>> Hi list,
>> here is a link (http://www.freeipa.org/page/V4/Server_Roles) to WIP
>> design document concerning the concept of Server Roles as a
>> user-friendly abstraction of the services running on IPA masters.
>> The main aim of this feature is to provide a higher level interface to
>> query and manipulate service-related information stored in dirsrv backend.
>> I have not touched the design much from the post-Devconf session, mainly
>> because there are some points to clarify and agree upon.
>> I have the following points to discuss:
>> 1.) the design assumes that there is a distinction between roles such as
>> DNS server, CA, etc. and the more specific sub-roles such as DNSSec key
>> master, CRL master, etc. Now in hindsight I think this distinction
>> is quite artificial and just clutters the interface unnecessarily. We
>> might implement this kind of hierarchy in the code itself but that is
>> something the user need not be aware of.
>> 2.) I guess the role names should be case insensitive so that users are
>> not hindered by trying to get the case right.
>> 3.) Do we need an internal API call which will add all services
>> belonging to a role to the corresponding master entry? (basically a
>> 'server_add_role' type of command). Currently, each service instance
>> adds its own service entry during service installation so we probably do
>> not need to duplicate this functionality.
>> That is all I can think of right now. I had many more questions popping
>> up during this night's bout of insomnia, but they got lost during the day.
>> Do not be afraid to bring up other questions/remarks/comments. This is
>> my first design document so I expect them to be plenty.
> Hi list,
> We had a discussion with Petr Spacek and Jan Cholasta about the possible
> utilization of server role implementation for the generation of location
> specific DNAME records.[1]
> The thing that would make Petr's life a bit easier is a plugin that would
> associate a certain role with a set of DNS RRs and would be able to spew out
> configured RRs for all masters on which the role is enabled.
> For example, for the implicit "IPA Master" role we would spit out all
> configured LDAP/Kerberos/Kpasswd SRV records.
> I have updated the design[2] to include CLI commands that will do this job,
> although I think it would be enough to just have them in API and to not expose
> them on the command line. Let me know what you think.

I agree. Even a user-visible API can be too much. Can we make this a purely
internal interface?

> [1] http://www.freeipa.org/page/V4/DNS_Location_Mechanism
> [2] http://www.freeipa.org/page/V4/Server_Roles

Petr^2 Spacek

