[Freeipa-devel] New replica installation and topology - we need stable base

Simo Sorce ssorce at redhat.com
Wed May 27 15:10:10 UTC 2015


On Wed, 2015-05-27 at 16:59 +0200, Martin Kosek wrote:
> Hello all,
> 
> As FreeIPA 4.2 deadlines are approaching us slowly, there is a concern that not
> all of the new replica install way (replication-package-less) based on Custodia
> would be done and finished in time.
> 
> There will be certainly a lot of integration hurdles, in making sure that the
> installed replica can ask for all needed secrets and that the server can
> provide them and ensure proper encryption.

The encryption part is not a concern, but proper integration of all
these interconnected and inter-dependent components is.

> My question is - if we postpone the new replica promotion way & Custodia, what is
> needed to make FreeIPA 4.2 replica installation and topology management
> GA-ready and finished?
> 
> This is the status of related functions, as I see it:
> 
> Domain Levels
> - Done, committed
> - Defaults to Level 1, i.e. Topology plugin powered infra enabled

This default is only for a *new* domain, right?
If you join a replica it should not automatically enable topology.

> Topology plugin
> - We have the base plugin and its installation pushed
> - There is a critical bug that needs to be solved - #5035
> - API & UI is in the works (Petr Vobornik). We already committed the new server-*
> commands used there. Overall, AFAIU the API should be mostly functionally complete
> - Plugin is enabled during installation, but we still use the simple auth with
> DM password during the replica creation process. I think we planned to use GSSAPI,
> no? Is anything else needed in the replica creation process, except fixing #5035?
> 
> Given this summary, if we forget about the Custodia parts for a moment, it
> seems to me that the new Topology is almost functionally complete and we only
> miss the management API. Is that correct, or do we miss some bigger piece?
> 
> I am for example not sure if the "IPA masters" hostgroup is needed for Topology
> work without Custodia, I think Ludwig used some other group for authorization
> purposes in Topology.

The hostgroup is needed regardless of Custodia, IIRC.

Simo.