On 03/18/2016 10:47 AM, Martin Babinsky wrote: > On 03/18/2016 10:21 AM, Martin Kosek wrote: >> On 03/17/2016 06:16 PM, Martin Babinsky wrote: >>> Hi list, >>> >>> here is a link (http://www.freeipa.org/page/V4/Server_Roles) to WIP design >>> document concerning the concept of Server Roles as a user-friendly >>> abstraction >>> of the services running on IPA masters. >>> >>> The main aim of this feature is to provide a higher level interface to query >>> and manipulate service-related information stored in dirsrv backend. >>> >>> I have not touched the design much from the post-Devconf session, mainly >>> because there are some points to clarify and agree upon. >> >> Initial thoughts: >> >> * Use Cases: these are rather vague points what you want to implement. In Use >> Case section, I would like to see what specific *user* use cases you are >> addressing, i.e. what user problems you are solving. Ideally in a form of a >> user story. Like here: >> >> http://www.freeipa.org/page/V4/User_Life-Cycle_Management#Use_Cases >> or here: >> http://www.freeipa.org/page/V4/Authentication_Indicators#Use_Cases >> or here: >> http://www.freeipa.org/page/V4/External_trust_to_AD#Use_Cases >> > Ok I will thing of some clearer points. > >>> I have the following points to discuss: >>> >>> 1.) the design assumes that there is a distinction between roles such as DNS >>> server, CA, etc. and the more specific sub-roles such as DNSSec key master, >>> CRL >>> master, etc. Now in the hindsight I think this distinction is quite >>> artificial >>> and just clutters the interface unnecessarily. We might implement this kind >>> of >>> hierarchy in the code itself but that is something the user needs not be >>> aware of. >> >> Well, there are dependencies. A server cannot be a CRL master without also >> being a CA role. I assume same applies to DNSSEC master. >> >> I think we need to think more about distinguishing what is role, what is just >> an attribute of a role, etc. AD for example distinguishes roles, role service >> and features: >> >> https://technet.microsoft.com/en-us/library/cc754923.aspx >> > We will have to implement the role/subrole/unicorn hierarchy anyhow. What I > would like to discuss is whether it is necessary to expose this hierarchy to > the users. Consider a case when user wants to find which server is a CA > renewal > master: > > ipa server-role-find "CA renewal master" > > vs. > > ipa server-role-find --subrole "Renewal master" > > Behind the scenes, the code has to do the same thing (e.g. issue a search > using > (&(cn=CA)(ipaConfigString=enabledService)(ipaConfigString=caRenewalMaster))), > but the UX is a bit different.
Well, even the LDAP structure is different in this case. CA role is an object in cn=masters, caRenewalMaster is it's property. So they will likely be different user objects too. For your example, I can image a search like that: $ ipa server-role-find "CA" --subrole "renewal-master" (for the case when you have "DNS" role also with "renewal-master" sub-role). Martin -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code