[Freeipa-devel] [DESIGN] Server Roles

Petr Spacek pspacek at redhat.com
Mon Apr 11 09:06:02 UTC 2016 

On 8.4.2016 17:26, Martin Babinsky wrote:
> On 04/07/2016 10:28 AM, Petr Spacek wrote:
>> On 6.4.2016 16:37, Martin Babinsky wrote:
>>> On 03/21/2016 09:28 AM, Jan Cholasta wrote:
>>>> On 17.3.2016 18:16, Martin Babinsky wrote:
>>>>> Hi list,
>>>>>
>>>>> here is a link (http://www.freeipa.org/page/V4/Server_Roles) to WIP
>>>>> design document concerning the concept of Server Roles as a
>>>>> user-friendly abstraction of the services running on IPA masters.
>>>>>
>>>>> The main aim of this feature is to provide a higher level interface to
>>>>> query and manipulate service-related information stored in dirsrv
>>>>> backend.
>>>>>
>>>>> I have not touched the design much from the post-Devconf session, mainly
>>>>> because there are some points to clarify and agree upon.
>>>>>
>>>>> I have the following points to discuss:
>>>>>
>>>>> 1.) the design assumes that there is a distinction between roles such as
>>>>> DNS server, CA, etc. and the more specific sub-roles such as DNSSec key
>>>>> master, CRL master, etc. Now in the hindsight I think this distinction
>>>>> is quite artificial and just clutters the interface unnecessarily. We
>>>>> might implement this kind of hierarchy in the code itself but that is
>>>>> something the user needs not be aware of.
>>>>
>>>> These shouldn't be (sub-)roles at all - they are inherently a
>>>> one-to-many relationship between the logical services and servers,
>>>> whereas roles are many-to-many relationship between the logical services
>>>> and servers. I would rather see them exposed in the global service
>>>> config, such as:
>>>>
>>>> $ ipa dnsconfig-mod --sec-master=ipa12.example.com
>>>>     DNSSEC master: ipa12.example.com
>>>>
>>>>>
>>>>> 2.) I guess the role names should be case insensitive so that users are
>>>>> not hindered by trying to get the case right.
>>>>
>>>> +1
>>>>
>>>>>
>>>>> 3.) Do we need an internal API call which will add all services
>>>>> belonging to a role to the corresponding master entry? (basically a
>>>>> 'server_add_role' type of command). Currently, each service instance
>>>>> adds its own service entry during service installation so we probably do
>>>>> not need to duplicate this functionality.
>>>>
>>>> +1, we don't need more duplicate code.
>>>>
>>>>>
>>>>> That is all I can think of right now. I had many more questions popping
>>>>> up during this night's bout of insomnia, but they got lost during the
>>>>> day.
>>>>
>>>> How are we going to expose the different states of server roles? They
>>>> can be:
>>>>
>>>> a) available/unavailable (the package providing the role was/was not
>>>> installed on the server)
>>>> b) configured/unconfigured (the installer for the role was/was not
>>>> successfully run on the server, LDAP service entries exist)
>>>> c) enabled/disabled
>>>>
>>>> My preference would be to make server-role commands work on top of
>>>> available services, like this:
>>>>
>>>> # ipa server-role-show $HOSTNAME DNS
>>>> ipa: ERROR: DNS: server role not found
>>>>
>>>> # dnf install freeipa-server-dns
>>>> ...
>>>>
>>>> # ipa server-role-show $HOSTNAME DNS
>>>>     Name: DNS
>>>>     Configured: False
>>>>     Enabled: False
>>>>
>>>> # ipa-dns-install
>>>> ...
>>>>
>>>> # ipa server-role-show $HOSTNAME DNS
>>>>     Name: DNS
>>>>     Configured: True
>>>>     Enabled: True
>>>>
>>>>>
>>>>> Do not be afraid to bring up other questions/remarks/comments. This is
>>>>> my first design documents so I expect them to be plenty.
>>>>
>>>> The CLI commands are a little bit self-inconsistent, see any other
>>>> plugin for how the general layout of arguments should look like.
>>>>
>>>
>>> I have updated the design page[1] according to the comments gathered in this
>>> thread and offline discussion with principal reviewer, e.g. Jan.
>>>
>>> Again comments are welcome.
>>>
>>> [1] http://www.freeipa.org/page/V4/Server_Roles
>>
>> Hi,
>>
>> I wonder if proposed service list->role and ipaConfigString value->server
>> attribute mappings will work for DNSSEC key master.
>>
>> DNS server consist of named-pkcs11 and ipa-dnskeysyncd services.
>> DNSSEC key master adds opendnssec and ipa-ods-exporter services.
>>
>> Can this be represented in the described model? I'm not sure.
>>
> Yes that is something I was not quite sure about whether DNSSec master is more
> defined by the presence of ipaConfigString or by presence of relevant service
> entries.
> 
> We can do both approaches since the mapping between roles/attributes and
> service entries has to be quite flexible anyway.

This is up to you as long as we are able to represent it somehow :-)

-- 
Petr^2 Spacek

More information about the Freeipa-devel mailing list