[Freeipa-devel] "Commit comments log" functionality in IPA

Dmitri Pal dpal at redhat.com
Thu Nov 6 22:53:20 UTC 2008


Summary:
1) We all agree that:
    a) Providing commit comments is a valuable feature for users of IPA
    b) We can't force (and should not) the user to put some meaningful 
data in such comments. This is the responsibility of the corporate 
policy - not software.
    c) It should be flexible so that only in the cases when the 
corporate policy requires that kind of comment it would be enforced. 
Otherwise it should be optional or even hidden to avoid annoying the 
administrator of the system.

2) We disagree mainly on the means by which this data should be stored. The main 
point is whether it belongs in DS or not.

a) The argument to not put it in DS is that this data does not belong 
there. It is perceived as a log and thus should be stored in the audit 
system.
b) Other arguments include the fact that we should avoid developing 
unnecessary DS plugins until there is absolute need because the bugs in 
plugins can bring the whole server down.
c) This data is not critical for functioning of the server so should not 
be in DS etc.

The argument for storing in DS is:
a) There is no other place to store it. Audit system will not be robust 
enough soon enough to fit the bill (especially real time lookups)
b) Many other features require plugins, so what is the big deal about one more
c) The amount of work (maybe erroneously) is perceived as smaller than 
with other alternatives. I will not explore that more. One can read 
the thread. 
d) There are already similar things in the DS that do things in pretty 
much the same way
e) The DS experts do not see a big issue with the approach and see a 
value down the road
f) The company policies might require that the changes to the critical 
object be commented. Without this feature and DS plugin this can't be 
enforced. If it is done in UI or CLI the admin might circumvent it by 
using ldap calls directly. So DS is the only common denominator.
I strongly believe that based on the last reason it should be done in DS 
plugin and only there. It can be done in different ways though.
For example one could suggest that the DS plugin can just require the 
comment to be inserted on each add/modify of an object and save it to a 
log file that then can be processed by the audit system.
We can do this but if we agree that DS plugin is anyway inevitable then 
I would rather do a plugin that I originally proposed since it would 
have more value for DS in future. If it is deemed to be more complex than 
expected we can always fall back to the logging to file from the plugin.  

Seems like a compromise to me :-)

Thanks
Dmitri