bosh-director 1.3202.0 → 1.3213.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 2c0a7cb66eb81b7bc267bfbe73d9c21b7493842a
-  data.tar.gz: cb26be183757635f946fc7db7b440e5d5cd745fa
+  metadata.gz: 80b916377f341047163e53997092a6df6ae2129e
+  data.tar.gz: ac33c1cd3698034c745895a8f60fd09dfd759e1a
 SHA512:
-  metadata.gz: c007a923353b2face4ab79b4e11a5aee2a5ef8838433cd4bb4bdb3339336f4b8d54727fb2cf9f8761d9f0cae51b644ca42a8ba6e15b19c23a3a6fe2405f0f00c
-  data.tar.gz: f4e508a6c6920cd4da88f4c614d07b09f690962ef900485bfda426f6e09159765595e0549530e96192b3dd9f7dc9722f84f156eb173ae7ecc3dafcb6184c877a
+  metadata.gz: 36df0a755fa74b497cde0c4e87c5c88f64b43cc63d384edd29e63675a5029bb95824f881c5910c6eb823fe723e1c28a1245faccaa4ce26be30fd306bc56c94e4
+  data.tar.gz: 1b1f672cb69232dad861cb533f8da0d1ff03664dd771a24dc245b65246ee3b8275938ece8172006c21f35f06f1d8237579ba3bfab87aeb8a11df35b8f61b1262

data/db/migrations/director/20151223172000_rename_requires_json.rb

@@ -0,0 +1,7 @@
+Sequel.migration do
+  change do
+    alter_table :templates do
+      rename_column :requires_json, :consumes_json
+    end
+  end
+end

data/db/migrations/director/20160106162749_runtime_configs.rb

@@ -0,0 +1,19 @@
+Sequel.migration do
+  change do
+    adapter_scheme =  self.adapter_scheme
+
+    create_table :runtime_configs do
+      primary_key :id
+
+      if [:mysql2, :mysql].include?(adapter_scheme)
+        longtext :properties
+      else
+        text :properties
+      end
+
+      Time :created_at, null: false
+
+      index :created_at
+    end
+  end
+end

data/db/migrations/director/20160106163433_add_runtime_configs_to_deployments.rb

@@ -0,0 +1,7 @@
+Sequel.migration do
+  change do
+    alter_table(:deployments) do
+      add_foreign_key :runtime_config_id, :runtime_configs
+    end
+  end
+end

data/db/migrations/director/20160202162216_add_post_start_completed_to_instance.rb

@@ -0,0 +1,7 @@
+Sequel.migration do
+  change do
+    alter_table(:instances) do
+      add_column :post_start_completed, TrueClass, default: true
+    end
+  end
+end

data/db/migrations/director/20160210201838_denormalize_compiled_package_stemcell_id_to_stemcell_name_and_version.rb

@@ -0,0 +1,57 @@
+Sequel.migration do
+  change do
+    alter_table(:compiled_packages) do
+      add_column :stemcell_os, String
+      add_column :stemcell_version, String
+    end
+
+    self[:compiled_packages].each do |compiled_package|
+      next unless compiled_package[:stemcell_id]
+
+      stemcell = self[:stemcells].filter(id: compiled_package[:stemcell_id]).first
+      stemcell_os = stemcell[:operating_system].to_s.empty? ? stemcell[:name] : stemcell[:operating_system]
+
+      self[:compiled_packages].filter(id: compiled_package[:id]).update(
+        stemcell_os: stemcell_os,
+        stemcell_version: stemcell[:version]
+      )
+    end
+
+    if [:mysql2, :mysql, :postgres].include?(adapter_scheme)
+      stemcell_foreign_keys = foreign_key_list(:compiled_packages).select { |constraint| constraint.fetch(:columns).include?(:stemcell_id) }
+      raise 'Failed to run migration, found more than 1 stemcell foreign key' if stemcell_foreign_keys.size != 1
+      stemcell_foreign_key_name = stemcell_foreign_keys.first.fetch(:name)
+
+      build_indexes = indexes(:compiled_packages).select { |_, value| value.fetch(:columns) == [:package_id, :stemcell_id, :build] }
+      raise 'Failed to run migration, found more than 1 build index' if build_indexes.size != 1
+      # build_indexes is an array, where each element is an array with first element being the name of index
+      build_index = build_indexes.first.first
+
+      stemcell_indexes = indexes(:compiled_packages).select { |_, value| value.fetch(:columns) == [:package_id, :stemcell_id, :dependency_key_sha1]}
+      raise 'Failed to run migration, found more than 1 stemcell_id index' if stemcell_indexes.size != 1
+      # stemcell_indexes is an array, where each element is an array with first element being the name of index
+      stemcell_index = stemcell_indexes.first.first
+
+      if [:mysql2, :mysql].include?(adapter_scheme)
+        alter_table(:compiled_packages) do
+          drop_index(nil, name: build_index)
+        end
+      elsif [:postgres].include?(adapter_scheme)
+        alter_table(:compiled_packages) do
+          drop_constraint(build_index)
+        end
+      end
+
+      alter_table(:compiled_packages) do
+        drop_constraint(stemcell_foreign_key_name, :type => :foreign_key)
+        add_index [:package_id, :stemcell_os, :stemcell_version, :build], unique: true, name: 'package_stemcell_build_idx'
+        add_index [:package_id, :stemcell_os, :stemcell_version, :dependency_key_sha1], unique: true, name: 'package_stemcell_dependency_idx'
+        drop_index(nil, name: stemcell_index)
+      end
+    end
+
+    alter_table(:compiled_packages) do
+      drop_column :stemcell_id
+    end
+  end
+end

data/db/migrations/director/20160219175840_add_column_teams_to_deployments.rb

@@ -0,0 +1,8 @@
+Sequel.migration do
+  change do
+    alter_table(:deployments) do
+      drop_column(:scopes)
+      add_column :teams, String
+    end
+  end
+end

data/db/migrations/director/20160224222508_add_deployment_name_to_task.rb

@@ -0,0 +1,7 @@
+Sequel.migration do
+  change do
+    alter_table(:tasks) do
+      add_column :deployment_name, String, default: nil
+    end
+  end
+end

data/db/migrations/director/20160225182206_rename_post_start_completed.rb

@@ -0,0 +1,8 @@
+Sequel.migration do
+  change do
+    alter_table :instances do
+      rename_column :post_start_completed, :update_completed
+      set_column_default :update_completed, false
+    end
+  end
+end

data/lib/bosh/director.rb

@@ -59,15 +59,20 @@ require 'bosh/director/blob_util'
 require 'bosh/director/agent_client'
 require 'cloud'
 require 'bosh/director/compile_task'
+require 'bosh/director/key_generator'
+require 'bosh/director/package_dependencies_manager'
+
 require 'bosh/director/job_renderer'
 require 'bosh/director/cycle_helper'
 require 'bosh/director/encryption_helper'
+require 'bosh/director/password_helper'
 require 'bosh/director/vm_creator'
 require 'bosh/director/vm_recreator'
 require 'bosh/director/vm_deleter'
 require 'bosh/director/vm_metadata_updater'
 require 'bosh/director/instance_reuser'
 require 'bosh/director/deployment_plan'
+require 'bosh/director/compiled_release'
 require 'bosh/director/errand'
 require 'bosh/director/duration'
 require 'bosh/director/hash_string_vals'
@@ -75,6 +80,7 @@ require 'bosh/director/instance_deleter'
 require 'bosh/director/instance_updater'
 require 'bosh/director/instance_updater/preparer'
 require 'bosh/director/instance_updater/state_applier'
+require 'bosh/director/instance_updater/instance_state'
 require 'bosh/director/disk_manager'
 require 'bosh/director/stopper'
 require 'bosh/director/job_runner'
@@ -86,6 +92,7 @@ require 'bosh/director/nats_rpc'
 require 'bosh/director/network_reservation'
 require 'bosh/director/problem_scanner/scanner'
 require 'bosh/director/problem_resolver'
+require 'bosh/director/post_deployment_script_runner'
 require 'bosh/director/error_ignorer'
 require 'bosh/director/deployment_deleter'
 require 'bosh/director/permission_authorizer'
@@ -94,6 +101,7 @@ require 'bosh/director/sequel'
 require 'common/thread_pool'
 
 require 'bosh/director/manifest/manifest'
+require 'bosh/director/manifest/redactor'
 require 'bosh/director/manifest/changeset'
 require 'bosh/director/manifest/diff_lines'
 
@@ -168,6 +176,7 @@ require 'bosh/director/api/controllers/tasks_controller'
 require 'bosh/director/api/controllers/task_controller'
 require 'bosh/director/api/controllers/users_controller'
 require 'bosh/director/api/controllers/cloud_configs_controller'
+require 'bosh/director/api/controllers/runtime_configs_controller'
 require 'bosh/director/api/controllers/locks_controller'
 require 'bosh/director/api/controllers/restore_controller'
 require 'bosh/director/api/route_configuration'

data/lib/bosh/director/api.rb

@@ -23,11 +23,11 @@ require 'bosh/director/api/task_manager'
 require 'bosh/director/api/user/config_user_manager'
 require 'bosh/director/api/user/database_user_manager'
 require 'bosh/director/api/user/user_manager_provider'
-require 'bosh/director/api/vm_state_manager'
 require 'bosh/director/api/backup_manager'
 require 'bosh/director/api/resurrector_manager'
 require 'bosh/director/api/restore_manager'
 require 'bosh/director/api/cloud_config_manager'
+require 'bosh/director/api/runtime_config_manager'
 
 require 'bosh/director/api/instance_lookup'
 require 'bosh/director/api/deployment_lookup'

data/lib/bosh/director/api/api_helper.rb

@@ -76,6 +76,33 @@ module Bosh::Director
       rescue SystemCallError => e
         raise SystemError, e.message
       end
+
+      def prepare_yml_file(yml_stream, manifest_type, skip_validation = false)
+        random_file_name = "#{manifest_type}-#{SecureRandom.uuid}"
+        tmp_manifest_dir = Dir::tmpdir
+
+        manifest_file_path = File.join(tmp_manifest_dir, random_file_name)
+        unless check_available_disk_space(tmp_manifest_dir, yml_stream.size)
+          raise NotEnoughDiskSpace, 'Uploading manifest failed. ' +
+              "Insufficient space on BOSH director in #{tmp_manifest_dir}"
+        end
+
+        write_file(manifest_file_path, yml_stream)
+
+        validate_manifest_yml(File.read(manifest_file_path)) unless skip_validation
+
+        manifest_file_path
+      end
+
+      def validate_manifest_yml(yml_string)
+        raise BadManifest, 'Manifest should not be empty' unless yml_string.to_s != ''
+
+        begin
+          Psych.parse(yml_string)
+        rescue Psych::SyntaxError => e
+          raise BadManifest, "Incorrect YAML structure of the uploaded manifest: #{e.inspect}"
+        end
+      end
     end
   end
 end

data/lib/bosh/director/api/controllers/base_controller.rb

@@ -10,18 +10,14 @@ module Bosh::Director
           @config = config
           @logger = Config.logger
           @identity_provider = config.identity_provider
-          @deployment_manager = DeploymentManager.new
+          @permission_authorizer = PermissionAuthorizer.new(config.get_uuid_provider)
           @backup_manager = BackupManager.new
           @restore_manager = RestoreManager.new
-          @instance_manager = InstanceManager.new
           @resurrector_manager = ResurrectorManager.new
-          @problem_manager = ProblemManager.new(@deployment_manager)
-          @property_manager = PropertyManager.new(@deployment_manager)
           @release_manager = ReleaseManager.new
           @snapshot_manager = SnapshotManager.new
           @stemcell_manager = StemcellManager.new
           @task_manager = TaskManager.new
-          @vm_state_manager = VmStateManager.new
           @dns_manager = DnsManagerProvider.create
           @disk_manager = DiskManager.new(nil, @logger)
         end
@@ -31,6 +27,8 @@ module Bosh::Director
         mime_type :tgz,       'application/x-compressed'
         mime_type :multipart, 'multipart/form-data'
 
+        ROUTES_WITH_EXTENDED_TIMEOUT = ['/stemcells', '/releases', '/restore']
+
         attr_reader :identity_provider
 
         def self.consumes(*types)
@@ -45,6 +43,31 @@ module Bosh::Director
           end
         end
 
+        before do
+          auth_provided = %w(HTTP_AUTHORIZATION X-HTTP_AUTHORIZATION X_HTTP_AUTHORIZATION).detect do |key|
+            request.env.has_key?(key)
+          end
+
+          if auth_provided
+            begin
+              extended_token_timeout = ROUTES_WITH_EXTENDED_TIMEOUT.include?(request.path) &&
+                request.media_type == mime_type(:multipart) &&
+                request.request_method == 'POST'
+
+              @user = identity_provider.get_user(request.env, extended_token_timeout: extended_token_timeout)
+            rescue AuthenticationError
+            end
+          end
+
+          if requires_authentication?
+            response['WWW-Authenticate'] = 'Basic realm="BOSH Director"'
+            if @user.nil?
+              message = "Not authorized: '#{request.path}'\n"
+              throw(:halt, [401, message])
+            end
+          end
+        end
+
         def requires_authentication?
           true
         end

data/lib/bosh/director/api/controllers/cloud_configs_controller.rb

@@ -4,16 +4,17 @@ module Bosh::Director
   module Api::Controllers
     class CloudConfigsController < BaseController
       post '/', :consumes => :yaml do
-        properties = request.body.string
-        Bosh::Director::Api::CloudConfigManager.new.update(properties)
+        manifest_text = request.body.read
+        validate_manifest_yml(manifest_text)
 
+        Bosh::Director::Api::CloudConfigManager.new.update(manifest_text)
         status(201)
       end
 
       get '/', scope: :read do
         if params['limit'].nil? || params['limit'].empty?
           status(400)
-          body("limit is required")
+          body('limit is required')
           return
         end
 

data/lib/bosh/director/api/controllers/deployments_controller.rb

@@ -2,17 +2,62 @@ require 'bosh/director/api/controllers/base_controller'
 
 module Bosh::Director
   module Api::Controllers
+    module DeploymentsSecurity
+      def route(verb, path, options = {}, &block)
+        options[:scope] ||= :authorization
+        options[:authorization] ||= :admin
+        super(verb, path, options, &block)
+      end
+
+      def authorization(perm)
+        return unless perm
+
+        condition do
+          subject = :director
+          permission = perm
+
+          if :diff == permission
+            begin
+              @deployment = Bosh::Director::Api::DeploymentLookup.new.by_name(params[:deployment])
+              subject = @deployment
+              permission = :admin
+            rescue DeploymentNotFound
+              permission = :create_deployment
+            end
+          else
+            if params.has_key?('deployment')
+              @deployment = Bosh::Director::Api::DeploymentLookup.new.by_name(params[:deployment])
+              subject = @deployment
+            end
+          end
+
+          @permission_authorizer.granted_or_raise(subject, permission, token_scopes)
+        end
+      end
+    end
+
     class DeploymentsController < BaseController
+      register DeploymentsSecurity
+
+      def initialize(config)
+        super(config)
+        @deployment_manager = Api::DeploymentManager.new
+        @problem_manager = Api::ProblemManager.new
+        @property_manager = Api::PropertyManager.new
+        @instance_manager = Api::InstanceManager.new
+        @deployments_repo = DeploymentPlan::DeploymentRepo.new
+      end
+
       get '/:deployment/jobs/:job/:index_or_id' do
-        instance = @instance_manager.find_by_name(params[:deployment], params[:job], params[:index_or_id])
+        instance = @instance_manager.find_by_name(deployment, params[:job], params[:index_or_id])
 
         response = {
-          deployment: params[:deployment],
+          deployment: deployment.name,
           job: instance.job,
           index: instance.index,
           id: instance.uuid,
           state: instance.state,
-          disks: instance.persistent_disks.map {|d| d.disk_cid}
+          disks: instance.persistent_disks.map { |d| d.disk_cid }
         }
 
         json_encode(response)
@@ -30,11 +75,15 @@ module Bosh::Director
         }
         options['skip_drain'] = params[:job] if params['skip_drain'] == 'true'
 
-        deployment = @deployment_manager.find_by_name(params[:deployment])
-        manifest = ((request.content_length.nil?  || request.content_length.to_i == 0) && (params['state'])) ? StringIO.new(deployment.manifest) : request.body
+        if (request.content_length.nil?  || request.content_length.to_i == 0) && (params['state'])
+          manifest_file_path = prepare_yml_file(StringIO.new(deployment.manifest), 'deployment', true)
+        else
+          manifest_file_path = prepare_yml_file(request.body, 'deployment')
+        end
 
         latest_cloud_config = Bosh::Director::Api::CloudConfigManager.new.latest
-        task = @deployment_manager.create_deployment(current_user, manifest, latest_cloud_config, options)
+        latest_runtime_config = Bosh::Director::Api::RuntimeConfigManager.new.latest
+        task = @deployment_manager.create_deployment(current_user, manifest_file_path, latest_cloud_config, latest_runtime_config, deployment.name, options)
         redirect "/tasks/#{task.id}"
       end
 
@@ -42,7 +91,7 @@ module Bosh::Director
       put '/:deployment/jobs/:job/:index_or_id', :consumes => :yaml do
         validate_instance_index_or_id(params[:index_or_id])
 
-        instance = @instance_manager.find_by_name(params[:deployment], params[:job], params[:index_or_id])
+        instance = @instance_manager.find_by_name(deployment, params[:job], params[:index_or_id])
         index = instance.index
 
         options = {
@@ -56,16 +105,20 @@ module Bosh::Director
         }
         options['skip_drain'] = params[:job] if params['skip_drain'] == 'true'
 
-        deployment = @deployment_manager.find_by_name(params[:deployment])
-        manifest = (request.content_length.nil?  || request.content_length.to_i == 0) ? StringIO.new(deployment.manifest) : request.body
+        if (request.content_length.nil?  || request.content_length.to_i == 0)
+          manifest_file_path = prepare_yml_file(StringIO.new(deployment.manifest), 'deployment', true)
+        else
+          manifest_file_path = prepare_yml_file(request.body, 'deployment')
+        end
+
         latest_cloud_config = Bosh::Director::Api::CloudConfigManager.new.latest
-        task = @deployment_manager.create_deployment(current_user, manifest, latest_cloud_config, options)
+        latest_runtime_config = Bosh::Director::Api::RuntimeConfigManager.new.latest
+        task = @deployment_manager.create_deployment(current_user, manifest_file_path, latest_cloud_config, latest_runtime_config, deployment.name, options)
         redirect "/tasks/#{task.id}"
       end
 
       # GET /deployments/foo/jobs/dea/2/logs
       get '/:deployment/jobs/:job/:index_or_id/logs' do
-        deployment = params[:deployment]
         job = params[:job]
         index_or_id = params[:index_or_id]
 
@@ -79,17 +132,14 @@ module Bosh::Director
       end
 
       get '/:deployment/snapshots' do
-        deployment = @deployment_manager.find_by_name(params[:deployment])
         json_encode(@snapshot_manager.snapshots(deployment))
       end
 
       get '/:deployment/jobs/:job/:index/snapshots' do
-        deployment = @deployment_manager.find_by_name(params[:deployment])
         json_encode(@snapshot_manager.snapshots(deployment, params[:job], params[:index]))
       end
 
       post '/:deployment/snapshots' do
-        deployment = @deployment_manager.find_by_name(params[:deployment])
         # until we can tell the agent to flush and wait, all snapshots are considered dirty
         options = {clean: false}
 
@@ -98,16 +148,16 @@ module Bosh::Director
       end
 
       put '/:deployment/jobs/:job/:index_or_id/resurrection', consumes: :json do
-        payload = json_decode(request.body)
 
-        @resurrector_manager.set_pause_for_instance(params[:deployment], params[:job], params[:index_or_id], payload['resurrection_paused'])
+        payload = json_decode(request.body)
+        @resurrector_manager.set_pause_for_instance(deployment, params[:job], params[:index_or_id], payload['resurrection_paused'])
       end
 
       post '/:deployment/jobs/:job/:index_or_id/snapshots' do
         if params[:index_or_id].to_s =~ /^\d+$/
-          instance = @instance_manager.find_by_name(params[:deployment], params[:job], params[:index_or_id])
+          instance = @instance_manager.find_by_name(deployment, params[:job], params[:index_or_id])
         else
-          instance = @instance_manager.filter_by(uuid: params[:index_or_id]).first
+          instance = @instance_manager.filter_by(deployment, uuid: params[:index_or_id]).first
         end
         # until we can tell the agent to flush and wait, all snapshots are considered dirty
         options = {clean: false}
@@ -117,23 +167,22 @@ module Bosh::Director
       end
 
       delete '/:deployment/snapshots' do
-        deployment = @deployment_manager.find_by_name(params[:deployment])
-
         task = @snapshot_manager.delete_deployment_snapshots_task(current_user, deployment)
         redirect "/tasks/#{task.id}"
       end
 
       delete '/:deployment/snapshots/:cid' do
-        deployment = @deployment_manager.find_by_name(params[:deployment])
         @snapshot_manager.find_by_cid(deployment, params[:cid])
 
         task = @snapshot_manager.delete_snapshots_task(current_user, [params[:cid]])
         redirect "/tasks/#{task.id}"
       end
 
-      get '/', scope: :read do
+      get '/', authorization: :list_deployments do
         latest_cloud_config = Api::CloudConfigManager.new.latest
-        deployments = @deployment_manager.find_available(token_scopes).map do |deployment|
+        deployments = @deployment_manager.all_by_name_asc
+          .select { |deployment| @permission_authorizer.is_granted?(deployment, :read, token_scopes) }
+          .map do |deployment|
           cloud_config = if deployment.cloud_config.nil?
                          'none'
                        elsif deployment.cloud_config == latest_cloud_config
@@ -163,26 +212,33 @@ module Bosh::Director
         json_encode(deployments)
       end
 
-      get '/:name', scope: :read do
-        deployment = @deployment_manager.find_by_name(params[:name])
-        @deployment_manager.deployment_to_json(deployment)
+      get '/:deployment', authorization: :read do
+        Yajl::Encoder.encode({'manifest' => deployment.manifest})
       end
 
-      get '/:name/vms', scope: :read do
-        deployment = @deployment_manager.find_by_name(params[:name])
-
+      get '/:deployment/vms', authorization: :read do
         format = params[:format]
         if format == 'full'
-          task = @vm_state_manager.fetch_vm_state(current_user, deployment, format)
+          task = @instance_manager.fetch_instances_with_vm(current_user, deployment, format)
           redirect "/tasks/#{task.id}"
         else
-          @deployment_manager.deployment_instances_to_json(deployment)
+          instances = @deployment_manager.deployment_instances_with_vms(deployment)
+          Yajl::Encoder.encode(create_instances_response(instances))
         end
       end
 
-      delete '/:name' do
-        deployment = @deployment_manager.find_by_name(params[:name])
+      get '/:deployment/instances', authorization: :read do
+        format = params[:format]
+        if format == 'full'
+          task = @instance_manager.fetch_instances(current_user, deployment, format)
+          redirect "/tasks/#{task.id}"
+        else
+          instances = @instance_manager.find_instances_by_deployment(deployment)
+          Yajl::Encoder.encode(create_instances_response(instances))
+        end
+      end
 
+      delete '/:deployment' do
         options = {}
         options['force'] = true if params['force'] == 'true'
         options['keep_snapshots'] = true if params['keep_snapshots'] == 'true'
@@ -190,39 +246,39 @@ module Bosh::Director
         redirect "/tasks/#{task.id}"
       end
 
+      post '/:deployment/ssh', :consumes => [:json] do
+        payload = json_decode(request.body)
+        task = @instance_manager.ssh(current_user, deployment, payload)
+        redirect "/tasks/#{task.id}"
+      end
+
       # Property management
       get '/:deployment/properties' do
-        properties = @property_manager.get_properties(params[:deployment]).map do |property|
-          { 'name' => property.name, 'value' => property.value }
+        properties = @property_manager.get_properties(deployment).map do |property|
+          {'name' => property.name, 'value' => property.value}
         end
         json_encode(properties)
       end
 
       get '/:deployment/properties/:property' do
-        property = @property_manager.get_property(params[:deployment], params[:property])
+        property = @property_manager.get_property(deployment, params[:property])
         json_encode('value' => property.value)
       end
 
       post '/:deployment/properties', :consumes => [:json] do
         payload = json_decode(request.body)
-        @property_manager.create_property(params[:deployment], payload['name'], payload['value']  )
+        @property_manager.create_property(deployment, payload['name'], payload['value'])
         status(204)
       end
 
-      post '/:deployment/ssh', :consumes => [:json] do
-        payload = json_decode(request.body)
-        task = @instance_manager.ssh(current_user, payload)
-        redirect "/tasks/#{task.id}"
-      end
-
       put '/:deployment/properties/:property', :consumes => [:json] do
         payload = json_decode(request.body)
-        @property_manager.update_property(params[:deployment], params[:property], payload['value'])
+        @property_manager.update_property(deployment, params[:property], payload['value'])
         status(204)
       end
 
       delete '/:deployment/properties/:property' do
-        @property_manager.delete_property(params[:deployment], params[:property])
+        @property_manager.delete_property(deployment, params[:property])
         status(204)
       end
 
@@ -230,12 +286,12 @@ module Bosh::Director
 
       # Initiate deployment scan
       post '/:deployment/scans' do
-        start_task { @problem_manager.perform_scan(current_user, params[:deployment]) }
+        start_task { @problem_manager.perform_scan(current_user, deployment) }
       end
 
       # Get the list of problems for a particular deployment
       get '/:deployment/problems' do
-        problems = @problem_manager.get_problems(params[:deployment]).map do |problem|
+        problems = @problem_manager.get_problems(deployment).map do |problem|
           {
             'id' => problem.id,
             'type' => problem.type,
@@ -250,84 +306,104 @@ module Bosh::Director
 
       put '/:deployment/problems', :consumes => [:json] do
         payload = json_decode(request.body)
-        start_task { @problem_manager.apply_resolutions(current_user, params[:deployment], payload['resolutions']) }
+        start_task { @problem_manager.apply_resolutions(current_user, deployment, payload['resolutions']) }
       end
 
       put '/:deployment/scan_and_fix', :consumes => :json do
         jobs_json = json_decode(request.body)['jobs']
         payload = convert_job_instance_hash(jobs_json)
-
-        deployment = @deployment_manager.find_by_name(params[:deployment])
         if deployment_has_instance_to_resurrect?(deployment)
-          start_task { @problem_manager.scan_and_fix(current_user, params[:deployment], payload) }
+          start_task { @problem_manager.scan_and_fix(current_user, deployment, payload) }
         end
       end
 
-      post '/', :consumes => :yaml do
+      post '/', authorization: :create_deployment, :consumes => :yaml do
+        manifest_file_path = prepare_yml_file(request.body, 'deployment')
+
         options = {}
         options['recreate'] = true if params['recreate'] == 'true'
         options['skip_drain'] = params['skip_drain'] if params['skip_drain']
+        options.merge!('scopes' => token_scopes)
+
         if params['context']
           @logger.debug("Deploying with context #{params['context']}")
           context = JSON.parse(params['context'])
           cloud_config = Api::CloudConfigManager.new.find_by_id(context['cloud_config_id'])
+          runtime_config = Api::RuntimeConfigManager.new.find_by_id(context['runtime_config_id'])
         else
           cloud_config = Api::CloudConfigManager.new.latest
+          runtime_config = Api::RuntimeConfigManager.new.latest
         end
 
-        options.merge!('scopes' => token_scopes)
-        task = @deployment_manager.create_deployment(current_user, request.body, cloud_config, options)
+        deployment = Psych.load(File.read(manifest_file_path), manifest_file_path)
+
+        if deployment
+          deployment_name = deployment['name']
+          if deployment_name
+            @deployments_repo.find_or_create_by_name(deployment_name, options)
+          end
+        end
+
+        task = @deployment_manager.create_deployment(current_user, manifest_file_path, cloud_config, runtime_config, deployment_name, options)
+
         redirect "/tasks/#{task.id}"
       end
 
-      post '/:deployment/diff', :consumes => :yaml do
-        deployment = Models::Deployment[name: params[:deployment]]
+      post '/:deployment/diff', authorization: :diff, :consumes => :yaml do
+        manifest_text = request.body.read
+        validate_manifest_yml(manifest_text)
+
         if deployment
-          before_manifest = Manifest.load_from_text(deployment.manifest, deployment.cloud_config)
+          before_manifest = Manifest.load_from_text(deployment.manifest, deployment.cloud_config, deployment.runtime_config)
           before_manifest.resolve_aliases
         else
-          before_manifest = Manifest.load_from_text(nil, nil)
+          before_manifest = Manifest.load_from_text(nil, nil, nil)
         end
 
         after_cloud_config = Bosh::Director::Api::CloudConfigManager.new.latest
+        after_runtime_config = Bosh::Director::Api::RuntimeConfigManager.new.latest
         after_manifest = Manifest.load_from_text(
-          request.body,
-          after_cloud_config
+          manifest_text,
+          after_cloud_config,
+          after_runtime_config
         )
         after_manifest.resolve_aliases
 
-        diff = before_manifest.diff(after_manifest)
+        redact =  params['redact'] != 'false'
+
+        diff = before_manifest.diff(after_manifest, redact)
 
         json_encode({
-          'context' => {
-            'cloud_config_id' => after_cloud_config ? after_cloud_config.id : nil,
-          },
-          'diff' => diff.map { |l| [l.to_s, l.status] }
-        })
+            'context' => {
+              'cloud_config_id' => after_cloud_config ? after_cloud_config.id : nil,
+              'runtime_config_id' => after_runtime_config ? after_runtime_config.id : nil
+            },
+            'diff' => diff.map { |l| [l.to_s, l.status] }
+          })
       end
 
-      post '/:deployment_name/errands/:errand_name/runs' do
-        deployment_name = params[:deployment_name]
+      post '/:deployment/errands/:errand_name/runs' do
         errand_name = params[:errand_name]
         keep_alive = json_decode(request.body)['keep-alive'] || FALSE
 
         task = JobQueue.new.enqueue(
           current_user,
           Jobs::RunErrand,
-          "run errand #{errand_name} from deployment #{deployment_name}",
-          [deployment_name, errand_name, keep_alive],
+          "run errand #{errand_name} from deployment #{deployment.name}",
+          [deployment.name, errand_name, keep_alive],
+          deployment.name
         )
 
         redirect "/tasks/#{task.id}"
       end
 
-      get '/:deployment_name/errands', scope: :read do
+      get '/:deployment/errands', authorization: :read do
         deployment_plan = load_deployment_plan
 
-        errands = deployment_plan.jobs.select(&:can_run_as_errand?)
+        errands = deployment_plan.jobs.select(&:is_errand?)
 
         errand_data = errands.map do |errand|
-          { "name" => errand.name }
+          {"name" => errand.name}
         end
 
         json_encode(errand_data)
@@ -335,11 +411,11 @@ module Bosh::Director
 
       private
 
-      def load_deployment_plan
-        deployment_model = @deployment_manager.find_by_name(params[:deployment_name])
+      attr_accessor :deployment
 
+      def load_deployment_plan
         planner_factory = Bosh::Director::DeploymentPlan::PlannerFactory.create(Config.logger)
-        planner_factory.create_from_model(deployment_model)
+        planner_factory.create_from_model(deployment)
       end
 
       def convert_job_instance_hash(hash)
@@ -351,11 +427,7 @@ module Bosh::Director
 
       def deployment_has_instance_to_resurrect?(deployment)
         false if deployment.nil?
-        filter = {
-          deployment_id: deployment.id,
-          resurrection_paused: false
-        }
-        instances = @instance_manager.filter_by(filter)
+        instances = @instance_manager.filter_by(deployment, resurrection_paused: false)
         instances.any?
       end
 
@@ -368,6 +440,18 @@ module Bosh::Director
           end
         end
       end
+
+      def create_instances_response(instances)
+        instances.map do |instance|
+          {
+              'agent_id' => instance.agent_id,
+              'cid' => instance.vm_cid,
+              'job' => instance.job,
+              'index' => instance.index,
+              'id' => instance.uuid
+          }
+        end
+      end
     end
   end
 end