[Freeipa-devel] "Commit comments log" functionality in IPA

John Dennis jdennis at redhat.com
Fri Nov 7 00:08:18 UTC 2008


Dmitri Pal wrote:
> The argument for storing in DS is:
> a) There is no other place to store it.

Nonsense, there are many other good places, but see my comment below.
> f) The company policies might require that the changes to the critical 
> object be commented. Without this feature and DS plugin this can't be 
> enforced. If it is done in UI or CLI the admin might circumvent it by 
> using ldap calls directly. So DS is the only common denominator.
> I strongly believe that based on the last reason it should be done in 
> DS plugin and only there. It can be done in different ways though.
I wrote an email earlier about how we have conceptual impedance 
illustrated with Aesop's fable about the 5 Blind Men and the Elephant. 
I elected not to send it. But I want to point something out which 
has been worrying me: we might be locking ourselves into a series of bad 
design decisions.

The problem goes like this: We've put DS at the center of the IPA 
universe. We've built an entire management system on top of it which we 
then say is completely optional to use, it's just sugar, feel free to reach 
inside and use ldapmodify and do whatever you want behind our backs. 
Because we've deliberately picked one data store and provided a wide 
open back door to it we constantly find ourselves in the situation of 
having to enforce our business logic inside that data store. Perhaps I'm 
the only one, but that strikes me as crazy and it won't scale. IPA is 
going to keep growing features; for goodness' sake, not everything can nor 
should be implemented in the directory server. I think we would be 
better off to say our XMLRPC server is what implements IPA 
functionality, we provide multiple ways to interact with it, it 
implements all our business logic, it is a heavy user of LDAP but NOT AN 
EXCLUSIVE user of LDAP. You're free to use the ldapmodify backdoor if 
you want but that comes with all the caveats about backdoor out-of-band 
updates. To be a good IPA citizen use the IPA interfaces.
> We can do this but if we agree that DS plugin is anyway inevitable ...
No! Endless DS plugins are not inevitable. They are only inevitable if 
you buy into a flawed model which says everything in IPA needs to be 
implemented in DS.

LDAP makes a lot of sense for what IPA does with the "I" of IPA, but 
let's have the freedom to use other tools and technologies for the 
remainder. If you do buy into the fact we need more flexibility then 
there has to be a "central agent" which interacts with all the 
components and enforces business logic (I am not convinced that central 
agent can or should be an LDAP server).

With this in mind capturing comments becomes trivial. Use the IPA 
interface to make the change, it optionally captures the comment. IPA 
then updates DS and every other relevant component AND enforces the 
integrity of our business logic. IPA generates an ID for the entire set 
of operations it performed (e.g. a transaction), IPA then writes the 
comment tagged with the ID wherever it wants to. When we need to present 
the comment to a user the GUI, command line tool, or whatever calls the 
defined IPA interface (e.g. XMLRPC), which retrieves the comment from 
wherever the heck it wants to (in v2 it might be a file, in v3 it might 
be a database).

You only need to store everything in DS and enforce all business logic 
in DS if you believe ldapmodify is the one true IPA interface (which 
IMHO is driving us to make bad design decisions).

BTW, if someone uses ldapmodify IPA can still identify when and how the 
change occurred because it will be in an audit log of DS modifications.

-- 
John Dennis <jdennis at redhat.com>
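The "central agent" model John sketches above (the IPA interface enforces the comment, tags the set of directory operations with a transaction ID, stores the comment outside DS, and out-of-band ldapmodify edits are still visible in the DS audit log) as an added illustration; this is not FreeIPA code. The `CentralAgent` class, the `ipaTxnId` attribute, and the audit-record shape are all assumptions made up for the example, and the directory is an in-memory dict standing in for DS.

```python
import uuid


class CentralAgent:
    """Hypothetical central agent (the XMLRPC layer in the mail's model).
    All supported writes go through modify(): it refuses changes without a
    comment, tags the entry with a transaction id, and keeps the comment in
    its own store (a dict here; could be a file or a database) keyed by id."""

    def __init__(self, directory):
        self.directory = directory   # dn -> attrs; constructed stand-in for DS
        self.comment_log = {}        # txn_id -> (dn, mods, comment)

    def modify(self, dn, mods, comment):
        # Business logic enforced here, not in a DS plugin.
        if not comment or not comment.strip():
            raise ValueError("a change comment is required for %s" % dn)
        txn_id = uuid.uuid4().hex    # one id for the whole set of operations
        entry = self.directory.setdefault(dn, {})
        entry.update(mods)
        entry["ipaTxnId"] = txn_id   # hypothetical attribute linking entry to comment
        self.comment_log[txn_id] = (dn, dict(mods), comment.strip())
        return txn_id

    def comment_for(self, txn_id):
        return self.comment_log[txn_id][2]


def out_of_band_changes(audit_records, agent):
    """Correlate DS audit-log records (constructed: dicts with the dn, the
    attrs written and the ipaTxnId the write carried, if any) against the
    agent's comment log. A record with no txn id, or one the agent never
    issued, was made behind the agent's back (plain ldapmodify) and has no
    comment; that is what a reviewer would flag."""
    return [r for r in audit_records
            if r.get("ipaTxnId") not in agent.comment_log]


def demo():
    """Constructed scenario: one change via the agent, one via ldapmodify."""
    agent = CentralAgent({})
    alice = "uid=alice,cn=users,dc=example,dc=com"
    txn = agent.modify(alice, {"loginShell": "/bin/zsh"}, "ticket 42: shell")
    audit = [  # constructed DS audit-log records
        {"dn": alice, "attrs": {"loginShell": "/bin/zsh"}, "ipaTxnId": txn},
        {"dn": "uid=bob,cn=users,dc=example,dc=com",
         "attrs": {"loginShell": "/bin/sh"}},   # no txn id: bypassed the agent
    ]
    return agent, txn, out_of_band_changes(audit, agent)
```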
