I am very excited to share that the first use of webSpoon is in production! During my visit to PCM17 (Pentaho Community Meeting 2017: Summary, presentations, pictures), I received great feedback on my work with webSpoon and expectations for its future. Above all, a story from Rafael Valenzuela (@sowe) was the most exciting for me and should be valuable to anyone interested in webSpoon. For those who are not familiar, webSpoon is a web-based alternative to Spoon with the same look and feel. It is an open source project that is not supported by Pentaho, Hitachi Vantara or Hitachi. For more information, visit https://www.slideshare.net/HiromuHota/updates-on-webspoon-and-other-innovations-from-hitachi-rd.
Fig1: Rafael (right) and me (left) in the PCM17 group picture (Copyright: it-novum)
It has been great to see how webSpoon has matured in its stability, functionality, and usability over the last year. However, the software still has some limitations (they are not Spoon’s limitations). The most important limitation is security (especially for production use): user authorization has not been properly implemented. In a nutshell, end-users inherit the privileges of the user who runs webSpoon (more precisely, the user who runs Tomcat). For example, if root runs Tomcat, any end-user has root privileges and can execute disastrous operations. Another example is incomplete isolation among end-users: Alice can see Bob’s configuration files and can read/write Bob’s Kettle files (if they are stored locally).
One work-around for the above security issue is to dedicate a different webSpoon instance to each user. On the flip side, however, this requires more machine resources and more (instance) management. Rafael and his team have found a painless solution and have been providing Spoon-as-a-Service to about 150 internal users at their company (Tuenti, a Spain-based tech company).
Fig2: solution architecture
Their solution, illustrated above, roughly consists of:
- A portal, similar to https://github.com/gravitational/teleport, that handles user authentication and acts as a reverse proxy between a client browser and the user's dedicated webSpoon instance;
- webSpoon instances on a Kubernetes cluster;
- Git repositories for versioning and file transfer from the development environment (webSpoon) to the production environment (Pentaho Server);
- Pentaho Server to execute developed Kettle files.
With this solution, every user goes to the same portal. Once authenticated, he/she can use his/her dedicated webSpoon instance. It is painless for end-users because they only have to know a single URL for the portal that never changes, and also for admins because webSpoon instances are automatically deployed upon a user’s request through the portal.
An end-user clones a Git repository into his/her webSpoon, does some development, makes commits, then pushes back to the remote repository. This Git repository manages not only Kettle files, but also user config files such as kettle.properties and jdbc.properties. Rafael has developed a tool called “Hell Kitchen” (https://github.com/sowe/hell_kichen), which schedules the execution of a Kettle file with a specified PDI version and environment. The final piece of their solution is to use “Hell Kitchen” to deploy Kettle files with user config files to a Pentaho Server.
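The per-user isolation this design relies on can be checked from the Pod manifests themselves. The following is an added example, not code from webSpoon or from Tuenti's deployment: it flags webSpoon instances that may run as root or that share storage across users. The `webspoon-user` label, the pod and claim names, and the sample manifests are assumptions constructed for illustration.

```python
from collections import defaultdict

USER_LABEL = "webspoon-user"  # hypothetical label naming the instance's owner

def may_run_as_root(pod_sc, ctr_sc):
    """True unless the effective securityContext rules out UID 0."""
    # Container-level settings take precedence over pod-level ones.
    uid = ctr_sc.get("runAsUser", pod_sc.get("runAsUser"))
    if uid is not None:
        return uid == 0
    # No UID pinned: the image default applies unless runAsNonRoot is enforced.
    return not ctr_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))

def audit(pods):
    """Return sorted (pod name, finding) pairs for a list of Pod manifests."""
    findings, claim_owners = set(), defaultdict(set)
    for pod in pods:
        name, spec = pod["metadata"]["name"], pod["spec"]
        owner = pod["metadata"].get("labels", {}).get(USER_LABEL)
        if owner is None:
            findings.add((name, "no owner label"))
        pod_sc = spec.get("securityContext", {})
        for ctr in spec["containers"]:
            if may_run_as_root(pod_sc, ctr.get("securityContext", {})):
                findings.add((name, f"container {ctr['name']} may run as root"))
        for vol in spec.get("volumes", []):
            if "hostPath" in vol:  # node-local files are visible to other pods
                findings.add((name, f"volume {vol['name']} is a hostPath"))
            claim = vol.get("persistentVolumeClaim", {}).get("claimName")
            if claim:
                claim_owners[claim].add((name, owner))
    for claim, users in claim_owners.items():
        if len({owner for _, owner in users}) > 1:
            findings.update((n, f"claim {claim} shared across users") for n, _ in users)
    return sorted(findings)

def pod(name, owner, uid, claim):  # builds a constructed sample manifest
    return {"metadata": {"name": name, "labels": {USER_LABEL: owner}},
            "spec": {"securityContext": {"runAsUser": uid},
                     "containers": [{"name": "webspoon"}],
                     "volumes": [{"name": "kettle",
                                  "persistentVolumeClaim": {"claimName": claim}}]}}

SAMPLE = [pod("ws-alice", "alice", 1000, "kettle-alice"),
          pod("ws-bob", "bob", 0, "kettle-alice")]  # constructed: root UID, Alice's claim

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```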
As far as I know, this is the first use of webSpoon in production. I know some other organizations are now trying to use it, so I hope this blog encourages and helps them develop their environment more quickly and confidently. Lastly, please tell me your story if you’ve already used webSpoon or let me help you do that.
- Opinions are my own and not the views of my employer.
- Pentaho is a registered trademark of Hitachi Vantara Corporation.
- Kubernetes and the Kubernetes logo are registered trademarks of The Linux Foundation in the United States and/or other countries.
- Git and the Git logo are either registered trademarks or trademarks of Software Freedom Conservancy, Inc., corporate home of the Git Project, in the United States and/or other countries.
- Git Logo by Jason Long is licensed under the Creative Commons Attribution 3.0 Unported License.