[Freeipa-users] Auto membership plugin

Dmitri Pal dpal at redhat.com
Mon Apr 11 17:25:10 UTC 2011


On 04/11/2011 11:27 AM, Nathan Kinder wrote:
> On 04/08/2011 09:07 AM, Dmitri Pal wrote:
>> On 04/08/2011 11:49 AM, JR Aquino wrote:
>>> Is there any way to capture a description associated with the regex
>>> ->  group mapping?
>>>
>>> I was thinking that after time, it would be important to look back
>>> on rules and know why they were put there.
>>>
>>> Particularly in the case of regex, since it may not be completely
>>> obvious by looking back at alphabet soup.
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>>
>> The more I think about current design the more I want to normalize
>> things.
>> I would rather instead of:
>>
>> dn: cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config
>> objectclass: autoMemberDefinition
>> autoMemberScope: dc=example,dc=com
>> autoMemberFilter: objectclass=ipaHost
>> autoMemberExclusiveRegex: cn=webservers,cn=hostgroups,dc=example,dc=com:fqdn=^www5\.example\.com
>> autoMemberInclusiveRegex: cn=webservers,cn=hostgroups,dc=example,dc=com:fqdn=^www[1-9]+\.example\.com
>> autoMemberInclusiveRegex: cn=webservers,cn=hostgroups,dc=example,dc=com:fqdn=^web[1-9]+\.example\.com
>> autoMemberInclusiveRegex: cn=mailservers,cn=hostgroups,dc=example,dc=com:fqdn=^mail[1-9]+\.example\.com
>> autoMemberDefaultGroup: cn=orphans,cn=hostgroups,dc=example,dc=com
>> autoMemberGroupingAttr: member:dn
>>
>>
>> Have something like:
>>
>> dn: cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config
>> objectclass: autoMemberDefinition
>> objectclass: cnContainer
>> autoMemberScope: dc=example,dc=com
>> autoMemberFilter: objectclass=ipaHost
>> autoMemberRegexRule: cn=Webserver Inclusion Rule,cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config
>> autoMemberRegexRule: cn=Mailserver Inclusion Rule,cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config
>> autoMemberRegexRule: cn=Desktop exclusion Rule,cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config
>> autoMemberDefaultGroup: cn=orphans,cn=hostgroups,dc=example,dc=com
>> autoMemberGroupingAttr: member:dn
>>
>>
>> dn: cn=Webserver Inclusion Rule,cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config
>> objectclass: autoMemberDefinitionRegexRule
>> cn: Webserver Inclusion Rule
>> description: Rule contains regular expression to include webserver hosts into the webserver group.
>> include: yes   <- include or exclude
>> memberGroup: cn=webservers,cn=hostgroups,dc=example,dc=com
>> attributeToMatch: fqdn
>> expressionToMatch: ^www[1-9]+\.example\.com
>>
>>
>> Or something along those lines...
> It's a nice logical layout, but it would be hard for an administrator
> to figure out what exactly would happen if they were to add a host
> with a specific hostname.  Since the config is spread over so many
> entries, one would have to look at the top level config entry to find
> each rule DN, fetch each rule DN to look at the regexes.  All of the
> information is so spread out that you can't just look in one place to
> see the rules that will be used.  This could make things difficult
> from a troubleshooting perspective.

This should not be viewed in raw. The UI and CLI should come to the rescue.
I am not sure that this is a right approach to mix readability and
normalization.
To follow this logic no-one would ever normalize data in any DB due to
the claim that it would be hard to join tables. 

>
> The description issue is a tough one to deal with if we have the
> config in the form that is currently described in the design doc. 
> Since we want a description per regex rule, we should need to make the
> description be a part of the regex rule value instead of a separate
> description attribute.  I don't necessarily like this approach, as the
> readability of the config will not be nice.
>

I think this tips the scale towards the approach I proposed.



-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
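
Added example, not part of the original message and not FreeIPA or 389 DS code: a sketch of the kind of "what happens to this host" lookup a UI or CLI could provide over per-rule entries that carry their own description. The record keys, rule names and descriptions are constructed for illustration, and the precedence (exclusion vetoes inclusion, default group only when nothing is left) is an assumption, since the thread does not state it.

```python
import re

# Constructed rule records in the normalized shape sketched in the message:
# one record per regex rule, each carrying its own description. Regexes and
# group DNs come from the flat example; names and descriptions are made up.
BASE = "cn=hostgroups,dc=example,dc=com"
DEFAULT_GROUP = "cn=orphans," + BASE
RULES = [
    {"cn": "Webserver Inclusion Rule (www)", "include": True, "attr": "fqdn",
     "group": "cn=webservers," + BASE, "regex": r"^www[1-9]+\.example\.com",
     "description": "numbered www hosts serve the public site"},
    {"cn": "Webserver Inclusion Rule (web)", "include": True, "attr": "fqdn",
     "group": "cn=webservers," + BASE, "regex": r"^web[1-9]+\.example\.com",
     "description": "numbered web hosts serve internal sites"},
    {"cn": "Mailserver Inclusion Rule", "include": True, "attr": "fqdn",
     "group": "cn=mailservers," + BASE, "regex": r"^mail[1-9]+\.example\.com",
     "description": "numbered mail hosts are MTAs"},
    {"cn": "www5 Exclusion Rule", "include": False, "attr": "fqdn",
     "group": "cn=webservers," + BASE, "regex": r"^www5\.example\.com",
     "description": "www5 is a staging box, keep it out of webservers"},
]


def explain(entry, rules=RULES, default_group=DEFAULT_GROUP):
    """Return (groups, trace) for a host entry given as {attribute: value}.

    Assumed semantics (the thread does not state them): a matching exclusion
    rule vetoes its group even when an inclusion rule also matches, and the
    default group applies only when no group is left.
    """
    included, excluded, trace = set(), set(), []
    for rule in rules:
        if re.search(rule["regex"], entry.get(rule["attr"], "")):
            verb = "include" if rule["include"] else "exclude"
            (included if rule["include"] else excluded).add(rule["group"])
            trace.append(f'{verb} {rule["group"]} <- {rule["cn"]}: {rule["description"]}')
    groups = sorted(included - excluded)
    if not groups:
        groups = [default_group]
        trace.append(f"default {default_group} <- no group left after rules")
    return groups, trace


if __name__ == "__main__":
    for fqdn in ("www3.example.com", "www5.example.com", "www10.example.com"):
        groups, trace = explain({"fqdn": fqdn})
        print(fqdn, "->", groups)
        for line in trace:
            print("    " + line)
```

The trace names every rule that fired together with its description, so the answer for one hostname is readable in one place even though the rules live in separate entries; www10.example.com, for instance, falls through to the default group because `[1-9]+` does not admit a 0.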

