[Freeipa-devel] [DESIGN] Server Roles

Martin Babinsky mbabinsk at redhat.com
Fri Mar 18 09:47:01 UTC 2016


On 03/18/2016 10:21 AM, Martin Kosek wrote:
> On 03/17/2016 06:16 PM, Martin Babinsky wrote:
>> Hi list,
>>
>> here is a link (http://www.freeipa.org/page/V4/Server_Roles) to WIP design
>> document concerning the concept of Server Roles as a user-friendly abstraction
>> of the services running on IPA masters.
>>
>> The main aim of this feature is to provide a higher level interface to query
>> and manipulate service-related information stored in dirsrv backend.
>>
>> I have not touched the design much from the post-Devconf session, mainly
>> because there are some points to clarify and agree upon.
>
> Initial thoughts:
>
> * Use Cases: these are rather vague points what you want to implement. In Use
> Case section, I would like to see what specific *user* use cases you are
> addressing, i.e. what user problems you are solving. Ideally in a form of a
> user story. Like here:
>
> http://www.freeipa.org/page/V4/User_Life-Cycle_Management#Use_Cases
> or here:
> http://www.freeipa.org/page/V4/Authentication_Indicators#Use_Cases
> or here:
> http://www.freeipa.org/page/V4/External_trust_to_AD#Use_Cases
>
Ok I will think of some clearer points.

>> I have the following points to discuss:
>>
>> 1.) the design assumes that there is a distinction between roles such as DNS
>> server, CA, etc. and the more specific sub-roles such as DNSSec key master, CRL
>> master, etc. Now in the hindsight I think this distinction is quite artificial
>> and just clutters the interface unnecessarily. We might implement this kind of
>> hierarchy in the code itself but that is something the user needs not be aware of.
>
> Well, there are dependencies. A server cannot be a CRL master without also
> being a CA role. I assume same applies to DNSSEC master.
>
> I think we need to think more about distinguishing what is role, what is just
> an attribute of a role, etc. AD for example distinguishes roles, role service
> and features:
>
> https://technet.microsoft.com/en-us/library/cc754923.aspx
>
We will have to implement the role/subrole/unicorn hierarchy anyhow. 
What I would like to discuss is whether it is necessary to expose this 
hierarchy to the users. Consider a case when user wants to find which 
server is a CA renewal master:

ipa server-role-find "CA renewal master"

vs.

ipa server-role-find --subrole "Renewal master"

Behind the scenes, the code has to do the same thing (e.g. issue a 
search using 
(&(cn=CA)(ipaConfigString=enabledService)(ipaConfigString=caRenewalMaster))), 
but the UX is a bit different.

> Martin
>


-- 
Martin^3 Babinsky
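
As an added illustration of the point made above about the two CLI forms mapping onto the same directory search (this is example code written for this archive page, not FreeIPA's own implementation), the script below resolves either a flat role name such as "CA renewal master" or a role/sub-role pair to an LDAP filter, then runs that filter against a few constructed `cn=masters` entries with a minimal RFC 4515 filter evaluator. The `CA`/`caRenewalMaster` pair is taken from the message; the `DNSSEC`/`DNSKeyMaster` marker, the role table, the `find_servers` helper and all entries are assumptions made for the example. One thing the example makes visible that the prose only implies: because the filter always requires the parent service entry with `ipaConfigString=enabledService`, a sub-role can never match on a server where the parent role is not enabled, which is the dependency Martin Kosek raises regardless of whether the hierarchy is exposed in the UX.

```python
"""Resolve IPA server role names to LDAP filters and evaluate them offline.

Example code for illustration; not FreeIPA's implementation.  The role
table, the DNSSEC marker value and the sample entries are assumptions.
"""
from typing import Dict, List, Optional, Tuple

# (service cn, sub-role name) -> ipaConfigString value marking that sub-role.
# The CA/caRenewalMaster pair comes from the thread; DNSKeyMaster is assumed.
SUBROLES: Dict[Tuple[str, str], str] = {
    ("CA", "Renewal master"): "caRenewalMaster",
    ("DNSSEC", "Key master"): "DNSKeyMaster",  # assumed value
}

# Flat, user-facing names (`ipa server-role-find "CA renewal master"`)
# mapped onto the (role, sub-role) pair.  Assumed mapping.
FLAT_NAMES: Dict[str, Tuple[str, str]] = {
    "CA renewal master": ("CA", "Renewal master"),
    "DNSSEC key master": ("DNSSEC", "Key master"),
}


def role_filter(role: str, subrole: Optional[str] = None) -> str:
    """Build the filter for a role, or a sub-role, search under cn=masters.

    The parent service must be enabled in every case, so the sub-role
    dependency is enforced by the search itself, not by the CLI layer.
    """
    parts = [f"(cn={role})", "(ipaConfigString=enabledService)"]
    if subrole is not None:
        try:
            marker = SUBROLES[(role, subrole)]
        except KeyError:
            raise ValueError(f"{subrole!r} is not a sub-role of {role!r}") from None
        parts.append(f"(ipaConfigString={marker})")
    return "(&" + "".join(parts) + ")"


def flat_filter(name: str) -> str:
    """The `server-role-find "CA renewal master"` form: same filter, flat name."""
    role, subrole = FLAT_NAMES[name]
    return role_filter(role, subrole)


def parse_filter(text: str):
    """Parse the (&(a=b)(c=d)) / (a=b) subset of RFC 4515 into a tree."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at {pos}")
        pos += 1
        if text[pos] == "&":
            pos += 1
            children = []
            while text[pos] != ")":
                children.append(node())
            pos += 1
            return ("and", children)
        end = text.index(")", pos)
        attr, value = text[pos:end].split("=", 1)
        pos = end + 1
        return ("eq", attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(tree, entry: Dict[str, object]) -> bool:
    """Evaluate a parsed filter; values compare case-insensitively as cn does."""
    if tree[0] == "and":
        return all(matches(child, entry) for child in tree[1])
    _, attr, value = tree
    vals = entry.get(attr, [])
    if isinstance(vals, str):
        vals = [vals]
    return any(v.lower() == value.lower() for v in vals)


# Constructed entries shaped like cn=<service>,cn=<host>,cn=masters,cn=ipa,cn=etc,<suffix>.
# ipa3 carries the renewal marker without enabledService: inconsistent data
# that a sub-role search must not report.
MASTERS: List[Dict[str, object]] = [
    {"host": "ipa1.example.test", "cn": "CA",
     "ipaConfigString": ["enabledService", "caRenewalMaster"]},
    {"host": "ipa2.example.test", "cn": "CA",
     "ipaConfigString": ["enabledService"]},
    {"host": "ipa2.example.test", "cn": "DNSSEC",
     "ipaConfigString": ["enabledService", "DNSKeyMaster"]},
    {"host": "ipa3.example.test", "cn": "CA",
     "ipaConfigString": ["caRenewalMaster"]},
]


def find_servers(ldap_filter: str, entries=MASTERS) -> List[str]:
    """Return the sorted hosts whose master entry satisfies the filter."""
    tree = parse_filter(ldap_filter)
    return sorted({str(e["host"]) for e in entries if matches(tree, e)})


if __name__ == "__main__":
    print(flat_filter("CA renewal master"))
    print(find_servers(flat_filter("CA renewal master")))
    print(find_servers(role_filter("CA")))
```

Both spellings of the query (`flat_filter("CA renewal master")` and `role_filter("CA", "Renewal master")`) produce the filter quoted in the message, and only `ipa1` is returned for it; a plain `role_filter("CA")` returns `ipa1` and `ipa2` but not `ipa3`, whose CA entry lacks `enabledService`.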



