On 03/18/2016 10:21 AM, Martin Kosek wrote:
On 03/17/2016 06:16 PM, Martin Babinsky wrote:
Hi list,

here is a link (http://www.freeipa.org/page/V4/Server_Roles) to WIP design
document concerning the concept of Server Roles as a user-friendly abstraction
of the services running on IPA masters.

The main aim of this feature is to provide a higher level interface to query
and manipulate service-related information stored in dirsrv backend.

I have not touched the design much from the post-Devconf session, mainly
because there are some points to clarify and agree upon.

Initial thoughts:

* Use Cases: these are rather vague points what you want to implement. In Use
Case section, I would like to see what specific *user* use cases you are
addressing, i.e. what user problems you are solving. Ideally in a form of a
user story. Like here:

http://www.freeipa.org/page/V4/User_Life-Cycle_Management#Use_Cases
or here:
http://www.freeipa.org/page/V4/Authentication_Indicators#Use_Cases
or here:
http://www.freeipa.org/page/V4/External_trust_to_AD#Use_Cases

Ok, I will think of some clearer points.

I have the following points to discuss:

1.) the design assumes that there is a distinction between roles such as DNS
server, CA, etc. and the more specific sub-roles such as DNSSec key master, CRL
master, etc. Now in the hindsight I think this distinction is quite artificial
and just clutters the interface unnecessarily. We might implement this kind of
hierarchy in the code itself but that is something the user need not be aware
of.

Well, there are dependencies. A server cannot be a CRL master without also
being a CA role. I assume same applies to DNSSEC master.

I think we need to think more about distinguishing what is role, what is just
an attribute of a role, etc. AD for example distinguishes roles, role service
and features:

https://technet.microsoft.com/en-us/library/cc754923.aspx

We will have to implement the role/subrole/unicorn hierarchy anyhow. What I would like to discuss is whether it is necessary to expose this hierarchy to the users. Consider a case when user wants to find which server is a CA renewal master:

ipa server-role-find "CA renewal master"

vs.

ipa server-role-find --subrole "Renewal master"

Behind the scenes, the code has to do the same thing (e.g. issue a search using (&(cn=CA)(ipaConfigString=enabledService)(ipaConfigString=caRenewalMaster))), but the UX is a bit different.

Martin



--
Martin^3 Babinsky
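
The two command forms discussed above resolving to the same search filter, as an added example that is not part of the original messages and is not FreeIPA code. The catalog layout and the function names are assumptions; only the CA/caRenewalMaster values and the filter shape come from the thread.

```python
# Added illustration, not FreeIPA code. ROLE_CATALOG, resolve() and
# build_filter() are hypothetical; only the CA/caRenewalMaster values and the
# filter shape come from the thread.

# service cn -> {sub-role display name: ipaConfigString marker}
ROLE_CATALOG = {"CA": {"Renewal master": "caRenewalMaster"}}


def escape_filter_value(value):
    """Escape RFC 4515 special characters in a filter assertion value."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def build_filter(service, marker=None):
    """Build the search filter for an enabled service, optionally with a marker."""
    parts = ["(cn=%s)" % escape_filter_value(service),
             "(ipaConfigString=enabledService)"]
    if marker is not None:
        parts.append("(ipaConfigString=%s)" % escape_filter_value(marker))
    return "(&%s)" % "".join(parts)


def resolve(name=None, subrole=None):
    """Map either UX form to (service, marker).

    Flat form:         resolve(name="CA renewal master")
    Hierarchical form: resolve(subrole="Renewal master")
    User text is only compared against the catalog, so it never reaches the
    filter; a sub-role always resolves together with the role it depends on.
    """
    for service, subroles in ROLE_CATALOG.items():
        if name is not None and name.lower() == service.lower():
            return service, None
        for sub, marker in subroles.items():
            flat = "%s %s" % (service, sub)
            if (name is not None and name.lower() == flat.lower()) or \
               (subrole is not None and subrole.lower() == sub.lower()):
                return service, marker
    raise ValueError("unknown role or sub-role: %r" % (name or subrole))


if __name__ == "__main__":
    print(build_filter(*resolve(name="CA renewal master")))
    print(build_filter(*resolve(subrole="Renewal master")))
```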
