Understanding Workflows

A workflow is embodied in a valid ECMAScript file that contains a single global variable: workflow. The workflow object must contain at least three members:

Table 9-1 Required workflow Object Members

Required Member   Type       Description

name              String     Name of the workflow
description       String     Description of the workflow
execute           Function   Function that executes the workflow

Workflow authorizations

Workflows are managed using workflow authorizations. The authorizations include the workflow owner and workflow UUID in the authorization name.

  • workflow.<owner>.<uuid>.read is required to see and run a workflow. To grant an administrator the ability to see and run any workflow, grant workflow.*.*.read.

    There is no concept of being able to see (read) a workflow but not execute it (or vice versa).

  • workflow.<owner>.<uuid>.modify is required to make changes to a workflow, including changes to the setid property.

  • workflow.<target_owner>.<uuid>.changeOwner is required to change the owner property of a workflow to <target_owner>.

    When changing the workflow owner, the user must meet one of the following requirements:

    • The user is the current owner of the workflow and has workflow.<target_owner>.*.changeOwner.

    • The user has both workflow.<current_owner>.*.modify and workflow.<target_owner>.*.changeOwner.

Note: Granting workflow read, modify, and changeOwner authorizations to the same administrator effectively provides full root access to the system, because the administrator can upload a workflow and make it run as root. Grant changeOwner only to a very limited set of trusted administrators.
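
The ownership-change rule and the combination described in the note above can be checked against a set of grants. The following is an added example, not part of the original documentation or the appliance's own code. The function names and sample grants are constructed, and it assumes that a "*" segment in a granted authorization matches any owner or UUID and that a UUID-specific grant is sufficient.

```javascript
// Added example; function names and sample grants are constructed, not appliance APIs.
// Assumption: a "*" segment in a granted authorization matches any owner or UUID.
function covers(granted, required) {
  const g = granted.split('.');
  const r = required.split('.');
  return g.length === r.length && g.every((seg, i) => seg === '*' || seg === r[i]);
}

function hasAuth(auths, required) {
  return auths.some((a) => covers(a, required));
}

// Ownership-change rule: changeOwner on the target owner is always needed, plus
// either being the current owner or holding modify on the current owner's workflow.
function canChangeOwner(user, auths, wf, targetOwner) {
  const change = hasAuth(auths, `workflow.${targetOwner}.${wf.uuid}.changeOwner`);
  const modify = hasAuth(auths, `workflow.${wf.owner}.${wf.uuid}.modify`);
  return change && (user === wf.owner || modify);
}

// Audit: list administrators who hold read, modify and changeOwner together,
// the combination the note describes as effectively root access.
function rootEquivalentAdmins(grants) {
  const risky = ['read', 'modify', 'changeOwner'];
  return Object.keys(grants).filter((admin) => {
    const actions = new Set(
      grants[admin]
        .filter((a) => a.startsWith('workflow.'))
        .map((a) => a.split('.').pop())
    );
    return risky.every((action) => actions.has(action));
  });
}

// Constructed sample data: administrator name -> granted authorizations.
const GRANTS = {
  alice: ['workflow.*.*.read', 'workflow.alice.*.modify', 'workflow.bob.*.changeOwner'],
  carol: ['workflow.*.*.read'],
  dave: ['workflow.alice.*.modify', 'workflow.root.*.changeOwner'],
};
const WF = { owner: 'alice', uuid: 'uuid-0001' }; // constructed workflow record

console.log('alice -> bob:', canChangeOwner('alice', GRANTS.alice, WF, 'bob'));
console.log('dave -> root:', canChangeOwner('dave', GRANTS.dave, WF, 'root'));
console.log('root-equivalent admins:', rootEquivalentAdmins(GRANTS));
```

In the sample data, dave cannot see or run workflows, yet he can reassign a workflow owned by alice to root, so changeOwner grants are worth reviewing on their own as well as in combination.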

Example 9-1 Hello World Workflow

This example shows a simple workflow.

var workflow = {
       name: 'Hello world',
       description: 'Bids a greeting to the world',
       execute: function () { return ('hello world!') }
};

Uploading this workflow results in a new workflow named "Hello world". Executing this workflow results in the output "hello world!".

Example 9-2 Using the Workflow Run Function to Return CPU Utilization

Workflows execute asynchronously in the appliance shell, running (by default) as the user that is executing the workflow. If the workflow has setid: true, the workflow runs as the owner of the workflow instead of the user who started it. As such, workflows have at their disposal the appliance scripting facility (see Working with CLI Scripting), and can interact with the appliance in the same way as any other instance of the appliance shell. For example, workflows can execute commands, parse output, and modify state. This more complex example uses the run function to return the current CPU utilization.

var workflow = {
       name: 'CPU utilization',
       description: 'Displays the current CPU utilization',
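       execute: function () {
               // Select the cpu.utilization analytics dataset.
               run('analytics datasets select name=cpu.utilization');
               // Take the second line of the 'csv 1' output and split it into fields.
               // Declared with var so that cpu does not become an implicit global.
               var cpu = run('csv 1').split('\n')[1].split(',');
               return ('At ' + cpu[0] + ', utilization is ' + cpu[1] + '%');
       }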
};