[Freeipa-devel] [DESIGN] Server Roles

Martin Babinsky mbabinsk at redhat.com
Fri Apr 8 15:26:20 UTC 2016


On 04/07/2016 10:28 AM, Petr Spacek wrote:
> On 6.4.2016 16:37, Martin Babinsky wrote:
>> On 03/21/2016 09:28 AM, Jan Cholasta wrote:
>>> On 17.3.2016 18:16, Martin Babinsky wrote:
>>>> Hi list,
>>>>
>>>> here is a link (http://www.freeipa.org/page/V4/Server_Roles) to WIP
>>>> design document concerning the concept of Server Roles as a
>>>> user-friendly abstraction of the services running on IPA masters.
>>>>
>>>> The main aim of this feature is to provide a higher level interface to
>>>> query and manipulate service-related information stored in dirsrv
>>>> backend.
>>>>
>>>> I have not touched the design much from the post-Devconf session, mainly
>>>> because there are some points to clarify and agree upon.
>>>>
>>>> I have the following points to discuss:
>>>>
>>>> 1.) the design assumes that there is a distinction between roles such as
>>>> DNS server, CA, etc. and the more specific sub-roles such as DNSSec key
>>>> master, CRL master, etc. Now in hindsight I think this distinction
>>>> is quite artificial and just clutters the interface unnecessarily. We
>>>> might implement this kind of hierarchy in the code itself but that is
>>>> something the user need not be aware of.
>>>
>>> These shouldn't be (sub-)roles at all - they are inherently a
>>> one-to-many relationship between the logical services and servers,
>>> whereas roles are many-to-many relationship between the logical services
>>> and servers. I would rather see them exposed in the global service
>>> config, such as:
>>>
>>> $ ipa dnsconfig-mod --sec-master=ipa12.example.com
>>>     DNSSEC master: ipa12.example.com
>>>
>>>>
>>>> 2.) I guess the role names should be case insensitive so that users are
>>>> not hindered by trying to get the case right.
>>>
>>> +1
>>>
>>>>
>>>> 3.) Do we need an internal API call which will add all services
>>>> belonging to a role to the corresponding master entry? (basically a
>>>> 'server_add_role' type of command). Currently, each service instance
>>>> adds its own service entry during service installation so we probably do
>>>> not need to duplicate this functionality.
>>>
>>> +1, we don't need more duplicate code.
>>>
>>>>
>>>> That is all I can think of right now. I had many more questions popping
>>>> up during this night's bout of insomnia, but they got lost during the
>>>> day.
>>>
>>> How are we going to expose the different states of server roles? They
>>> can be:
>>>
>>> a) available/unavailable (the package providing the role was/was not
>>> installed on the server)
>>> b) configured/unconfigured (the installer for the role was/was not
>>> successfully run on the server, LDAP service entries exist)
>>> c) enabled/disabled
>>>
>>> My preference would be to make server-role commands work on top of
>>> available services, like this:
>>>
>>> # ipa server-role-show $HOSTNAME DNS
>>> ipa: ERROR: DNS: server role not found
>>>
>>> # dnf install freeipa-server-dns
>>> ...
>>>
>>> # ipa server-role-show $HOSTNAME DNS
>>>     Name: DNS
>>>     Configured: False
>>>     Enabled: False
>>>
>>> # ipa-dns-install
>>> ...
>>>
>>> # ipa server-role-show $HOSTNAME DNS
>>>     Name: DNS
>>>     Configured: True
>>>     Enabled: True
>>>
>>>>
>>>> Do not be afraid to bring up other questions/remarks/comments. This is
>>>> my first design document so I expect them to be plenty.
>>>
>>> The CLI commands are a little bit self-inconsistent, see any other
>>> plugin for how the general layout of arguments should look.
>>>
>>
>> I have updated the design page[1] according to the comments gathered in this
>> thread and offline discussion with the principal reviewer, i.e. Jan.
>>
>> Again comments are welcome.
>>
>> [1] http://www.freeipa.org/page/V4/Server_Roles
>
> Hi,
>
> I wonder if proposed service list->role and ipaConfigString value->server
> attribute mappings will work for DNSSEC key master.
>
> DNS server consists of the named-pkcs11 and ipa-dnskeysyncd services.
> DNSSEC key master adds the opendnssec and ipa-ods-exporter services.
>
> Can this be represented in the described model? I'm not sure.
>
Yes, that is something I was not quite sure about: whether the DNSSec master 
is more defined by the presence of ipaConfigString or by the presence of 
relevant service entries.

We can do both approaches since the mapping between roles/attributes and 
service entries has to be quite flexible anyway.

-- 
Martin^3 Babinsky
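The thread above leaves two modelling questions open: how a role is derived from the service entries of a master (and which of Jan's states, configured or enabled, it is in), and how a one-to-many server attribute such as the DNSSEC key master is derived from an ipaConfigString value on a specific service entry, possibly on top of an existing role. The following is an added illustration written for this page, not code from FreeIPA or from the design document: the service names, the `enabledService` marker and the `DNSSecKeyMaster` value are assumptions, and the LDAP entries are constructed inline as plain dicts standing in for `cn=<service>,cn=<master>,cn=masters,...` entries. Role lookup is case-insensitive, as agreed in point 2, and the attribute resolver refuses a state where more than one master claims a one-to-many attribute, which is the invariant that distinguishes such attributes from roles.

```python
"""Added example: resolving server roles and one-to-many server attributes
from constructed service entries (not FreeIPA's own implementation)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed ipaConfigString marker for "this service is enabled on this master".
ENABLED = "enabledService"


@dataclass(frozen=True)
class RoleSpec:
    """A role is present on a master when all of its service entries exist."""
    services: Set[str]


@dataclass(frozen=True)
class AttrSpec:
    """A one-to-many attribute: one master carries config_string on one service
    entry, and must already hold requires_role (Petr's DNSSEC key master case)."""
    service: str
    config_string: str
    requires_role: str


# Role definitions (service names are assumptions, not FreeIPA's real cn values).
ROLES: Dict[str, RoleSpec] = {
    "DNS server": RoleSpec(services={"DNS", "DNSKeySync"}),
    "CA server": RoleSpec(services={"CA"}),
}

# Attribute definitions; the DNSSEC key master is modelled as an extra service
# entry that carries an assumed "DNSSecKeyMaster" ipaConfigString value.
ATTRIBUTES: Dict[str, AttrSpec] = {
    "dnssec_key_server": AttrSpec(
        service="DNSSEC", config_string="DNSSecKeyMaster", requires_role="DNS server"
    ),
}

# Constructed sample entries: one dict per cn=<service>,cn=<host>,cn=masters entry.
SAMPLE_ENTRIES: List[dict] = [
    {"host": "ipa1.example.com", "service": "DNS", "ipaConfigString": [ENABLED]},
    {"host": "ipa1.example.com", "service": "DNSKeySync", "ipaConfigString": [ENABLED]},
    {"host": "ipa1.example.com", "service": "DNSSEC",
     "ipaConfigString": [ENABLED, "DNSSecKeyMaster"]},
    {"host": "ipa2.example.com", "service": "DNS", "ipaConfigString": [ENABLED]},
    # configured but not enabled: the entry exists without the enabled marker
    {"host": "ipa2.example.com", "service": "DNSKeySync", "ipaConfigString": []},
    {"host": "ipa3.example.com", "service": "CA", "ipaConfigString": [ENABLED]},
]


def find_role(name: str) -> RoleSpec:
    """Case-insensitive role lookup; unknown names fail like the CLI would."""
    key = name.casefold()
    for role, spec in ROLES.items():
        if role.casefold() == key:
            return spec
    raise KeyError(f"{name}: server role not found")


def _host_services(entries: List[dict], host: str) -> Dict[str, Set[str]]:
    """Map service name -> ipaConfigString values for one master."""
    return {e["service"]: set(e["ipaConfigString"]) for e in entries if e["host"] == host}


def role_status(entries: List[dict], host: str, role_name: str) -> str:
    """'absent' (no service entries), 'configured' (entries exist) or 'enabled'
    (all entries carry the enabled marker). Package availability cannot be
    derived from LDAP, so that state is deliberately not modelled here."""
    spec = find_role(role_name)
    svcs = _host_services(entries, host)
    if not spec.services.issubset(svcs):
        return "absent"
    if all(ENABLED in svcs[s] for s in spec.services):
        return "enabled"
    return "configured"


def attribute_holder(entries: List[dict], attr_name: str) -> Optional[str]:
    """Return the single master carrying the attribute, or None. More than one
    holder, or a holder without the prerequisite role, is an inconsistent
    directory state and is reported rather than silently picked from."""
    spec = ATTRIBUTES[attr_name]
    holders = sorted({e["host"] for e in entries
                      if e["service"] == spec.service
                      and spec.config_string in e["ipaConfigString"]})
    if len(holders) > 1:
        raise ValueError(f"{attr_name}: expected at most one master, found {holders}")
    if holders and role_status(entries, holders[0], spec.requires_role) == "absent":
        raise ValueError(f"{attr_name}: {holders[0]} lacks role {spec.requires_role!r}")
    return holders[0] if holders else None


def server_show(entries: List[dict], host: str) -> dict:
    """Summary in the spirit of a server-show output: roles with their state
    plus the one-to-many attributes this master holds."""
    roles = {r: role_status(entries, host, r) for r in ROLES}
    attrs = [a for a in ATTRIBUTES if attribute_holder(entries, a) == host]
    return {"host": host, "roles": roles, "attributes": attrs}


if __name__ == "__main__":
    for h in ("ipa1.example.com", "ipa2.example.com", "ipa3.example.com"):
        print(server_show(SAMPLE_ENTRIES, h))
```

Either of the two approaches Martin mentions fits this shape: defining the key master purely by the ipaConfigString value means dropping the `requires_role` check, while defining it purely by the extra service entries means turning `dnssec_key_server` into a `RoleSpec` with `{"DNS", "DNSKeySync", "DNSSEC"}`, at the cost of losing the single-holder guarantee.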
