[Freeipa-devel] [DESIGN] Server Roles

Jan Cholasta jcholast at redhat.com
Tue Apr 12 10:57:41 UTC 2016


On 12.4.2016 10:45, Petr Spacek wrote:
> On 12.4.2016 09:31, Martin Babinsky wrote:
>> On 03/17/2016 06:16 PM, Martin Babinsky wrote:
>>> Hi list,
>>>
>>> here is a link (http://www.freeipa.org/page/V4/Server_Roles) to WIP
>>> design document concerning the concept of Server Roles as a
>>> user-friendly abstraction of the services running on IPA masters.
>>>
>>> The main aim of this feature is to provide a higher level interface to
>>> query and manipulate service-related information stored in dirsrv backend.
>>>
>>> I have not touched the design much from the post-Devconf session, mainly
>>> because there are some points to clarify and agree upon.
>>>
>>> I have the following points to discuss:
>>>
>>> 1.) the design assumes that there is a distinction between roles such as
>>> DNS server, CA, etc. and the more specific sub-roles such as DNSSec key
>>> master, CRL master, etc. Now in hindsight I think this distinction
>>> is quite artificial and just clutters the interface unnecessarily. We
>>> might implement this kind of hierarchy in the code itself but that is
>>> something the user need not be aware of.
>>>
>>> 2.) I guess the role names should be case insensitive so that users are
>>> not hindered by trying to get the case right.
>>>
>>> 3.) Do we need an internal API call which will add all services
>>> belonging to a role to the corresponding master entry? (basically a
>>> 'server_add_role' type of command). Currently, each service instance
>>> adds its own service entry during service installation so we probably do
>>> not need to duplicate this functionality.
>>>
>>> That is all I can think of right now. I had many more questions popping
>>> up during this night's bout of insomnia, but they got lost during the day.
>>>
>>> Do not be afraid to bring up other questions/remarks/comments. This is
>>> my first design document so I expect them to be plenty.
>>>
>> Hi list,
>>
>> We had a discussion with Petr Spacek and Jan Cholasta about the possible
>> utilization of server role implementation for the generation of location
>> specific DNAME records.[1]
>>
>> The thing that would make Petr's life a bit easier is a plugin that would
>> associate a certain role with a set of DNS RRs and would be able to spew out
>> configured RRs for all masters on which the role is enabled.
>>
>> For example, for the implicit "IPA Master" role we would spit out all
>> configured LDAP/Kerberos/Kpasswd SRV records.
>>
>> I have updated the design[2] to include CLI commands that will do this job,
>> although I think it would be enough to just have them in API and to not expose
>> them on the command line. Let me know what you think.
>
> I agree. Even user-visible API can be too much. Can we make this purely
> internal interface?

+1, these should not be commands at all, but rather a new type of plugin.

-- 
Jan Cholasta



