4.7 KiB
4.7 KiB
[DEF:ADR-0003:ADR]
@STATUS ACTIVE
@PURPOSE Definitively establish ss-tools as a standalone orchestrator service operating above Apache Superset environments rather than integrating into them. This is a repo‑shaping architectural decision that governs deployment topology, security boundary, release cycle independence, and technology stack freedom.
@RELATION DEPENDS_ON -> [ADR-0001:ADR]
@RELATION CALLS -> [ADR-0004:ADR]
@RELATION CALLS -> [ADR-0005:ADR]
@RATIONALE The core value proposition of ss-tools is multi‑environment orchestration: moving dashboards, datasets, and configurations between independent Superset instances (Dev → Stage → Prod). Embedding this logic inside any single Superset instance would immediately create a "master controller" dependency — if that instance fails, all environment management is lost. An external orchestrator treats all Superset instances as equal endpoints.
@RATIONALE Technology stack mismatch is irreversible: Superset uses Flask + React, ss-tools uses FastAPI + SvelteKit. Integration would require rewriting the entire Svelte frontend into React components and refactoring FastAPI dependency injection into Flask-AppBuilder patterns — a multi‑month effort with zero business value and high regression risk.
@RATIONALE Release cycle independence is non‑negotiable: Superset has a slow, complex release cadence. ss-tools must ship LLM plugins, Git integrations, and backup features on its own schedule without waiting for upstream Superset releases or maintaining a fork with perpetual merge conflicts.
@RATIONALE Security isolation: ss-tools manages DevOps privileges (deployment, backup, migration) while Superset manages BI privileges (data viewing, chart creation). Mixing these in one system expands the blast radius of any security incident.
@REJECTED Integration as a Superset plugin/extension — rejected for the four reasons above (orchestrator topology break, 100% frontend rewrite, Superset release cycle coupling, privilege boundary collapse).
@REJECTED Superset fork with ss-tools baked in — rejected because maintaining a fork requires rebase on every Superset release, creating perpetual merge conflicts and making security patch adoption dangerously slow.
@REJECTED Shared database with Superset — rejected because it couples ss-tools migrations to Superset's Alembic migration chain, preventing independent schema evolution and creating a single point of failure for both systems.
Decision
ss-tools operates as a standalone orchestrator microservice with these defined boundaries:
Deployment Topology
┌─────────────┐
│ ss-tools │ ← FastAPI + SvelteKit
│ PostgreSQL │ ← Own database
└──────┬──────┘
│ REST API calls
┌───────────────┼───────────────┐
▼ ▼ ▼
┌──────────┐ ┌──────────┐ ┌──────────┐
│Superset │ │Superset │ │Superset │
│ (Dev) │ │ (Stage) │ │ (Prod) │
└──────────┘ └──────────┘ └──────────┘
Key Architectural Properties
| Property | Decision |
|---|---|
| Topology | External orchestrator above all Superset instances |
| Communication | Superset REST API (bearer token auth per environment) |
| Database | Dedicated PostgreSQL 16 instance (not Superset metadata DB) |
| Frontend | SvelteKit SPA (not integrated into Superset UI) |
| Release cadence | Independent Docker image releases |
| Auth | Own RBAC system with optional ADFS SSO (see ADR-0005) |
| Plugins | Own plugin lifecycle (see ADR-0004) |
Consequences
- Positive: Fast independent development, modern stack, no Superset coupling, clear security boundary.
- Negative: Users have two separate UIs (Superset for BI, ss-tools for DevOps). Mitigated by consistent UX design and cross‑linking.
- Risk: API compatibility if Superset changes its REST API. Mitigated by versioned API client with automated compatibility tests.
Migration from Existing Document
This ADR supersedes and formalizes docs/architecture_decision_superset_migration.md. The original document contained the same recommendation and rationale but lacked the [DEF:id:ADR] contract structure, making it invisible to the semantic index and decision‑memory audit chain.