On 03/18/2016 10:47 AM, Martin Babinsky wrote:
> On 03/18/2016 10:21 AM, Martin Kosek wrote:
>> On 03/17/2016 06:16 PM, Martin Babinsky wrote:
>>> Hi list,
>>> here is a link (http://www.freeipa.org/page/V4/Server_Roles) to WIP design
>>> document concerning the concept of Server Roles as a user-friendly abstraction
>>> of the services running on IPA masters.
>>> The main aim of this feature is to provide a higher level interface to query
>>> and manipulate service-related information stored in dirsrv backend.
>>> I have not touched the design much from the post-Devconf session, mainly
>>> because there are some points to clarify and agree upon.
>> Initial thoughts:
>> * Use Cases: these are rather vague points what you want to implement. In Use
>> Case section, I would like to see what specific *user* use cases you are
>> addressing, i.e. what user problems you are solving. Ideally in a form of a
>> user story. Like here:
>> http://www.freeipa.org/page/V4/User_Life-Cycle_Management#Use_Cases
>> or here:
>> http://www.freeipa.org/page/V4/Authentication_Indicators#Use_Cases
>> or here:
>> http://www.freeipa.org/page/V4/External_trust_to_AD#Use_Cases
> Ok I will think of some clearer points.
>>> I have the following points to discuss:
>>> 1.) the design assumes that there is a distinction between roles such as DNS
>>> server, CA, etc. and the more specific sub-roles such as DNSSec key master, CRL
>>> master, etc. Now in hindsight I think this distinction is quite artificial
>>> and just clutters the interface unnecessarily. We might implement this kind of
>>> hierarchy in the code itself but that is something the user need not be
>>> aware of.
>> Well, there are dependencies. A server cannot be a CRL master without also
>> being a CA role. I assume same applies to DNSSEC master.
>> I think we need to think more about distinguishing what is role, what is just
>> an attribute of a role, etc. AD for example distinguishes roles, role service
>> and features:
>> https://technet.microsoft.com/en-us/library/cc754923.aspx
> We will have to implement the role/subrole/unicorn hierarchy anyhow. What I
> would like to discuss is whether it is necessary to expose this hierarchy to
> the users. Consider a case when a user wants to find which server is a CA renewal
> master:
> ipa server-role-find "CA renewal master"
> vs.
> ipa server-role-find --subrole "Renewal master"
> Behind the scenes, the code has to do the same thing (e.g. issue a search using
> (&(cn=CA)(ipaConfigString=enabledService)(ipaConfigString=caRenewalMaster))),
> but the UX is a bit different.

Well, even the LDAP structure is different in this case. CA role is an object
in cn=masters, caRenewalMaster is its property. So they will likely be
different user objects too.

For your example, I can imagine a search like that:

$ ipa server-role-find "CA" --subrole "renewal-master"

(for the case when you have "DNS" role also with "renewal-master" sub-role).
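To make the role/sub-role distinction discussed in this thread concrete, here is an added example (not FreeIPA code, and not part of the original mail) that models a small constructed cn=masters subtree in memory, evaluates the kind of filter quoted above, `(&(cn=CA)(ipaConfigString=enabledService)(ipaConfigString=caRenewalMaster))`, and shows how a command like `ipa server-role-find "CA" --subrole "renewal-master"` could be mapped onto it. The hostnames, the `dnsKeyMasterExample` config string, the `SUBROLES` name mapping and the `find_role_servers` function are assumptions made for the example; the only values taken from the thread are `cn=masters`, `enabledService` and `caRenewalMaster`. It also shows why the filter carries `enabledService`: a server whose CA entry merely holds the `caRenewalMaster` property but is not an enabled CA must not be reported, which is the dependency mentioned above (no CRL/renewal master without the CA role).

```python
"""Added example: mapping a role/sub-role query onto an LDAP filter over a
constructed copy of the cn=masters subtree. Not FreeIPA's implementation."""
import re
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]

# Constructed sample entries shaped like cn=<role>,cn=<server>,cn=masters,...
# Hostnames and the "dnsKeyMasterExample" string are made up for this example.
MASTERS: Dict[str, Entry] = {
    "cn=CA,cn=ipa1.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test": {
        "cn": ["CA"], "ipaConfigString": ["enabledService", "caRenewalMaster"]},
    "cn=CA,cn=ipa2.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test": {
        "cn": ["CA"], "ipaConfigString": ["enabledService"]},
    # CA configured but not enabled: the property alone must not make it a master.
    "cn=CA,cn=ipa3.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test": {
        "cn": ["CA"], "ipaConfigString": ["caRenewalMaster"]},
    "cn=DNS,cn=ipa2.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test": {
        "cn": ["DNS"], "ipaConfigString": ["enabledService", "dnsKeyMasterExample"]},
}


def parse_filter(text: str, pos: int = 0) -> Tuple[tuple, int]:
    """Parse a subset of RFC 4515 filters: (&...), (|...), (!...), (attr=value).
    Returns (node, position after the closing paren). No wildcards/escapes."""
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    op = text[pos]
    if op in "&|":
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        return (op, children), pos + 1
    if op == "!":
        child, pos = parse_filter(text, pos + 1)
        if text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        return ("!", [child]), pos + 1
    end = text.index(")", pos)
    attr, sep, value = text[pos:end].partition("=")
    if not sep or not attr:
        raise ValueError("unsupported assertion %r" % text[pos:end])
    return ("=", (attr, value)), end + 1


def matches(node: tuple, entry: Entry) -> bool:
    """Evaluate a parsed filter against one entry (case-insensitive compare)."""
    kind, payload = node
    if kind == "=":
        attr, wanted = payload
        values = [v for a, vs in entry.items() if a.lower() == attr.lower() for v in vs]
        return any(v.lower() == wanted.lower() for v in values)
    if kind == "&":
        return all(matches(c, entry) for c in payload)
    if kind == "|":
        return any(matches(c, entry) for c in payload)
    return not matches(payload[0], entry)  # "!"


def ldap_search(filter_text: str, tree: Dict[str, Entry] = MASTERS) -> List[str]:
    """Return the DNs in the sample tree matching the whole filter string."""
    root, end = parse_filter(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing text after filter")
    return sorted(dn for dn, entry in tree.items() if matches(root, entry))


def server_of(dn: str) -> str:
    """cn=<role>,cn=<server>,cn=masters,... -> <server>."""
    return dn.split(",")[1].split("=", 1)[1]


# Assumed mapping from CLI sub-role names to ipaConfigString values.
SUBROLES = {"renewal-master": "caRenewalMaster"}
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+")


def find_role_servers(role: str, subrole: Optional[str] = None) -> List[str]:
    """Servers on which <role> is enabled and, if given, which hold <subrole>.
    Names are validated before being placed into the filter so that user input
    cannot alter the filter's structure."""
    config_string = SUBROLES.get(subrole, subrole) if subrole else None
    for name in (role, config_string):
        if name is not None and not SAFE_NAME.fullmatch(name):
            raise ValueError("invalid role name %r" % name)
    clauses = ["(cn=%s)" % role, "(ipaConfigString=enabledService)"]
    if config_string:
        clauses.append("(ipaConfigString=%s)" % config_string)
    return sorted(server_of(dn) for dn in ldap_search("(&%s)" % "".join(clauses)))


if __name__ == "__main__":
    print(find_role_servers("CA", "renewal-master"))
    print(find_role_servers("CA"))
```

Run as a script it lists the renewal master and then every enabled CA; ipa3, which carries the property without the enabled role, appears in neither list.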

