[Freeipa-devel] XML-RPC API: update_*
John Dennis
jdennis at redhat.com
Tue Dec 11 21:02:33 UTC 2007
Rob Crittenden wrote:
> John Dennis wrote:
>> Don't all the problems and issues go away if the API for modification
>> took add, modify and delete parameters? That seems easier, cleaner,
>> and more efficient. I'm pretty sure most callers will easily know
>> whether they've added, modified, or deleted an attribute. If for some
>> reason they don't have that knowledge we could provide a helper
>> utility to compute it, but I doubt that would be needed in most cases.
>>
>
> The reasoning is that it saves a lot of round-trips. Each XML-RPC
> request requires:
>
> 1. An SSL connection
> 2. A kerberos authentication
> 3. One or more LDAP connections
> 3.1 A kerberos auth
> 3.2 The LDAP operation
I wasn't suggesting separate calls for add, modify and delete. Rather
one call that takes add, modify and delete parameters. That means it's
the same round-trip overhead, but without the baggage of having to
manage before and after attribute dictionaries.
Question: Are we exposing the generateModList API in the python ldap
module because we concluded it is the optimal and most sensible API for
us or because it happened to be there and now we're trying to force
everything to operate that way and in the process introducing
inefficiency, complexity and special case scenarios?
If one wants to use the generateModList API in the python ldap module
(not a requirement) then I'm not sure what is being gained by not
passing the before dictionary other than a marginal reduction in the
size of the transport during update and a marginal reduction in client
memory usage to store both dictionaries, one still pays all the
round-trip costs you enumerate above. The client still has to start with
a call to query the current dictionary. If you don't have the current
dictionary I don't see how you would robustly implement the semantics of
delete. The reasoning goes like this, if the client fails to set any
attributes in the new dictionary, a likely scenario if he never queried
the current dictionary and thus does not know what the current
attributes are, then on the server the missing attribute in the new
dictionary will be interpreted as a delete operation on that attribute.
Ouch, that's not what was expected. Thus to be robust one has to have
both dictionaries, so what's the advantage? Explicitly passing what is
being added, modified, and deleted gets you out of the whole mess. Note,
add and modify could be collapsed into one parameter for greater
simplicity. But delete must be handled separately. Note delete is
fundamentally different from add/modify because add/modify pairs the
attribute with a value, but delete specifies only the attribute.
Maybe we should pop up a level and ask if generateModList is the optimal
API. I'm not convinced it is, it adds a lot of baggage and complexity
we're now trying to find ways to eliminate.
Also note at least one round trip can be completely eliminated if we
don't use generateModList, that alone is a significant performance win.
--
John Dennis <jdennis at redhat.com>
More information about the Freeipa-devel
mailing list