[Freeipa-devel] [DESIGN] Server Roles

Martin Babinsky mbabinsk at redhat.com
Wed Apr 6 14:37:25 UTC 2016


On 03/21/2016 09:28 AM, Jan Cholasta wrote:
> On 17.3.2016 18:16, Martin Babinsky wrote:
>> Hi list,
>>
>> here is a link (http://www.freeipa.org/page/V4/Server_Roles) to the WIP
>> design document concerning the concept of Server Roles as a
>> user-friendly abstraction of the services running on IPA masters.
>>
>> The main aim of this feature is to provide a higher level interface to
>> query and manipulate service-related information stored in dirsrv
>> backend.
>>
>> I have not touched the design much from the post-Devconf session, mainly
>> because there are some points to clarify and agree upon.
>>
>> I have the following points to discuss:
>>
>> 1.) the design assumes that there is a distinction between roles such as
>> DNS server, CA, etc. and the more specific sub-roles such as DNSSec key
>> master, CRL master, etc. Now in hindsight I think this distinction
>> is quite artificial and just clutters the interface unnecessarily. We
>> might implement this kind of hierarchy in the code itself but that is
>> something the user need not be aware of.
>
> These shouldn't be (sub-)roles at all - they are inherently a
> one-to-many relationship between the logical services and servers,
> whereas roles are a many-to-many relationship between the logical services
> and servers. I would rather see them exposed in the global service
> config, such as:
>
> $ ipa dnsconfig-mod --sec-master=ipa12.example.com
>    DNSSEC master: ipa12.example.com
>
>>
>> 2.) I guess the role names should be case insensitive so that users are
>> not hindered by trying to get the case right.
>
> +1
>
>>
>> 3.) Do we need an internal API call which will add all services
>> belonging to a role to the corresponding master entry? (basically a
>> 'server_add_role' type of command). Currently, each service instance
>> adds its own service entry during service installation so we probably do
>> not need to duplicate this functionality.
>
> +1, we don't need more duplicate code.
>
>>
>> That is all I can think of right now. I had many more questions popping
>> up during this night's bout of insomnia, but they got lost during the
>> day.
>
> How are we going to expose the different states of server roles? They
> can be:
>
> a) available/unavailable (the package providing the role was/was not
> installed on the server)
> b) configured/unconfigured (the installer for the role was/was not
> successfully run on the server, LDAP service entries exist)
> c) enabled/disabled
>
> My preference would be to make server-role commands work on top of
> available services, like this:
>
> # ipa server-role-show $HOSTNAME DNS
> ipa: ERROR: DNS: server role not found
>
> # dnf install freeipa-server-dns
> ...
>
> # ipa server-role-show $HOSTNAME DNS
>    Name: DNS
>    Configured: False
>    Enabled: False
>
> # ipa-dns-install
> ...
>
> # ipa server-role-show $HOSTNAME DNS
>    Name: DNS
>    Configured: True
>    Enabled: True
>
>>
>> Do not be afraid to bring up other questions/remarks/comments. This is
>> my first design document so I expect them to be plenty.
>
> The CLI commands are a little bit self-inconsistent, see any other
> plugin for how the general layout of arguments should look.
>

I have updated the design page[1] according to the comments gathered in 
this thread and offline discussion with the principal reviewer, e.g. Jan.

Again, comments are welcome.

[1] http://www.freeipa.org/page/V4/Server_Roles

-- 
Martin^3 Babinsky
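
The three role states proposed in the quoted reply (available, configured, enabled) and the case-insensitive role names from point 2, modelled as an added example that is not part of the original message or of FreeIPA's code. The role-to-service mapping, the `enabledService` marker, the CA package name and all function and class names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed role -> (providing package, service entry names). Only the DNS
# package name appears in the thread; the rest is illustrative.
ROLE_DEFS = {
    "DNS": ("freeipa-server-dns", ("DNS", "DNSKeySync")),
    "CA": ("freeipa-server", ("CA",)),
}
ENABLED_MARKER = "enabledService"  # assumed per-entry "enabled" flag


class RoleNotFound(Exception):
    """Matches the 'server role not found' error in the thread's mock-up."""


@dataclass(frozen=True)
class RoleStatus:
    name: str
    configured: bool
    enabled: bool


def server_role_show(role, installed_packages, service_entries):
    """Derive a role's state on one master.

    service_entries maps a service entry name to its set of config strings,
    standing in for the LDAP service entries under that master.
    """
    # Point 2: role names are matched case-insensitively.
    canonical = {name.lower(): name for name in ROLE_DEFS}.get(role.lower())
    if canonical is None:
        raise RoleNotFound(f"{role}: server role not found")
    package, services = ROLE_DEFS[canonical]
    # State (a): a role whose package is not installed is reported as not found.
    if package not in installed_packages:
        raise RoleNotFound(f"{canonical}: server role not found")
    # State (b): configured only when every service entry of the role exists,
    # so a half-finished installer run does not count.
    configured = all(s in service_entries for s in services)
    # State (c): enabled only when configured and every entry is marked enabled.
    enabled = configured and all(
        ENABLED_MARKER in service_entries[s] for s in services)
    return RoleStatus(canonical, configured, enabled)


if __name__ == "__main__":
    # Constructed sample data: DNS package installed, installer not yet run.
    print(server_role_show("dns", {"freeipa-server-dns"}, {}))
```
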



