[Freeipa-devel] [RFE] Support for automember rebuild membership
Rob Crittenden
rcritten at redhat.com
Thu Sep 12 19:23:46 UTC 2013
Dmitri Pal wrote:
> On 09/12/2013 01:59 PM, Ana Krivokapic wrote:
>> Hello,
>>
>> The design document for $SUBJECT can be found at:
>> http://www.freeipa.org/page/V3/Automember_rebuild_membership
>>
>> Related tickets:
>> https://fedorahosted.org/freeipa/ticket/3752
>> https://fedorahosted.org/freeipa/ticket/3928
>>
>> Thoughts, comments, questions welcome.
>>
> The names for commands are a bit long.
> I am not sure we need all the commands.
>
> $ ipa automember-rebuild-membership --type=group
>
> I do not understand why type is "group".
> If you say that all the user group memberships will be rebuilt then the
> type is "user".
> But then you can really not have the command at all and use just:
>
> ipa user-automembership
> and
> ipa host-automembership
>
> If in future we have other objects we would add another command for
> those objects.
>
> so
> ipa user-automembership --update
> will update group memberships for all users, or may be it should be
> ipa user-automembership --update *
> (I do not know what are the rules in the framework, we should follow them)
>
> ipa user-automember --update LOGIN
> will update group memberships for a specific user
>
> Now we need to differentiate --update and --reset
> --update should update group membership based on the existing filters,
> i.e. based on the automember plugin configuration only add missing
> memberships (if any)
> --reset should clean existing memberships and rebuild them based only
> the default groups + automember. It should pretty much mean "make group
> memberships as if the user was just added".
>
> Makes sense or I am missing something?
Her design is consistent with the current automember commands.
I think I'd drop the -membership part though, automember-rebuild is
sufficient. For user/host perhaps user-automember-rebuild.
I disagree with your update/reset suggestions.
Unless a user is doing ALL of its group/hostgroup management via
automember rules then the reset command will almost always do the wrong
thing. This could raise all sorts of strange permission issues too, as
we'd have to use the currently bound user to do the group membership
removal. We can separately add delegation to create an automember
rebuild task, and that runs as DM IIRC.
I think I prefer rebuild to update, though update is probably a better
description to what is happening under the hood.
rob
More information about the Freeipa-devel
mailing list