[Freeipa-devel] [DESIGN] Server Roles

Petr Spacek pspacek at redhat.com
Tue Apr 12 08:45:19 UTC 2016


On 12.4.2016 09:31, Martin Babinsky wrote:
> On 03/17/2016 06:16 PM, Martin Babinsky wrote:
>> Hi list,
>>
>> here is a link (http://www.freeipa.org/page/V4/Server_Roles) to WIP
>> design document concerning the concept of Server Roles as a
>> user-friendly abstraction of the services running on IPA masters.
>>
>> The main aim of this feature is to provide a higher level interface to
>> query and manipulate service-related information stored in dirsrv backend.
>>
>> I have not touched the design much from the post-Devconf session, mainly
>> because there are some points to clarify and agree upon.
>>
>> I have the following points to discuss:
>>
>> 1.) the design assumes that there is a distinction between roles such as
>> DNS server, CA, etc. and the more specific sub-roles such as DNSSec key
>> master, CRL master, etc. Now in hindsight I think this distinction
>> is quite artificial and just clutters the interface unnecessarily. We
>> might implement this kind of hierarchy in the code itself but that is
>> something the user need not be aware of.
>>
>> 2.) I guess the role names should be case insensitive so that users are
>> not hindered by trying to get the case right.
>>
>> 3.) Do we need an internal API call which will add all services
>> belonging to a role to the corresponding master entry? (basically a
>> 'server_add_role' type of command). Currently, each service instance
>> adds its own service entry during service installation so we probably do
>> not need to duplicate this functionality.
>>
>> That is all I can think of right now. I had many more questions popping
>> up during this night's bout of insomnia, but they got lost during the day.
>>
>> Do not be afraid to bring up other questions/remarks/comments. This is
>> my first design document so I expect them to be plenty.
>>
> Hi list,
> 
> We had a discussion with Petr Spacek and Jan Cholasta about the possible
> utilization of server role implementation for the generation of location
> specific DNAME records.[1]
> 
> The thing that would make Petr's life a bit easier is a plugin that would
> associate a certain role with a set of DNS RRs and would be able to spew out
> configured RRs for all masters on which the role is enabled.
> 
> For example, for the implicit "IPA Master" role we would spit out all
> configured LDAP/Kerberos/Kpasswd SRV records.
> 
> I have updated the design[2] to include CLI commands that will do this job,
> although I think it would be enough to just have them in API and to not expose
> them on the command line. Let me know what you think.

I agree. Even user-visible API can be too much. Can we make this purely
internal interface?

> [1] http://www.freeipa.org/page/V4/DNS_Location_Mechanism
> [2] http://www.freeipa.org/page/V4/Server_Roles
> 


-- 
Petr^2 Spacek



