SECRET_TOKEN. This randomly generated token is now synced across all gears in an application and allows users to key off of it like a shared key. There are several use cases with this including cookie encryption and we use it for Jboss clustering.

A concrete example of OPENSHIFT_SECRET_TOKEN is in forming jbossas and jbossews clusters. By using this random string, it means each cluster now has a random token at cartridge creation rather than having security conscience application developers override the cartridge default.

<protocol type="AUTH">
     <property name="auth_class">org.jgroups.auth.MD5Token</property>
     <property name="token_hash">SHA</property>
     <property name="auth_value">${env.OPENSHIFT_SECRET_TOKEN}</property>

This value could be used the the seed in Rails applications for their secret_token. Hope that helps.

Websocket Restoration

Web socket application restoration now works! If you’re not familiar with our platform, when an application hasn’t been used or had code deployed to it for a while, we idle it. This means we turn it off so it’s not wasting memory and CPU cycles. When new code is deployed or someone requests a webpage, we automatically turn the app back on–this may explain why your app takes a little longer to run when it hasn’t been accessed in a while. Until recently the restoration part didn’t work web socket applications.

Gear Cost Visibility

As more and more people sign up for our Silver Plan, more and more users have requested more visibility into gear usage. In the past it has been non-obvious when a new gear would be added vs just some additional free feature. We’ve re-vamped our web UI to make these additions more obvious. As you’re navigating our console, actions that may increase your gear count (and thus your bill) are now much more obvious than before.

Give Us Feedback

As always we’re interested in what you think of our new features and OpenShift in general. Drop us a line –

What’s Next?

News, OpenShift Online
Comments are closed.