[Freeipa-devel] [DESIGN] Server Roles

Jan Cholasta jcholast at redhat.com
Mon Mar 21 08:28:15 UTC 2016 

On 17.3.2016 18:16, Martin Babinsky wrote:
> Hi list,
>
> here is a link (http://www.freeipa.org/page/V4/Server_Roles) to WIP
> design document concerning the concept of Server Roles as a
> user-friendly abstraction of the services running on IPA masters.
>
> The main aim of this feature is to provide a higher level interface to
> query and manipulate service-related information stored in dirsrv backend.
>
> I have not touched the design much from the post-Devconf session, mainly
> because there are some points to clarify and agree upon.
>
> I have the following points to discuss:
>
> 1.) the design assumes that there is a distinction between roles such as
> DNS server, CA, etc. and the more specific sub-roles such as DNSSec key
> master, CRL master, etc. Now in the hindsight I think this distinction
> is quite artificial and just clutters the interface unnecessarily. We
> might implement this kind of hierarchy in the code itself but that is
> something the user needs not be aware of.

These shouldn't be (sub-)roles at all - they are inherently a 
one-to-many relationship between the logical services and servers, 
whereas roles are many-to-many relationship between the logical services 
and servers. I would rather see them exposed in the global service 
config, such as:

$ ipa dnsconfig-mod --sec-master=ipa12.example.com
   DNSSEC master: ipa12.example.com

>
> 2.) I guess the role names should be case insensitive so that users are
> not hindered by trying to get the case right.

+1

>
> 3.) Do we need an internal API call which will add all services
> belonging to a role to the corresponding master entry? (basically a
> 'server_add_role' type of command). Currently, each service instance
> adds its own service entry during service installation so we probably do
> not need to duplicate this functionality.

+1, we don't need more duplicate code.

>
> That is all I can think of right now. I had many more questions popping
> up during this night's bout of insomnia, but they got lost during the day.

How are we going to expose the different states of server roles? They 
can be:

a) available/unavailable (the package providing the role was/was not 
installed on the server)
b) configured/unconfigured (the installer for the role was/was not 
successfully run on the server, LDAP service entries exist)
c) enabled/disabled

My preference would be to make server-role commands work on top of 
available services, like this:

# ipa server-role-show $HOSTNAME DNS
ipa: ERROR: DNS: server role not found

# dnf install freeipa-server-dns
...

# ipa server-role-show $HOSTNAME DNS
   Name: DNS
   Configured: False
   Enabled: False

# ipa-dns-install
...

# ipa server-role-show $HOSTNAME DNS
   Name: DNS
   Configured: True
   Enabled: True

>
> Do not be afraid to bring up other questions/remarks/comments. This is
> my first design documents so I expect them to be plenty.

The CLI commands are a little bit self-inconsistent, see any other 
plugin for how the general layout of arguments should look like.

-- 
Jan Cholasta

More information about the Freeipa-devel mailing list