[Freeipa-devel] [DESIGN] Server Roles

Jan Cholasta jcholast at redhat.com
Tue Apr 12 10:58:10 UTC 2016


On 12.4.2016 12:57, Jan Cholasta wrote:
> On 12.4.2016 10:45, Petr Spacek wrote:
>> On 12.4.2016 09:31, Martin Babinsky wrote:
>>> On 03/17/2016 06:16 PM, Martin Babinsky wrote:
>>>> Hi list,
>>>>
>>>> here is a link (http://www.freeipa.org/page/V4/Server_Roles) to WIP
>>>> design document concerning the concept of Server Roles as a
>>>> user-friendly abstraction of the services running on IPA masters.
>>>>
>>>> The main aim of this feature is to provide a higher level interface to
>>>> query and manipulate service-related information stored in dirsrv
>>>> backend.
>>>>
>>>> I have not touched the design much from the post-Devconf session, mainly
>>>> because there are some points to clarify and agree upon.
>>>>
>>>> I have the following points to discuss:
>>>>
>>>> 1.) the design assumes that there is a distinction between roles such as
>>>> DNS server, CA, etc. and the more specific sub-roles such as DNSSec key
>>>> master, CRL master, etc. Now in hindsight I think this distinction
>>>> is quite artificial and just clutters the interface unnecessarily. We
>>>> might implement this kind of hierarchy in the code itself but that is
>>>> something the user need not be aware of.
>>>>
>>>> 2.) I guess the role names should be case insensitive so that users are
>>>> not hindered by trying to get the case right.
>>>>
>>>> 3.) Do we need an internal API call which will add all services
>>>> belonging to a role to the corresponding master entry? (basically a
>>>> 'server_add_role' type of command). Currently, each service instance
>>>> adds its own service entry during service installation so we probably do
>>>> not need to duplicate this functionality.
>>>>
>>>> That is all I can think of right now. I had many more questions popping
>>>> up during this night's bout of insomnia, but they got lost during the day.
>>>>
>>>> Do not be afraid to bring up other questions/remarks/comments. This is
>>>> my first design document so I expect them to be plenty.
>>>>
>>> Hi list,
>>>
>>> We had a discussion with Petr Spacek and Jan Cholasta about the possible
>>> utilization of server role implementation for the generation of location
>>> specific DNAME records.[1]
>>>
>>> The thing that would make Petr's life a bit easier is a plugin that would
>>> associate a certain role with a set of DNS RRs and would be able to spew out
>>> configured RRs for all masters on which the role is enabled.
>>>
>>> For example, for the implicit "IPA Master" role we would spit out all
>>> configured LDAP/Kerberos/Kpasswd SRV records.
>>>
>>> I have updated the design[2] to include CLI commands that will do this job,
>>> although I think it would be enough to just have them in API and to not expose
>>> them on the command line. Let me know what you think.
>>
>> I agree. Even user-visible API can be too much. Can we make this purely
>> internal interface?
>
> +1, these should be commands at all, but rather a new type of plugin.

... should *not* be...

-- 
Jan Cholasta
