Cloudify 4.4 has dropped! Significant security and usability enhancements (and new modular policy management feature preview)
Cloudify 4.4 is here and we’ve got some major security and UX improvements for you! We also have some cool updates regarding our roadmap towards a more modular architecture and configurable closed-loop orchestration. Some of our new features include a new Dry Run capability as well as an Account Lockout mechanism and many more enhancements to secure Cloudify within your organization.
Let’s have a look at the new features.
Dry run
It’s always important to have a preview of what might happen in a given situation. Our new Dry Run feature gives you the insight into what events will occur, and in what order, before executing a workflow.
This is an extremely useful way for users to be fully aware of the future state of their deployments and is especially helpful before running complicated workflows to ensure no steps are missed or completed incorrectly.
An example of using dry run is cfy executions start install -d dep --dry-run. This option is currently not available in the Cloudify Console (UI).
Dry Run in action
Deployment update
In addition to adding and removing nodes, the ability to update a running deployment now includes the following functionality:
- Changing properties and interfaces of existing nodes
- Updating plugin(s) the blueprint is using
- Updating inputs the deployment is using
- UI indications for the update process and the changed data
The Cloudify Console provides indications that a deployment has been updated
There is also a detailed description of the parameters changed in the update
Hidden-value secrets
Cloudify’s secret store allows keeping private data in the manager’s DB itself, and not in the blueprint’s content, so you can reuse it in multiple blueprints while managing it in one secure location.
In Cloudify 4.4 we added the ability to define a secret’s value as “hidden”, meaning its value will only be exposed to its creator and that tenant’s admins. Other users can still use that secret by referencing the “get_secret” intrinsic function in their blueprint.
With this new ability you can make sure your users’ exposure to the environment’s credentials and other secret information is managed in an even more fine-grained manner than ever before.
Secret from an Admin or Creator view
Secret from an unauthorized user’s view
Account lockout
On the security front, we have the new lockout mechanism that enables admins to define a configurable number of failed login attempts after which an account will be locked. The lockout length is also configurable, so you can decide how much time you want to freeze out your users. This capability makes Cloudify more secure and stable than ever before by preventing false logins from putting a strain on your manager.
Pluggable authentication and Kerberos
User authentication in Cloudify can currently be performed in the following ways:
- Create and manage users directly within Cloudify Manager and have the users authenticated upon logging in with a username and password.
- Integrate with an LDAP-based user-management system or an Okta system, so users are managed externally and are authenticated against this external system.
In 4.4, we have added support for custom authentication systems. This means the authentication mechanism is implemented as an external module to the manager’s core, which also enables you to write and configure user authentication according to your specific needs. You will also have the ability to update settings post installation. See the documentation on external authentication for more information.
Cloudify 4.4 also includes support for the Kerberos framework, which, alongside the external authentication mechanism, can be leveraged to support Kerberos authentication.
Feature preview – Modular Policy Management
One of Cloudify’s advanced capabilities is closed-loop orchestration – enabling automated operations such as healing and scaling based on monitored data and pre-defined thresholds.
With Cloudify 4.4, we’ve taken the first step in our journey towards a modular architecture by enabling external, configurable, and optional monitoring & policy engines, integrating with the manager’s core via plugins.
Alongside support for the existing solution of Diamond monitoring and the Riemann policy engine, we are excited to present a feature preview with the Nagios monitoring and policy solution. Stay tuned for the detailed description and demo of this solution which will be available in the next few weeks.
Also, if automating Day-2 operations is not on your to-do list, why burden your manager installation with irrelevant services? In Cloudify 4.4, the default installation does not include Diamond and Riemann, allowing you to work with a leaner, lighter manager. However, you still have an option to install them using an optional flag.
Ecosystem
Cloudify 4.4 introduces support for Azure stack (more about Azure here), Microsoft’s private cloud, alongside a PoC of integration with Terraform and an Execution plugin.
Many improvements to existing plugins are introduced as well, including:
- Support any CNI network provider with the Kubernetes provider
- Support Multiple NICs, NIC/VM attributes changes in workflow and install, Improved resource status check and delete cleanup and wait in the AWS Plugin
- Improved Day-2 performance in Azure and OpenStack Plugins
- Support Backup/Restore workflows in OpenStack Plugin
- Utility plugin improvements for the deployment proxy, REST plugin and Terminal Plugin
- Support Unknown VM type, support using existing resources, backup/restore and suspend/resume workflows in the vSphere plugin.
User experience enhancements
As always, we put in a significant amount of effort in making the Cloudify experience better and easier. Aside from a generally smoother feel, here are some of the highlights 4.4 delivers in the UX department:
- Cloudify tours: Cloudify Console (the UI) now has a step-by-step feature guiding new users through a flow of actions to take in order to get their applications up and running, as well as performing management tasks such as defining users and tenants. Amongst the suggested tours are Cloudify Console Overview, Initial Manager Setup, From Blueprint to Execution and more.
Cloudify Console offers step-by-step guided tours for new users
- Widget “ReadMe”s: These provide detailed descriptions of the functionalities and information each widget exposes, so you can more quickly understand what it is you’re seeing (just click on the little ? on top right corner of the widget).
- A new “Help” menu: This menu provides links to the documentation, knowledge base, and tutorials for demos and articles on common features of the product.
- Initial template improvements: We’ve improved the way pages and widgets look in Cloudify Console for a more intuitive user experience. Pages now contain much clearer and fewer scary red messages. The updated catalog now contains both supported plugins and ready-to-deploy blueprints, and new, helpful widgets. We encourage you to check them out!
- Assigning a user to tenants upon creation: You can now perform both tasks in one operation.
- Text search for resources: Users can now simply search for a resource within the manager, significantly reducing the time it takes to find that blueprint you were looking for.
- “Copy-to-clipboard”: This small addition will make your life much easier – as you can now copy component attributes easily and intuitively.
- UI performance improvements: Cloudify 4.4 promises significantly improved UI performance with reduced application load time and optimization for source code and polling intervals.
In the next few blog posts, we will be deep diving into some of the features we discussed here, so look out for those coming soon. As always, let us know what you think and join our Slack user group.