On 6.4.2016 16:37, Martin Babinsky wrote:
> On 03/21/2016 09:28 AM, Jan Cholasta wrote:
>> On 17.3.2016 18:16, Martin Babinsky wrote:
>>> Hi list,
>>>
>>> here is a link (http://www.freeipa.org/page/V4/Server_Roles) to WIP
>>> design document concerning the concept of Server Roles as a
>>> user-friendly abstraction of the services running on IPA masters.
>>>
>>> The main aim of this feature is to provide a higher level interface to
>>> query and manipulate service-related information stored in dirsrv
>>> backend.
>>>
>>> I have not touched the design much from the post-Devconf session, mainly
>>> because there are some points to clarify and agree upon.
>>>
>>> I have the following points to discuss:
>>>
>>> 1.) the design assumes that there is a distinction between roles such as
>>> DNS server, CA, etc. and the more specific sub-roles such as DNSSec key
>>> master, CRL master, etc. Now in the hindsight I think this distinction
>>> is quite artificial and just clutters the interface unnecessarily. We
>>> might implement this kind of hierarchy in the code itself but that is
>>> something the user needs not be aware of.
>>
>> These shouldn't be (sub-)roles at all - they are inherently a
>> one-to-many relationship between the logical services and servers,
>> whereas roles are many-to-many relationship between the logical services
>> and servers. I would rather see them exposed in the global service
>> config, such as:
>>
>> $ ipa dnsconfig-mod --sec-master=ipa12.example.com
>> DNSSEC master: ipa12.example.com
>>
>>>
>>> 2.) I guess the role names should be case insensitive so that users are
>>> not hindered by trying to get the case right.
>>
>> +1
>>
>>>
>>> 3.) Do we need an internal API call which will add all services
>>> belonging to a role to the corresponding master entry? (basically a
>>> 'server_add_role' type of command). Currently, each service instance
>>> adds its own service entry during service installation so we probably do
>>> not need to duplicate this functionality.
>>
>> +1, we don't need more duplicate code.
>>
>>>
>>> That is all I can think of right now. I had many more questions popping
>>> up during this night's bout of insomnia, but they got lost during the
>>> day.
>>
>> How are we going to expose the different states of server roles? They
>> can be:
>>
>> a) available/unavailable (the package providing the role was/was not
>> installed on the server)
>> b) configured/unconfigured (the installer for the role was/was not
>> successfully run on the server, LDAP service entries exist)
>> c) enabled/disabled
>>
>> My preference would be to make server-role commands work on top of
>> available services, like this:
>>
>> # ipa server-role-show $HOSTNAME DNS
>> ipa: ERROR: DNS: server role not found
>>
>> # dnf install freeipa-server-dns
>> ...
>>
>> # ipa server-role-show $HOSTNAME DNS
>> Name: DNS
>> Configured: False
>> Enabled: False
>>
>> # ipa-dns-install
>> ...
>>
>> # ipa server-role-show $HOSTNAME DNS
>> Name: DNS
>> Configured: True
>> Enabled: True
>>
>>>
>>> Do not be afraid to bring up other questions/remarks/comments. This is
>>> my first design documents so I expect them to be plenty.
>>
>> The CLI commands are a little bit self-inconsistent, see any other
>> plugin for how the general layout of arguments should look like.
>>
>
> I have updated the design page[1] according to the comments gathered in this
> thread and offline discussion with principal reviewer, e.g. Jan.
>
> Again comments are welcome.
>
> [1] http://www.freeipa.org/page/V4/Server_Roles
Hi,

I wonder if the proposed service list->role and ipaConfigString value->server
attribute mappings will work for DNSSEC key master.

DNS server consists of named-pkcs11 and ipa-dnskeysyncd services. DNSSEC key
master adds opendnssec and ipa-ods-exporter services.

Can this be represented in the described model? I'm not sure.

--
Petr^2 Spacek