On 02/25/2013 06:09 AM, Martin Kosek wrote:
On 02/25/2013 01:44 PM, Petr Viktorin wrote:
On 02/22/2013 09:19 PM, Rob Crittenden wrote:
Design to allow one to recover DNA ranges when deleting a replica or
just for normal range management.

http://freeipa.org/page/V3/Recover_DNA_Ranges

Supporting ticket https://fedorahosted.org/freeipa/ticket/3321

rob
I wonder if it would be possible to have more on-deck ranges. Could
dnaNextRange be multi-valued, and when the low-water mark is hit the plugin
would pick one of them?

Not at the moment, this is a single valued attribute type:

attributetypes: ( 2.16.840.1.113730.3.1.2129 NAME 'dnaNextRange' DESC 'DNA ran
  ge of values to get from replica' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE
  -VALUE X-ORIGIN '389 Directory Server' )

But it is a good question for 389-ds guys, it would be a good extension to the
DNA plugin and would prevent us from not-losing the range when there is no
master with empty dnaNextRange. But maybe there is a strong reason why this was
made single value...

If you make it multi-valued, then you probably want to have some sort of ordering to the values . . .



As for the RFE, I have a few comments/questions for Rob:

1) I would expand the "Setting the on-deck range" section and add information
on what we should do when the remote master is not accessible (this would result
only in a warning probably).


2) We may want to make sure that the removed replica is readonly before we copy
the range (just to be sure that we do not miss some value due to a race condition).


3) In "Enhancing ipa-replica-manage":

What does "ipa-replica-manage dnarange-set masterA.example.com 250-499" exactly
do? I thought that it would just overwrite the active range, but based on the next
"ipa-replica-manage dnanextrange-show" example, it moved the currently active
range of masterA.example.com to the on-deck range. Do we want to do that?


4) What does "NOTE: We will need to be clear that this range has nothing to do
with Trust ranges." actually mean? AFAIU, IPA should have all local ranges
covered with a local "idrange" range(s).

If it does not have it covered, it could happen that for example a new trust
would overlap with this user-defined local range and we would have colliding
POSIX IDs...

IMO, dnarange-set and dnanextrange-set should first check if the range is
covered by some local idrange and only then allow setting the new range.

Martin
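
The check proposed in point 4, as an added example that is not part of the original thread and is not FreeIPA code: a requested DNA range is accepted only when local idranges cover all of it. It goes one step further and also reports overlap with an existing trust range. The function names, the (base_id, size) model of an idrange and the sample values are assumptions made for the illustration.

```python
# Added illustration: hypothetical helpers, not FreeIPA code.
# An idrange is modelled as (base_id, size), covering base_id .. base_id+size-1.

def parse_dna_range(text):
    """Parse the 'LOW-HIGH' form used in the dnarange-set example."""
    low, sep, high = text.partition("-")
    if not sep or not low.strip().isdigit() or not high.strip().isdigit():
        raise ValueError("expected LOW-HIGH, got %r" % text)
    low, high = int(low), int(high)
    if low > high:
        raise ValueError("range start %d is above range end %d" % (low, high))
    return low, high

def uncovered_gaps(low, high, local_ranges):
    """Return the sub-ranges of [low, high] that no local idrange covers."""
    gaps, cursor = [], low
    for base, size in sorted(local_ranges):
        end = base + size - 1
        if end < cursor:          # idrange lies entirely below what is left
            continue
        if base > high:           # idrange lies entirely above the request
            break
        if base > cursor:         # hole between the covered part and this idrange
            gaps.append((cursor, base - 1))
        cursor = end + 1
    if cursor <= high:
        gaps.append((cursor, high))
    return gaps

def validate_dna_range(text, local_ranges, trust_ranges):
    """Return a list of problems; an empty list means the range may be set."""
    low, high = parse_dna_range(text)
    problems = ["IDs %d-%d are not covered by a local idrange" % gap
                for gap in uncovered_gaps(low, high, local_ranges)]
    for base, size in trust_ranges:
        if base <= high and base + size - 1 >= low:
            problems.append("overlaps trust range %d-%d" % (base, base + size - 1))
    return problems

# Constructed sample data, not taken from a real deployment.
LOCAL = [(1, 300), (301, 100)]        # local idranges cover IDs 1-400
TRUST = [(450, 1000)]                 # one trust range, IDs 450-1449

if __name__ == "__main__":
    for spec in ("250-399", "250-499"):
        print(spec, validate_dna_range(spec, LOCAL, TRUST) or "ok")
```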