[Freeipa-devel] Please review: V4/AD user short names design draft

Martin Babinsky mbabinsk at redhat.com
Wed Mar 1 15:17:13 UTC 2017 

On 03/01/2017 03:42 PM, Simo Sorce wrote:
> On Tue, 2017-02-28 at 13:29 +0100, Martin Babinsky wrote:
>> Hello list,
>>
>> I have put together a draft of design page describing server-side
>> implementation of user short name -> fully-qualified name resolution.[1]
>>
>> In the end I have taken the liberty to change a few aspects of the
>> design we have agreed on before and I will be grad if we can discuss
>> them further.
>>
>> Me and Honza have discussed the object that should hold the domain
>> resolution order and given the fact that IPA domain can also be a part
>> of this list, we have decided that this information is no longer bound
>> to trust configuration and should be a part of the global config instead.
>>
>> Also we have purposefully cut down the API only to a raw manipulation of
>> the attribute using an option of `ipa config-mod`. The reasons for this
>> are twofold:
>>
>>    * the developer resources are quite scarce and it may be good to
>> follow YAGNI[2] principle to implement the dumbest API now and not to
>> invest into more high-level interface unless there is a demand for it
>>
>>    * we can imagine that the manipulation of the domain resolution order
>> is a rare operation (ideally only once all trusts are established), so I
>> am not convinced that it is worth investing into designing higher-level API
>>
>> I propose we first develop the "dumber" parts first to unblock the SSSD
>> part. If we have spare cycle afterwards then we can design and implement
>> more bells-and-whistles afterwards.
>>
>> [1] https://www.freeipa.org/page/V4/AD_User_Short_Names
>> [2] https://en.wikipedia.org/wiki/You_aren%27t_gonna_need_it
>
> Thank you Martin,
> this is a good initial proposal.
>
> I have a few issues with this design:
> - It conflates the idea of ordering with the idea of shortening user
> names

I fail to see where the conflation takes place. The ordered list is 
stored on the server. The client then uses it to expand short names. I 
guess I am just missing something.

> - It allows only for one setting for all the machines, no way to treat
> different groups of machines differently
>

Yes it was discussed that the setting will be global. I would implement 
local overrides only when there is a demand for the feature given 
development time is short.

> The first one is probably just a matter of using a more specific name
> for the new attribute, or, perhaps not use a new attribute at all but
> just use ipaConfigString with an agreed syntax like:
> ipaConfigString: Domains Use Short Name List: aaa bbb ccc ddd
>
> The side effect of using ipaConfigString is that we can set this on
> older servers too, so people do not have to upgrade their servers to use
> this. Old servers will not have any validation, but that is ok, sssd
> must be prepared to receive a bad list and deal with it appropriately
> anyway.
>

No more 'ipaConfigString' attribute values, please. Me and everyone else 
fixing e.g. replication issues can relate to the pain of doing CRUD 
operations involving them.

If the admin wishes old servers to server new clients this information, 
all he has to do is upgrade a single replica, set the attribute value 
there and let replication take care of the rest. Yes, the management CLI 
will not be available on the old masters but that is the case of new 
features anyway.

>
> The second one is something we *may* address later, and use the setting
> in cn=ipaConfig as a default, but there are two reasons why I think a
> setting applicable to just a host group makes sense:
> - it allows to test the setting on a small set of machines to see if
> everything works right, this is going to be especially important on
> existing setups, where people do not want to risk all machines
> misbehaving at once if something goes wrong.
> - it allows to migrate machines slowly, in some cases people may need to
> change local files/application settings on machines if the usernames
> change, so they may need a controlled roll out before changing a setting
> globally.
>
> This may achieved by adding this setting to an ID View for example, then
> only hosts in that IDView would get this. Or a new object could be
> created that has members, the former has the advantage of being already
> in place and SSSD already downloads that data, the latter allows to
> target an even smaller set of hosts unrelated to previous ID views
> settings.
>
> Simo.
>

That is an interesting proposal but I am afraid we may not get to 
implement that during 4.5 development. I can certainly mention the 
possibility in the design so that we can return to it when a need arises.

-- 
Martin^3 Babinsky

More information about the Freeipa-devel mailing list