On 24.5.2016 09:26, Alexander Bokovoy wrote:
> On Tue, 24 May 2016, Petr Spacek wrote:
>>>>>> Speaking of certs, should we introduce a aliases for host entries to 
>>>>>> avoid
>>>>>> the
>>>>>> need of fake hosts?
>>>>> These 'fake hosts' are as good as aliases, even better, because they
>>>>> allow us to have full control over who can manage them.
>>>>
>>>> I do not see how this is different from any other object which has 
>>>> managedBy
>>>> attribute. It is not a special property of host.
>>> We have managedBy handling in hosts and services specifically to allow
>>> certificate issuing on behalf of another entity.
>>
>> I'm still not convinced that 'we historically do it this way' is good enough
>> justification for using fake host objects instead of tailored aliases.
> I'm not sure it is good to add that. Note that host objects can be used
> to provide a lot more than just mere aliases:
> - they can have services associated, with both Kerberos keys and
>   certificates
> - they can be used to target HBAC rules against them which will be
>   extremely useful when we'll get Authentication Indicators management
>   in place
> 
> Having "fake" host objects is also crucial for clustered services.

Let me clarify this:
I'm not saying that we should drop host object completely.

I'm saying that 1 host should have exactly 1 host object + 0..n alises
pointing to the host object.

HBAC etc. can be set on the 'canonical' object, of course. Alias simply makes
possible to automate things like 'get certificate will all associated names in
SAN' etc. without manual procedures.

This would make it easy to distinguish what is canonical name and what is mere
alias. That will get handy e.g. when a host is deleted - it would allow us to
delete all aliases with host etc.


Alternative technical approach is to add aliases to an host's attribute and
use it from there. I suspect that this would be less flexible and less
future-proof.

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to