[Freeipa-users] Policy functionality of 2.0 requirements dropped?

Sean Brady sbrady at gtfservices.com
Tue May 4 00:30:42 UTC 2010


On 05/03/2010 05:58 PM, Dmitri Pal wrote:
> Sean Brady wrote:
>    
>> On 05/03/2010 04:32 PM, Stephen Gallagher wrote:
>>      
>>> On 05/03/2010 06:11 PM, Sean Brady wrote:
>>>        
>>>> I just checked out the requirements document for 2.0 again and I see
>>>> that the policy and audit sections indicate that those requirements
>>>> have
>>>> been dropped. I didn't see anything on this list about that, although I
>>>> admit I haven't had time to follow that closely.
>>>>
>>>> Can anyone comment on why these have been dropped, and what would
>>>> replace that functionality? One area of specific concern would be the
>>>> removal of 1.3.8, "Integrate machine into the existing network by
>>>> downloading and applying policies related to the machine (network
>>>> settings, policy, printers)"...
>>>>
>>>> Thanks all.
>>>>
>>>>
>>>>          
>>> You could try Puppet (http://puppet.reductivelabs.com/), which provides
>>> most of the functionality IPA v2 was originally going to provide.
>>>
>>>
>>>        
>>
>> I was just curious as to the reasoning behind the change. I'm not
>> really that upset about it or anything, except for the configuration
>> download part. That was something that I was really looking forward
>> to. It was just a little bit of a shock to see that on the site
>> without seeing anything about it here first.
>>
>> And as for Puppet, I just can't bring myself to install Ruby on my
>> servers and give up the extra RAM that it needs. They are all tuned
>> VM's that use just enough resources. Perhaps I am succumbing to FUD,
>> but it's not worth it at this point. Maybe this change in direction
>> with FreeI will change that.
>>
>> Well, I suppose now we need to change the name to FreeI, since the PA
>> are gone :).
>>      
> This change happened quite some time ago.
> And as far as I recall there have been an announcement about it.
> We can dig archives but I remember writing about it.
>    

Works for me.  It must have been before I joined the ML and I just 
checked the website again.
> Also the web site has been updated several months ago to reflect the
> reality.
> The IPA is still IPA though. We are not going to change the name.
> The goal is ambitious but still doable.
> But the change of course is that for policy management we should not
> invent the wheel but rather integrate with one of the exiting
> system/configuration management solutions. And when time comes we will
> look in this.
>    

I 100% agree that there are lots of tools out there to do this job, and 
it doesn't make sense to re-invent the wheel.
> The same with the audit. The problem of audit needs to be solved with
> the open source solution eventually but currently this space is very
> crowded and we have not enough resources to solve I, P&  A at the same
> time. We realized that it is not realistic and decided to focus on I and
> make it right. There is plenty of work in this area that would be more
> interesting for everybody than trying to build audit. I am talking about
> cross domain trusts, key management, user authentication with the smart
> cards and other features that land on the I side.
>
>
>    
I hear the lack of resources as well.  It makes complete sense that the 
resources that we have are allocated into making the most important part 
of the package (the "I") work right.  I can do the "P" and the "A" right 
now separately.

Perhaps it makes sense to use rsyslog/rsyslogd for the logging, along 
with some tools like CFt/Func for the "P" and "A" (you know, the 
fantastic Red Hat ET suite +rsyslog) to start with.

Would it be of interest to the group for me to do a little leg work on a 
proposal for gathering all these tools together in a cohesive suite?  I 
still owe some documentation work on v2, but I've been busy with the 
"project that just wont die".

Thanks for your response and your hard work.




More information about the Freeipa-users mailing list