[Freeipa-devel] "Commit comments log" functionality in IPA
Dmitri Pal
dpal at redhat.com
Thu Nov 6 22:53:20 UTC 2008
Summary:
1) We all agree that:
a) Providing commit comments is a valuable feature for users of IPA
b) We can't force (and should not) the user to put some meaningful
data in such comments. This is the responsibility of the corporate
policy - not software.
c) It should be flexible so that only in the cases when the
corporate policy requires that kind of comment it would be enforced.
Otherwise it should be optional or even hidden to avoid annoying
administrator of the system.
2) We disagree mainly on where this data should be stored. The main
point is whether it belongs in DS or not.
a) The argument to not put it in DS is that this data does not belong
there. It is perceived as a log and thus should be stored in the audit
system.
b) Other arguments include the fact that we should avoid developing
unnecessary DS plugins until there is absolute need because the bugs in
plugins can bring the whole server down.
c) This data is not critical for the functioning of the server, so it should
not be in DS, etc.
The argument for storing in DS is:
a) There is no other place to store it. The audit system will not be robust
enough soon enough to fit the bill (especially for real-time lookups)
b) Many other features require plugins, so what is the big deal about one more?
c) The amount of work (maybe erroneously) is perceived as smaller than
with other alternatives. I will not explore that more. One can read
the thread.
d) There are already similar things in the DS that do things in pretty
much the same way
e) The DS experts do not see a big issue with the approach and see a
value down the road
f) The company policies might require that changes to critical
objects be commented. Without this feature and a DS plugin this can't be
enforced. If it is done in the UI or CLI the admin might circumvent it by
using LDAP calls directly. So DS is the only common denominator.
I strongly believe that based on the last reason it should be done in DS
plugin and only there. It can be done in different ways though.
For example one could suggest that the DS plugin can just require the
comment to be inserted on each add/modify of an object and save it to a
log file that then can be processed by the audit system.
We can do this, but if we agree that a DS plugin is inevitable anyway then
I would rather do the plugin that I originally proposed, since it would
have more value for DS in the future. If it is deemed to be more complex than
expected we can always fall back to logging to a file from the plugin.
Seems like a compromise to me :-)
Thanks
Dmitri
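The enforcement argument in point f) and the fallback in the last paragraphs (require the comment at the server, write it to a log the audit system can process) can be illustrated with a small simulation. The code below is an added example, not code from the thread or from the IPA/389 DS plugin API: a constructed pre-operation hook that runs for every modify request regardless of which client (UI, CLI, raw ldapmodify) submitted it, rejects changes to subtrees the policy marks as critical when no comment is supplied, leaves other objects optional, and appends a line to an in-memory stand-in for the audit log. The request shape, the policy subtrees (`cn=sudo,`, `cn=hbac,`) and the log format are assumptions made for the illustration.

```python
"""Constructed simulation of server-side commit-comment enforcement.

This is NOT the 389 DS / IPA plugin API. ModifyRequest, CommentPolicy and the
JSON audit lines are assumptions chosen to illustrate the design point: a check
that lives in the directory server cannot be bypassed by talking LDAP directly.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ModifyRequest:
    dn: str
    changes: Dict[str, str]            # attribute -> new value (assumed shape)
    comment: Optional[str] = None      # commit comment carried with the request
    client: str = "ldapmodify"         # who submitted it: ui, cli, ldapmodify ...


@dataclass
class CommentPolicy:
    """Subtrees whose objects require a comment; elsewhere it stays optional."""
    required_under: Tuple[str, ...] = ("cn=sudo,", "cn=hbac,")
    min_length: int = 1


class PolicyViolation(Exception):
    """Raised when a modify of a critical object carries no usable comment."""


def comment_required(dn: str, policy: CommentPolicy) -> bool:
    """Case-insensitive check of whether the DN sits under a policed subtree."""
    dn_lc = dn.lower()
    return any(marker in dn_lc for marker in policy.required_under)


def preop_check(req: ModifyRequest, policy: CommentPolicy,
                audit_log: List[str]) -> bool:
    """Server-side pre-operation hook.

    Runs for every client, so enforcing here closes the gap left by UI/CLI
    checks. Returns True when the modify may proceed, raises PolicyViolation
    otherwise, and records the change (with or without a comment) in
    audit_log, which stands in for the file the plugin would append to.
    """
    comment = (req.comment or "").strip()
    if comment_required(req.dn, policy) and len(comment) < policy.min_length:
        raise PolicyViolation(f"commit comment required for {req.dn}")
    audit_log.append(json.dumps({
        "dn": req.dn,
        "client": req.client,
        "changes": sorted(req.changes),
        "comment": comment or None,
    }))
    return True


if __name__ == "__main__":
    log: List[str] = []
    policy = CommentPolicy()
    # Constructed sample traffic: one bypass attempt via raw LDAP, one proper change.
    try:
        preop_check(ModifyRequest("cn=admins,cn=sudo,dc=example,dc=com",
                                  {"memberUser": "bob"}), policy, log)
    except PolicyViolation as exc:
        print("rejected:", exc)
    preop_check(ModifyRequest("cn=admins,cn=sudo,dc=example,dc=com",
                              {"memberUser": "bob"}, comment="CHG-42",
                              client="ui"), policy, log)
    preop_check(ModifyRequest("uid=alice,cn=users,dc=example,dc=com",
                              {"mail": "alice@example.com"}), policy, log)
    for line in log:
        print(line)
```

The point of the layout is that `preop_check` is the single place the rule lives: the UI and CLI can prompt for the comment and pass it along, but a client that skips the prompt gets the same rejection, and every accepted change lands in the log as a line the audit system can ingest later.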