[Freeipa-devel] [DESIGN] Server Roles

Petr Spacek pspacek at redhat.com
Thu Apr 7 08:28:06 UTC 2016


On 6.4.2016 16:37, Martin Babinsky wrote:
> On 03/21/2016 09:28 AM, Jan Cholasta wrote:
>> On 17.3.2016 18:16, Martin Babinsky wrote:
>>> Hi list,
>>>
>>> here is a link (http://www.freeipa.org/page/V4/Server_Roles) to WIP
>>> design document concerning the concept of Server Roles as a
>>> user-friendly abstraction of the services running on IPA masters.
>>>
>>> The main aim of this feature is to provide a higher level interface to
>>> query and manipulate service-related information stored in dirsrv
>>> backend.
>>>
>>> I have not touched the design much from the post-Devconf session, mainly
>>> because there are some points to clarify and agree upon.
>>>
>>> I have the following points to discuss:
>>>
>>> 1.) the design assumes that there is a distinction between roles such as
>>> DNS server, CA, etc. and the more specific sub-roles such as DNSSec key
>>> master, CRL master, etc. Now in hindsight I think this distinction
>>> is quite artificial and just clutters the interface unnecessarily. We
>>> might implement this kind of hierarchy in the code itself but that is
>>> something the user needs not be aware of.
>>
>> These shouldn't be (sub-)roles at all - they are inherently a
>> one-to-many relationship between the logical services and servers,
>> whereas roles are a many-to-many relationship between the logical services
>> and servers. I would rather see them exposed in the global service
>> config, such as:
>>
>> $ ipa dnsconfig-mod --sec-master=ipa12.example.com
>>    DNSSEC master: ipa12.example.com
>>
>>>
>>> 2.) I guess the role names should be case insensitive so that users are
>>> not hindered by trying to get the case right.
>>
>> +1
>>
>>>
>>> 3.) Do we need an internal API call which will add all services
>>> belonging to a role to the corresponding master entry? (basically a
>>> 'server_add_role' type of command). Currently, each service instance
>>> adds its own service entry during service installation so we probably do
>>> not need to duplicate this functionality.
>>
>> +1, we don't need more duplicate code.
>>
>>>
>>> That is all I can think of right now. I had many more questions popping
>>> up during this night's bout of insomnia, but they got lost during the
>>> day.
>>
>> How are we going to expose the different states of server roles? They
>> can be:
>>
>> a) available/unavailable (the package providing the role was/was not
>> installed on the server)
>> b) configured/unconfigured (the installer for the role was/was not
>> successfully run on the server, LDAP service entries exist)
>> c) enabled/disabled
>>
>> My preference would be to make server-role commands work on top of
>> available services, like this:
>>
>> # ipa server-role-show $HOSTNAME DNS
>> ipa: ERROR: DNS: server role not found
>>
>> # dnf install freeipa-server-dns
>> ...
>>
>> # ipa server-role-show $HOSTNAME DNS
>>    Name: DNS
>>    Configured: False
>>    Enabled: False
>>
>> # ipa-dns-install
>> ...
>>
>> # ipa server-role-show $HOSTNAME DNS
>>    Name: DNS
>>    Configured: True
>>    Enabled: True
>>
>>>
>>> Do not be afraid to bring up other questions/remarks/comments. This is
>>> my first design document so I expect them to be plenty.
>>
>> The CLI commands are a little bit self-inconsistent, see any other
>> plugin for how the general layout of arguments should look.
>>
> 
> I have updated the design page[1] according to the comments gathered in this
> thread and offline discussion with the principal reviewer, i.e. Jan.
> 
> Again comments are welcome.
> 
> [1] http://www.freeipa.org/page/V4/Server_Roles

Hi,

I wonder if proposed service list->role and ipaConfigString value->server
attribute mappings will work for DNSSEC key master.

A DNS server consists of the named-pkcs11 and ipa-dnskeysyncd services.
DNSSEC key master adds opendnssec and ipa-ods-exporter services.

Can this be represented in the described model? I'm not sure.

-- 
Petr^2 Spacek
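The state model Jan sketches above (available, configured, enabled) and the service-set question Petr raises at the end can both be exercised in a small model. The following Python is an added example written for this page, not FreeIPA code: the ROLE_SERVICES table, the Master class, the SINGLETON_ROLES constraint and the per-service enabled flags standing in for ipaConfigString are all assumptions made here; only the service names come from the thread. It treats the DNSSEC key master as a role whose service set is a superset of the DNS server's, and enforces that at most one master holds it.

```python
"""Toy model: server roles derived from the services each IPA master runs."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Hypothetical role -> required-services table. The service names are the ones
# named in the thread; which services constitute a role is an assumption here.
ROLE_SERVICES: Dict[str, Set[str]] = {
    "DNS server": {"named-pkcs11", "ipa-dnskeysyncd"},
    "DNSSEC key master": {"named-pkcs11", "ipa-dnskeysyncd",
                          "opendnssec", "ipa-ods-exporter"},
}

# Roles that are one-to-many (at most one master may hold them), as opposed to
# the ordinary many-to-many roles.
SINGLETON_ROLES: Set[str] = {"DNSSEC key master"}


@dataclass
class Master:
    hostname: str
    installed_roles: Set[str]      # packages present on the host (state a)
    # service name -> enabled flag; a constructed stand-in for the per-service
    # LDAP entries and their ipaConfigString values (states b and c)
    services: Dict[str, bool]


def normalize_role(name: str) -> str:
    """Resolve a role name case-insensitively; unknown names raise KeyError."""
    for role in ROLE_SERVICES:
        if role.lower() == name.lower():
            return role
    raise KeyError(f"{name}: server role not found")


def role_state(master: Master, name: str) -> Dict[str, bool]:
    """Return the available/configured/enabled triple for one role on one master."""
    role = normalize_role(name)
    required = ROLE_SERVICES[role]
    configured = required <= set(master.services)     # all service entries exist
    enabled = configured and all(master.services[s] for s in required)
    available = configured or role in master.installed_roles
    return {"available": available, "configured": configured, "enabled": enabled}


def configured_roles(master: Master) -> List[str]:
    """Roles whose full service set is present on the master."""
    return sorted(r for r in ROLE_SERVICES if role_state(master, r)["configured"])


def check_topology(masters: List[Master]) -> List[str]:
    """Constraint violations across masters; an empty list means consistent."""
    problems: List[str] = []
    for role in SINGLETON_ROLES:
        holders = [m.hostname for m in masters if role_state(m, role)["enabled"]]
        if len(holders) > 1:
            problems.append(f"{role} enabled on more than one master: "
                            + ", ".join(holders))
        dns_servers = [m for m in masters if role_state(m, "DNS server")["enabled"]]
        if dns_servers and not holders:
            problems.append(f"{role} is not enabled on any DNS server")
    return problems


def sample_masters() -> List[Master]:
    """Constructed topology: one key master, one plain DNS server, one bare host."""
    dns = {"named-pkcs11": True, "ipa-dnskeysyncd": True}
    keymaster = dict(dns, **{"opendnssec": True, "ipa-ods-exporter": True})
    return [
        Master("ipa1.example.com", {"DNS server", "DNSSEC key master"}, keymaster),
        Master("ipa2.example.com", {"DNS server", "DNSSEC key master"}, dict(dns)),
        Master("ipa3.example.com", {"DNS server"}, {}),
    ]


if __name__ == "__main__":
    for m in sample_masters():
        print(m.hostname, configured_roles(m), role_state(m, "dns server"))
    print("problems:", check_topology(sample_masters()))
```

Because the key master's service set contains the DNS server's, a master configured as key master is automatically reported as a DNS server too, so no separate sub-role hierarchy is needed in the interface; the one-to-many nature is enforced by the topology check rather than by the role definition.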



