[Freeipa-devel] "Commit comments log" functionality in IPA

Sumit Bose sbose at redhat.com
Fri Nov 7 09:35:36 UTC 2008


Hi,

here are my 0.02$

- for the policies it would be possible to have the commit comments
inside the XML file, like
<commit><comment>...</comment><comment>...</comment></commit>.

- although I have not made up my mind if I like the idea of storing the
commit comments in the DS or not, I would suggest to think about storing
the data not in a multi value attribute of the object, but in child
objects with their own objectclass. Then you can store who and when and
what into specific attributes where it would be easy to search or select
specific data.

bye,
Sumit

Dmitri Pal wrote:
> Summary:
> 1) We all agree that:
>    a) Providing commit comments is a valuable feature for users of the IPA
>    b) We can't force (and should not) the user to put some meaningful
> data in such comments. This is the responsibility of the corporate
> policy - not software.
>    c) It should be flexible so that only in the cases when the corporate
> policy requires that kind of comment it would be enforced. Otherwise it
> should be optional or even hidden to avoid annoying the administrator of the
> system.
>  
> 2) We disagree mainly on the mean where this data should be stored. Main
> point is does it belong to DS or not.
> 
> a) The argument to not put it in DS is that this data does not belong
> there. It is perceived as a log and thus should be stored in the audit
> system.
> b) Other arguments include the fact that we should avoid developing
> unnecessary DS plugins until there is absolute need because the bugs in
> plugins can bring the whole server down.
> c) This data is not critical for functioning of the server so should not
> be in DS etc.
> 
> The argument for storing in DS is:
> a) There is no other place to store it. Audit system will not be robust
> enough soon enough to fit the bill (especially real time lookups)
> b) Many other features require plugins so what is the big deal about one more
> c) The amount of work (may be erroneously is perceived as smaller than
> using other alternatives). I will not explore that more. One can read
> the thread.
> d) There are already similar things in the DS that do things
> in pretty much the same way
> e) The DS experts do not see a big issue with the approach and see a
> value down the road
> f) The company policies might require that the changes to the critical
> object be commented. Without this feature and DS plugin this can't be
> enforced. If it is done in UI or CLI the admin might circumvent it by
> using ldap calls directly. So DS is the only common denominator.
> I strongly believe that based on the last reason it should be done in DS
> plugin and only there. It can be done in different ways though.
> For example one could suggest that the DS plugin can just require the
> comment to be inserted on each add/modify of an object and save it to a
> log file that then can be processed by the audit system.
> We can do this but if we agree that DS plugin is anyway inevitable then
> I would rather do a plugin that I originally proposed since it would
> have more value for DS in future. If it deems to be more complex than
> expected we can always fall back to the logging to file from the plugin. 
> Seems like a compromise to me :-)
> 
> Thanks
> Dmitri
>  




