[Pki-devel] replication of new/modified profiles
Christina Fu
cfu at redhat.com
Thu Jul 3 16:18:59 UTC 2014
Actually, I did not know that this discussion was restricted to a
replicated ("clone") environment. My view was more for a general
organizational environment where there are multiple sub-ca's for
different departments (which are not necessarily clones, but some could
be) and there are two types of profiles:
1. centralized profiles (shared by all)
2. local profiles (customized by each department)
I think this view (let's adopt your term and call it proposal #4) is
more flexible in serving both non-clones and clones and yet retains the
simplicity.
You are right, Endi, about how "local profiles" don't necessarily have
to be on the disk. It's just a personal preference that I feel most
comfortable editing files directly than using ui's. I have never used
the java console to edit profiles. I don't know if there are others who
feel the same way. Maybe a market research on administrators is needed
here.
a few more comments in-line below...
On 07/02/2014 07:51 PM, Endi Sukma Dewata wrote:
> On 7/2/2014 1:09 PM, Christina Fu wrote:
>> In general, I think we all agree that putting profiles on ldap is a
>> good idea. However, in practice, I think we want to allow admins to
>> make changes to local files as they see fit.
>> Please see my in-line response below.
>
> This is probably something that the admins will have to adapt
> eventually. I think in a replicated environment we shouldn't treat
> each server as unique individuals with "local" settings in files
> (including profiles). From user's perspective all replicas should be
> (mostly) identical. An admin, agent, or end entity should be able to
> go to any replica and get the same services, see the same data, etc.
> For this to work consistently, we want to minimize possible
> misconfiguration, so the number of local files should be minimized.
> The configuration (including profiles) should gradually be moved to
> LDAP, and the CLI/UI will be the primary way to manage the configuration.
again, what I had in mind was a bunch of departments under the same
organization where they might want to share some but customize some.
>
> To help the transition, CLI like proposed by Fraser could provide the
> experience of editing a local file but it's actually stored on LDAP.
> Also in the future the UI could provide an intuitive interface to
> manage the profiles, so the admins will no longer need to memorize the
> syntax of profile configuration file.
Yes to the CLI's and UI's.
>
>> Perhaps we can view files v.s. ldap as "localized" v.s. "centralized"
>> instead of "system" v.s. "customized".
>> Again, the benefit of putting profiles in ldap is so that it can be
>> configured once and utilized by many.
>> My comments below are based on such view.
>
> Let's call this proposal #4: Localized & centralized profiles. If I
> understand this correctly, as an example server1 may have local
> profile1 and profile2, server2 may have local profile1 and profile3,
> then we have centralized LDAP profile1 and profile4. The profile1 in
> server1, server2, and LDAP can be completely different although they
> share the same name.
Yes.
>
>>> 1. Continue to provide the system profiles in files. These files will
>>> be parsed and stored in LDAP when an instance is created.
>
>> if the ldap copies are the "centralized" ones, then we don't want to
>> override them at each installation of an instance. We could give admins
>> an option to override what's stored in ldap during configuration.
>
> I think the process to import the system profiles into LDAP should be
> done only once regardless of the number of replicas. Otherwise,
> suppose we removed one of the centralized profile (e.g. profile1), it
> might get added again when we install another replica.
With proper access control in place, we should allow admins to do what
they want to do in a reasonably convenient way.
>
>> When a profile with the same id exists in both ldap and local system,
>> then by default the one on ldap takes precedence. Although we could add
>> "per profile" config param for each instance to change the view
>> (remember the unix ns/yp config where you can set the order of the
>> source? so if "file" is 1st in the order, then the local ones have
>> priority, etc.)
>
> I don't have a lot of experience as system admin, but I think managing
> individual machines is difficult so NIS (or LDAP, NFS, DNS, etc.) is
> used to transition to a centrally managed system. The order of sources
> is set up such that eventually everything can be moved into a single
> source. For example, once we have NIS, we add new users in NIS instead
> of locally on each machine (unless absolutely necessary) even if a
> user might use a specific machine only.
again, I wasn't thinking of a strictly cloned environment.
>
>> With this, a site that has carefully crafted their profiles and stored
>> in ldap to share among all ca instances don't have to bother changing
>> anything for each ca instance created (because they are default to the
>> ldap).
>> Upgrade will also not affect the ldap copies inadvertently.
>
>>> 2. All profiles for an instance should live in LDAP. This makes it
>>> simple - no need to check to see if a profile is in LDAP or files or
>>> both, and which has priority etc. Tools will be provided to manage/
>>> create/delete profiles etc.
>
>> It might be simple, but we need to think about what's the value of them
>> existing in ldap and not being shared by others.
>
> What is the use case for having local profiles that will not or cannot
> be shared with other replicas? If sharing the profile doesn't pose any
> problem we might as well store "local" profiles in LDAP so they can be
> handled more consistently.
again, I wasn't thinking of a strictly cloned environment.
>
>>> 3. Updates to system profile files will not affect the existing LDAP
>>> profiles. We can provide update scripts or manual instructions for
>>> admins to run when they opt to do so. This will be for behavioral
>>> changes.
>
>> so, in the view I specified above, update to the "local" profiles will
>> only affect the instance where they exist, however, we can allow option
>> for admins to "publish" to ldap.
>
> The problem with local profiles in files is that they are not
> replicated, so in case the machine is hosed, all local settings is
> gone, including the profiles. Unless the admin created a backup for
> each machine, it will be difficult to restore the machine quickly. The
> replicated LDAP profiles will take care of this problem automatically.
> In other proposals the system profiles in files are read-only and not
> customizable, so there's no local profiles that need to be backed up.
>
If they don't do backups, losing profiles would not be their only issue
there. But anyway, like I said above, I think putting "local" profiles
in the lda is fine. It's just the user experience of administration
that has to change. I have no opinion on this other than stating my
personal preference of editing files directly ;-)
More information about the Pki-devel
mailing list