[Freeipa-devel] [DESIGN] Server Roles

Martin Babinsky mbabinsk at redhat.com
Tue Apr 12 07:31:03 UTC 2016


On 03/17/2016 06:16 PM, Martin Babinsky wrote:
> Hi list,
>
> here is a link (http://www.freeipa.org/page/V4/Server_Roles) to WIP
> design document concerning the concept of Server Roles as a
> user-friendly abstraction of the services running on IPA masters.
>
> The main aim of this feature is to provide a higher level interface to
> query and manipulate service-related information stored in dirsrv backend.
>
> I have not touched the design much from the post-Devconf session, mainly
> because there are some points to clarify and agree upon.
>
> I have the following points to discuss:
>
> 1.) the design assumes that there is a distinction between roles such as
> DNS server, CA, etc. and the more specific sub-roles such as DNSSec key
> master, CRL master, etc. Now in hindsight I think this distinction
> is quite artificial and just clutters the interface unnecessarily. We
> might implement this kind of hierarchy in the code itself but that is
> something the user need not be aware of.
>
> 2.) I guess the role names should be case insensitive so that users are
> not hindered by trying to get the case right.
>
> 3.) Do we need an internal API call which will add all services
> belonging to a role to the corresponding master entry? (basically a
> 'server_add_role' type of command). Currently, each service instance
> adds its own service entry during service installation so we probably do
> not need to duplicate this functionality.
>
> That is all I can think of right now. I had many more questions popping
> up during this night's bout of insomnia, but they got lost during the day.
>
> Do not be afraid to bring up other questions/remarks/comments. This is
> my first design document so I expect them to be plenty.
>
Hi list,

We had a discussion with Petr Spacek and Jan Cholasta about the possible 
utilization of server role implementation for the generation of location 
specific DNAME records.[1]

The thing that would make Petr's life a bit easier is a plugin that 
would associate a certain role with a set of DNS RRs and would be able 
to spew out configured RRs for all masters on which the role is enabled.

For example, for the implicit "IPA Master" role we would spit out all 
configured LDAP/Kerberos/Kpasswd SRV records.

I have updated the design[2] to include CLI commands that will do this 
job, although I think it would be enough to just have them in API and to 
not expose them on the command line. Let me know what you think.

[1] http://www.freeipa.org/page/V4/DNS_Location_Mechanism
[2] http://www.freeipa.org/page/V4/Server_Roles

-- 
Martin^3 Babinsky
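
An added sketch of the role-to-RR mapping described in the message above (not FreeIPA code and not part of the original post). The template table, the `rrs_for_role` helper, the host names, the NS record for the DNS server role and the priority/weight values are assumptions; role lookup is case-insensitive, as suggested in point 2 of the quoted message.

```python
# Added illustration; not FreeIPA code. Templates, names and data are assumptions.

# Hypothetical role -> RR templates: (owner label, type, rdata format).
# "@" stands for the zone apex. SRV rdata is "priority weight port target".
ROLE_RR_TEMPLATES = {
    "ipa master": [
        ("_ldap._tcp", "SRV", "0 100 389 {host}."),
        ("_kerberos._tcp", "SRV", "0 100 88 {host}."),
        ("_kerberos._udp", "SRV", "0 100 88 {host}."),
        ("_kpasswd._tcp", "SRV", "0 100 464 {host}."),
        ("_kpasswd._udp", "SRV", "0 100 464 {host}."),
    ],
    "dns server": [("@", "NS", "{host}.")],
}

# Constructed sample topology: master host name -> roles enabled on it.
SAMPLE_MASTERS = {
    "ipa1.example.test": ["IPA master", "DNS server"],
    "ipa2.example.test": ["IPA master"],
}


def rrs_for_role(role, masters, domain):
    """Return zone-file lines for every master on which `role` is enabled."""
    key = role.casefold()  # role names are matched case-insensitively
    if key not in ROLE_RR_TEMPLATES:
        raise KeyError(f"unknown role: {role!r}")
    lines = []
    for host in sorted(masters):
        if key not in {r.casefold() for r in masters[host]}:
            continue  # role not enabled on this master: emit nothing
        for label, rrtype, rdata in ROLE_RR_TEMPLATES[key]:
            owner = f"{domain}." if label == "@" else f"{label}.{domain}."
            lines.append(f"{owner} IN {rrtype} {rdata.format(host=host)}")
    return lines


if __name__ == "__main__":
    for role in ("IPA Master", "dns SERVER"):
        print(f"; {role}")
        print("\n".join(rrs_for_role(role, SAMPLE_MASTERS, "example.test")))
```
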



