Re: [Freeipa-devel] Structured DNS record API proposal - summary

2011-09-23 Thread Martin Kosek 
On Thu, 2011-09-22 at 19:31 -0500, Endi Sukma Dewata wrote:
 On 9/22/2011 7:24 AM, Martin Kosek wrote:
  2) Some DNS records may be pretty large. MX record data is small, but
  for example CERT records have an entire certificate stored in it.
  Wouldn't there be a problem if we place the large DNS record in URL?
 
 This is how the DNS record list page could be redesigned:
 http://edewata.fedorapeople.org/images/dns-record-list-page.png
 
 It should resemble what you see in the zone file. The content can be 
 obtained with a single dnsresource-find operation.
 
 If you click one of the data, it would open a dialog box for that 
 particular record type. We will use the raw data as a primary key to 
 execute the dnsresource-rrtype-show command. Each attribute in this 
 record type will be displayed in separate fields:
 http://edewata.fedorapeople.org/images/dns-record-edit-dialog.png
 
 When you save it will call dnsresource-rrtype-mod and put the values 
 in separate parameters. It will still use the original raw data as 
 primary key, but we don't need to encode the new values into raw data.
 
 If we use a dialog box like this none of the attributes need to be added 
 into the URL. It will be passed internally via variables. If we use a 
 separate edit page (with a unique URL for each record), we might need to 
 specify the entire raw data in the URL, but maybe we can find a 
 workaround for CERT record. I'd prefer to use a dialog box because it 
 can be used for both add and modify.

I am not an UX designer, but I think this should work. Plus, as you
said, we wouldn't have to deal with large DNS records in URL problem.

 
  OPEN QUESTION: should we implement these new commands also for discrete
  DNS records types to be consistent? I mean for example A, , CNAME,
  PTR, ... They would look like
 
  ipa dnsrecord--add --ip-address=IPAddress
 
  BENEFITS of this approach (command per RR type):
  - use can get all help for RR type by simply typing ipa help
  dnsrecord-mx-add
  - we would be able to implement helper methods consistently on one
  place, for example:
  dnsrecord--add --from-mac=00:1D:BA:06:37:64
 
 If we have this for all record types the UI can use a generic code to 
 figure out which command to use. Everything will be in this pattern: 
 dnsrecord-rrtype-add/mod/del primary keys [parameters*]

So far, I didn't plan to implement also -del methods as deleting should
take the raw value as its primary key. dnsrecord-del does that already.
But if we find benefits of -del methods we can implement it.

 
  OPEN QUESTION: should we implement also -find methods
  (dnsrecord-mx-find) so that UI can for example populate text fields for
  all (MX) records for one DNS name?
 
 Depending on the UI design, it might not be needed. But it won't hurt to 
 have one in case the UI changes, for example suppose we want to have 
 separate tabs for each record type.

Lets start just with -show commands and implement -find if it is really
needed. I want to keep the number of DNS commands as small as possible.

 
  4) -mod commands shall be implemented for structured RR types:
  API would be almost the same as with -add commands. User (WebUI) would
  just have to identify which record should be modified:
  a) by copypassing the raw DNS value directly to the command:
 
  dnsrecord-mx-mod example.com @ 1 mx1.example.com. --preference=0
 
 The Web UI will use the JSON-RPC version of this command. As discussed 
 already, the non-interactive mode for CLI will be useful for writing 
 scripts or other applications that will invoke the CLI/API.
 
 Being able to specify the attributes in separate parameters means that 
 the client doesn't have to figure out how to encode the attributes into 
 a single raw data. They will be encoded consistently by the server.

Yes, there shouldn't be problems to script it.

 
  b) (CLI only) by using an interactive wizard that would let user choose
  the modified record like this way:
 
  dnsrecord-mx-mod example.com @ --preference=0
  Which record would you like to change?
  [1] 1 mx1.example.com.
  [2] 10 mx2.example.com.
  DNS record:user enters the number
 
 The interactive mode will be useful for people who have to use 
 text-based terminal.
 

Yep.

Thanks,
Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] Structured DNS record API proposal - summary

2011-09-23 Thread Martin Kosek 
On Thu, 2011-09-22 at 22:05 -0400, Adam Young wrote:
 On 09/22/2011 08:31 PM, Endi Sukma Dewata wrote:
  OPEN QUESTION: should we implement these new commands also for discrete
  DNS records types to be consistent? I mean for example A, , CNAME,
  PTR, ... They would look like
 
  ipa dnsrecord--add --ip-address=IPAddress
 
  BENEFITS of this approach (command per RR type):
  - use can get all help for RR type by simply typing ipa help
  dnsrecord-mx-add
  - we would be able to implement helper methods consistently on one
  place, for example:
  dnsrecord--add --from-mac=00:1D:BA:06:37:64
 
  If we have this for all record types the UI can use a generic code to 
  figure out which command to use. Everything will be in this pattern: 
  dnsrecord-rrtype-add/mod/del primary keys [parameters*]
 
 We won't have it for all types, so we will need a map.  Most  will use 
 the old API, and a few will use the pattern above

I think to make this all as consistent as possible, new API shall be
implemented for all types (except unsupported and DNSSEC ones). Rob did
agree with this approach too.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] Structured DNS record API proposal

2011-09-23 Thread Jakub Hrozek 
On Thu, Sep 22, 2011 at 09:59:01PM -0400, Dmitri Pal wrote:
 On 09/22/2011 03:37 AM, Jakub Hrozek wrote:
  On Thu, Sep 22, 2011 at 08:25:01AM +0200, Jan Cholasta wrote:
  On 21.9.2011 23:55, Dmitri Pal wrote:
  On 09/21/2011 10:27 AM, Adam Young wrote:
  On 09/20/2011 11:11 AM, Martin Kosek wrote:
  On Tue, 2011-09-20 at 10:02 -0400, Adam Young wrote:
  This discussion got me thinking, always a dangerous proposal:
 
  We are currently exposing record add with the lie  that  when you add a
  record, it has a type.  THe reality is that a record is just this big
  collection of multi value attributes, and each of those  is the type
  of the record.
  The way I see it is that we have different types of Resource Records
  with a (domain) name that can be shared.
 
  If all of the 'records'  have the same idnsname, then they really fall
  under the same Record object in LDAP.
  Yes.
 
  What if we focuses on the attribtutes themselves, and add the type info
  there.
  I thought we do this already.
 
  Pie in the sky proposal.   Treat it as a starting point:
 
From the webui perspective
  dnsrecord-add   allows the case where it just has the the idnsname with
  no records
 
  dnsrecordattr-mod  takes record type specific values.
 
  To add a location entry:
 
  ipa dnsrecordattr-mod --append location --lat-deg=INT --lat-min=INT
  --lat-sec=FLOAT --lat-dir=ENUM --lon-deg=INT --lon-min=INT
  --lon-sec=FLOAT --lon-dir=ENUM --alt=FLOAT --h-precision=FLOAT
  --v-precision=FLOAT
 
 
  And to remove it
 
  ipa dnsrecordattr-mod --remove location --lat-deg=INT --lat-min=INT
  --lat-sec=FLOAT --lat-dir=ENUM --lon-deg=INT --lon-min=INT
  --lon-sec=FLOAT --lon-dir=ENUM --alt=FLOAT --h-precision=FLOAT
  --v-precision=FLOAT
  So if user would want to remove a LOC record, he would have to pass all
  these attributes to refer which attribute value to remove?
  I think that is the case anyway.  Since a DNS record is really just an
  multivalue attribute,   you would now have to do  a dns-record-mod
  with the list of all LOC records that you don't want to delete.  I
  used this as an example because it is the most complex case.
 
  Just thinking it through...I'm not certain I like the one command per
  record type  as it changes a lot of other assumptions.  DNS is a
  wierd beast already.
 
  I've spent a lot of time on the DNS ui, and it is pretty tricky  to
  get right.  I'm trying to balance the PI against efficient usage.
 
  What we really need for the fields is a way to specify the format for
  a given field, much like the format strings used for group names.  For
  example, the LOC  record  is really
 
  owner   TTL   class   LOC d1 [m1 [s1]] {N|S}  d2 [m2 [s2]]
  {E|W}
alt[m] [siz[m] [hp[m] [vp[m
 
 
  And all the WebUI needs is a way to specify that format  to validate.
 
  Can we use augeas for this?
  Augeas lenses use this kind of the validation and there is python
  binding so may be we should use augeas as an inspiration or ask for an
  augeas Javascript solution?
  We can't. Augeas knows how to manipulate config files and only that,
  there is no API for anything else.
 
  Some time ago I wrote a patch to extend Augeas to operate on arbitrary
  strings. I never had time to push it upstream, but I think I still have
  is somewhere.
 
  Not sure if this approach would help us anyway, we would still have to
  wait until this feature made it to RHEL and solve the JS bindings as
  well
 
 
 Yes I was thinking about this path at least as an inspiration.
 

OK, I've dug up and attached the patch.

Obviously it doesn't apply upstream anymore, but it is still a very good
starting point if someone wants to tackle this problem.
From 191110b81376f831b211e34f491a379d69c79cb0 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek jhro...@redhat.com
Date: Wed, 25 Mar 2009 17:04:54 +0100
Subject: [PATCH] aug_lens_get

---
 src/augeas.c   |   29 +++
 src/augeas.h   |   20 
 src/augeas_sym.version |1 +
 src/augtool.c  |   16 ++
 src/internal.h |8 +++
 src/transform.c|  121 +--
 src/transform.h|4 ++
 7 files changed, 173 insertions(+), 26 deletions(-)

diff --git a/src/augeas.c b/src/augeas.c
index 192a79a..291906e 100644
--- a/src/augeas.c
+++ b/src/augeas.c
@@ -978,6 +978,35 @@ int aug_print(const struct augeas *aug, FILE *out, const 
char *pathin) {
 return result;
 }
 
+int aug_lens_get(augeas *aug, const char *path, const char *lens,
+ const char *txt, size_t txt_len) {
+char *text = NULL;
+int result = -1;
+
+/* append newline to the end of the string if needed */
+if (txt_len == 0 || txt[txt_len-1] != '\n') {
+if (ALLOC_N(text, txt_len+2)  0) {
+goto fini;
+}
+strcpy(text, txt);
+text[txt_len]   = '\n';
+text[txt_len+1] = '\0';
+txt_len += 2;
+} else {
+text = (char *)

Re: [Freeipa-devel] Structured DNS record API proposal - summary

2011-09-23 Thread Adam Young 

On 09/23/2011 02:02 AM, Martin Kosek wrote:

On Thu, 2011-09-22 at 22:05 -0400, Adam Young wrote:

On 09/22/2011 08:31 PM, Endi Sukma Dewata wrote:

OPEN QUESTION: should we implement these new commands also for discrete
DNS records types to be consistent? I mean for example A, , CNAME,
PTR, ... They would look like


ipa dnsrecord--add --ip-address=IPAddress

BENEFITS of this approach (command per RR type):
- use can get all help for RR type by simply typing ipa help
dnsrecord-mx-add
- we would be able to implement helper methods consistently on one
place, for example:
dnsrecord--add --from-mac=00:1D:BA:06:37:64

If we have this for all record types the UI can use a generic code to
figure out which command to use. Everything will be in this pattern:
dnsrecord-rrtype-add/mod/delprimary keys  [parameters*]

We won't have it for all types, so we will need a map.  Most  will use
the old API, and a few will use the pattern above

I think to make this all as consistent as possible, new API shall be
implemented for all types (except unsupported and DNSSEC ones). Rob did
agree with this approach too.

Martin




Lets proceed with caution here.  I think we can really complicate things 
with this approach.


From a UI perspective, we will have to tailor the  control to be used 
for any DNS record type that gets more than a single field.


From what I've seen, and the types we have to deal with thus far, only 
the SRV and MX records  are really used that much.  Lets implement for 
them  first and test it out.


For certificate based records,  DNS and otherwise, we want to get file 
upload working, as cut and paste etc is a PITA.  I'm not sure if we 
really need the Cert based records, but I suspect that, from a Dogtag 
perspective, there is a lot of things we could do with a tight 
integration of the two.  I can even see an API where we generate a Cert 
based record  from a Certificate Signing Request.



For A  and  records, we don't need a new API, we need a pattern.  
For A record  that pattern is:


\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b 




For  records that is:
/^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:!
((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*$/ 




Yep, they are nasty.  But that is going to be the case regardless of 
whether we use the new API or not.




Lets deal with these issues, and hold  the API explosion  until later.










___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] Structured DNS record API proposal - summary

2011-09-23 Thread Martin Kosek 
On Fri, 2011-09-23 at 10:46 -0400, Adam Young wrote:
 On 09/23/2011 02:02 AM, Martin Kosek wrote:
  On Thu, 2011-09-22 at 22:05 -0400, Adam Young wrote:
  On 09/22/2011 08:31 PM, Endi Sukma Dewata wrote:
  OPEN QUESTION: should we implement these new commands also for discrete
  DNS records types to be consistent? I mean for example A, , CNAME,
  PTR, ... They would look like
 
  ipa dnsrecord--add --ip-address=IPAddress
  BENEFITS of this approach (command per RR type):
  - use can get all help for RR type by simply typing ipa help
  dnsrecord-mx-add
  - we would be able to implement helper methods consistently on one
  place, for example:
  dnsrecord--add --from-mac=00:1D:BA:06:37:64
  If we have this for all record types the UI can use a generic code to
  figure out which command to use. Everything will be in this pattern:
  dnsrecord-rrtype-add/mod/delprimary keys  [parameters*]
  We won't have it for all types, so we will need a map.  Most  will use
  the old API, and a few will use the pattern above
  I think to make this all as consistent as possible, new API shall be
  implemented for all types (except unsupported and DNSSEC ones). Rob did
  agree with this approach too.
 
  Martin
 
 
 
 Lets proceed with caution here.  I think we can really complicate things 
 with this approach.

Ok, lets see...

 
  From a UI perspective, we will have to tailor the  control to be used 
 for any DNS record type that gets more than a single field.
 
  From what I've seen, and the types we have to deal with thus far, only 
 the SRV and MX records  are really used that much.  Lets implement for 
 them  first and test it out.
 
 For certificate based records,  DNS and otherwise, we want to get file 
 upload working, as cut and paste etc is a PITA.  I'm not sure if we 
 really need the Cert based records, but I suspect that, from a Dogtag 
 perspective, there is a lot of things we could do with a tight 
 integration of the two.  I can even see an API where we generate a Cert 
 based record  from a Certificate Signing Request.
 

That's the benefit of command-per-type approach. We could implement some
helpers to dnsrecord-cert-add when file upload is ready or we specify a
way to cooperate with dogtag there.

 
 For A  and  records, we don't need a new API, we need a pattern.  
 For A record  that pattern is:
 
 \b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b
  
 
 
 
 For  records that is:
 /^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5!
 
}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*$/
 
 
 
 
 Yep, they are nasty.  But that is going to be the case regardless of 
 whether we use the new API or not.
 

I agree - that's not pretty. On the server side, I would like to use
services of python-netaddr package. This package is able to validate
both A or  records. I don't see the benefit of using own regex
instead.

 
 
 Lets deal with these issues, and hold  the API explosion  until later.

Martin


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] Structured DNS record API proposal - summary

2011-09-23 Thread Adam Young 

On 09/23/2011 11:52 AM, Rob Crittenden wrote:

Adam Young wrote:

On 09/23/2011 02:02 AM, Martin Kosek wrote:

On Thu, 2011-09-22 at 22:05 -0400, Adam Young wrote:

On 09/22/2011 08:31 PM, Endi Sukma Dewata wrote:

OPEN QUESTION: should we implement these new commands also for
discrete
DNS records types to be consistent? I mean for example A, , 
CNAME,

PTR, ... They would look like


ipa dnsrecord--add --ip-address=IPAddress

BENEFITS of this approach (command per RR type):
- use can get all help for RR type by simply typing ipa help
dnsrecord-mx-add
- we would be able to implement helper methods consistently on one
place, for example:
dnsrecord--add --from-mac=00:1D:BA:06:37:64

If we have this for all record types the UI can use a generic code to
figure out which command to use. Everything will be in this pattern:
dnsrecord-rrtype-add/mod/delprimary keys [parameters*]

We won't have it for all types, so we will need a map. Most will use
the old API, and a few will use the pattern above

I think to make this all as consistent as possible, new API shall be
implemented for all types (except unsupported and DNSSEC ones). Rob did
agree with this approach too.

Martin



We need to be able to display even the unsupported types, as they might
end up in the Database. We can work around that limitation.



IMHO if we can't manage them we shouldn't show them.

rob


Yeah, probably.  If you can guarantee it from the server side, I'm OK 
with that.





___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] Structured DNS record API proposal - summary

2011-09-23 Thread Martin Kosek 
On Fri, 2011-09-23 at 13:17 -0400, Adam Young wrote:
 On 09/23/2011 11:52 AM, Rob Crittenden wrote:
  Adam Young wrote:
  On 09/23/2011 02:02 AM, Martin Kosek wrote:
  On Thu, 2011-09-22 at 22:05 -0400, Adam Young wrote:
  On 09/22/2011 08:31 PM, Endi Sukma Dewata wrote:
  OPEN QUESTION: should we implement these new commands also for
  discrete
  DNS records types to be consistent? I mean for example A, , 
  CNAME,
  PTR, ... They would look like
 
  ipa dnsrecord--add --ip-address=IPAddress
  BENEFITS of this approach (command per RR type):
  - use can get all help for RR type by simply typing ipa help
  dnsrecord-mx-add
  - we would be able to implement helper methods consistently on one
  place, for example:
  dnsrecord--add --from-mac=00:1D:BA:06:37:64
  If we have this for all record types the UI can use a generic code to
  figure out which command to use. Everything will be in this pattern:
  dnsrecord-rrtype-add/mod/delprimary keys [parameters*]
  We won't have it for all types, so we will need a map. Most will use
  the old API, and a few will use the pattern above
  I think to make this all as consistent as possible, new API shall be
  implemented for all types (except unsupported and DNSSEC ones). Rob did
  agree with this approach too.
 
  Martin
 
 
  We need to be able to display even the unsupported types, as they might
  end up in the Database. We can work around that limitation.
 
 
  IMHO if we can't manage them we shouldn't show them.
 
  rob
 
 Yeah, probably.  If you can guarantee it from the server side, I'm OK 
 with that.
 

I can. We don't have them allowed in the schema as bind-dyndb-ldap
plugin does not support them.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] Structured DNS record API proposal - summary

2011-09-22 Thread Martin Kosek 
On Wed, 2011-09-21 at 11:22 +0200, Martin Kosek wrote:
 On Tue, 2011-09-20 at 11:22 -0500, Endi Sukma Dewata wrote:
  On 9/20/2011 6:15 AM, Martin Kosek wrote:
   ACK.  Proposal looks like it will work fairly easily with the UI.
   We'll have to make some chagnes due to the Add doing something
   different based on the type, but that is the case anyway.
  
   Yes, I was thinking how can we integrate this new API to WebUI. AFAIK
   you use dnsrecord-add $ZONE $REC --a-rec=... --mx-rec=... for adding a
   new DNS record and dnsrecord-mod $ZONE $REC --mx-rec=... when for
   example the mx record is being modified. All MX values (even the
   unmodified ones) are passed to dnsrecord-mod.
  
   1) I was wondering how the new dnsrecord-rrtype-add commands can be
   used. I suppose WebUI will know a list of DNS record types with these
   new structured commands and offer the user new window to add a record
   for these types instead of typing them directly to the text box as it is
   now.
  
  When adding a DNS record the user will specify the name and the type, 
  then the UI will show a set of fields based on the selected record type.
  
  So instead of a generic 'data' field like below (click Add):
  
  http://edewata.fedorapeople.org/freeipa/install/ui/index.html#dns=dnszoneidentity=dnsnavigation=identitydnszone-facet=defaultdnszone-pkey=ayoung.boston.devel.redhat.com
  
  it will be similar to Permissions (click Add):
  
  http://edewata.fedorapeople.org/freeipa/install/ui/index.html#rolebased=permissionipaserver=rolebasednavigation=ipaserver
  
  The UI will use the type to pick the correct dnsrecord-rrtype-add 
  command and each parameter in that command will have a corresponding 
  field to enter the value.
 
 Yes, I think this will work fine. Would it make sense to create
 dnsrecord-rr-type-add commands also for non-structured DNS records? I
 mean for example for A, , PTR, CNAME, ... record, which have just
 one simple value or let plain old dnsrecord-add --a-rec=... handle it?
 
  
   2) But my main concern here is how the modification of current DNS
   records should work. Say, we have 2 MX records for example.com. How can
   we modify one of it in a new structured interface?
  
   We would have to implement dnsrecord-mx-show method so that you can fill
   all the text areas (preference, mailserver). Question is how to refer
   the value we want to show since DNS records are multivalued. We could
   pass --dnsrecord=... with DNS record value, e.g. 0 mx.example.com.
   and then use the same value for dnsrecord-mx-mod. The whole command
   sequence would look this way:
  
   dnsrecord-find example.com  -- get all DNS records for example.com
   dnsrecord-show example.com @-- show DNS records directly in the zone
   NS: ns.example.com
   MX: 0 mx1.example.com.
   MX: 1 mx2.example.com.  user wants to modify this one -  new window
  
  I think for each record value the primary keys are the zone name, record 
  name, and the value itself. To simplify operations, we should use the 
  value as a single string. For CLI, users can copy  paste the value more 
  easily.
 
 Agreed. As Adam Tkac suggested, we can simplify this with interactive
 prompt so that user doesn't have to copypaste, but just choose a record
 to -show/-mod.
 
  
  For UI it depends whether (1) we're going to keep the current edit page 
  where all records with the same name are considered a single entry, or 
  whether (2) we're going to edit each record value in a separate page. 
  See ticket #1478.
  
  If we stay with (1), the link to the edit page consists of zone name and 
  record name only. But if we pick (2) the link consists of zone name, 
  record name, value, and type (which can be obtained from -find output).
 
 This is more of a UXD decision, server API will remain intact. I just
 see 2 issues here:
 
 1) If you let user edit multiple structured DNS records, you would have
 to call dnsrecord-rr-type-show multiple times so that you can populate
 all the fields. This can slow down things.
 
 2) Some DNS records may be pretty large. MX record data is small, but
 for example CERT records have an entire certificate stored in it.
 Wouldn't there be a problem if we place the large DNS record in URL?
 
  
   dnsrecord-mx-show example.com --dnsrecord=1 mx1.example.com.
   PREFERENCE: 1  user modifies this to 0
   MAILSERVER: mx2.example.com.
  
  For consistency, the record value should be specified as an argument 
  instead of an option (like in automount). So it will be like this:
  
  dnsrecord-mx-show example.com @ 1 mx1.example.com.
  PREFERENCE: 1
  MAILSERVER: mx2.example.com
 
 This can be done.
 
  
  If we stay with (1) the UI will have to call the dnsrecord-rrtype-show 
  for each value to get the value of each fields. The UI will need to 
  implement a new widget (or section) that can handle multiple fields 
  which will be duplicated for each value.
 
 Ah, yes - as I wrote above. This would also take more time

Re: [Freeipa-devel] Structured DNS record API proposal - summary

2011-09-22 Thread Endi Sukma Dewata 

On 9/22/2011 7:24 AM, Martin Kosek wrote:

2) Some DNS records may be pretty large. MX record data is small, but
for example CERT records have an entire certificate stored in it.
Wouldn't there be a problem if we place the large DNS record in URL?


This is how the DNS record list page could be redesigned:
http://edewata.fedorapeople.org/images/dns-record-list-page.png

It should resemble what you see in the zone file. The content can be 
obtained with a single dnsresource-find operation.


If you click one of the data, it would open a dialog box for that 
particular record type. We will use the raw data as a primary key to 
execute the dnsresource-rrtype-show command. Each attribute in this 
record type will be displayed in separate fields:

http://edewata.fedorapeople.org/images/dns-record-edit-dialog.png

When you save it will call dnsresource-rrtype-mod and put the values 
in separate parameters. It will still use the original raw data as 
primary key, but we don't need to encode the new values into raw data.


If we use a dialog box like this none of the attributes need to be added 
into the URL. It will be passed internally via variables. If we use a 
separate edit page (with a unique URL for each record), we might need to 
specify the entire raw data in the URL, but maybe we can find a 
workaround for CERT record. I'd prefer to use a dialog box because it 
can be used for both add and modify.



OPEN QUESTION: should we implement these new commands also for discrete
DNS records types to be consistent? I mean for example A, , CNAME,
PTR, ... They would look like


ipa dnsrecord--add --ip-address=IPAddress


BENEFITS of this approach (command per RR type):
- use can get all help for RR type by simply typing ipa help
dnsrecord-mx-add
- we would be able to implement helper methods consistently on one
place, for example:
dnsrecord--add --from-mac=00:1D:BA:06:37:64


If we have this for all record types the UI can use a generic code to 
figure out which command to use. Everything will be in this pattern: 
dnsrecord-rrtype-add/mod/del primary keys [parameters*]



OPEN QUESTION: should we implement also -find methods
(dnsrecord-mx-find) so that UI can for example populate text fields for
all (MX) records for one DNS name?


Depending on the UI design, it might not be needed. But it won't hurt to 
have one in case the UI changes, for example suppose we want to have 
separate tabs for each record type.



4) -mod commands shall be implemented for structured RR types:
API would be almost the same as with -add commands. User (WebUI) would
just have to identify which record should be modified:
a) by copypassing the raw DNS value directly to the command:


dnsrecord-mx-mod example.com @ 1 mx1.example.com. --preference=0


The Web UI will use the JSON-RPC version of this command. As discussed 
already, the non-interactive mode for CLI will be useful for writing 
scripts or other applications that will invoke the CLI/API.


Being able to specify the attributes in separate parameters means that 
the client doesn't have to figure out how to encode the attributes into 
a single raw data. They will be encoded consistently by the server.



b) (CLI only) by using an interactive wizard that would let user choose
the modified record like this way:


dnsrecord-mx-mod example.com @ --preference=0

Which record would you like to change?
[1] 1 mx1.example.com.
[2] 10 mx2.example.com.
DNS record:user enters the number


The interactive mode will be useful for people who have to use 
text-based terminal.


--
Endi S. Dewata

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] Structured DNS record API proposal

2011-09-22 Thread Dmitri Pal 
On 09/22/2011 03:37 AM, Jakub Hrozek wrote:
 On Thu, Sep 22, 2011 at 08:25:01AM +0200, Jan Cholasta wrote:
 On 21.9.2011 23:55, Dmitri Pal wrote:
 On 09/21/2011 10:27 AM, Adam Young wrote:
 On 09/20/2011 11:11 AM, Martin Kosek wrote:
 On Tue, 2011-09-20 at 10:02 -0400, Adam Young wrote:
 This discussion got me thinking, always a dangerous proposal:

 We are currently exposing record add with the lie  that  when you add a
 record, it has a type.  THe reality is that a record is just this big
 collection of multi value attributes, and each of those  is the type
 of the record.
 The way I see it is that we have different types of Resource Records
 with a (domain) name that can be shared.

 If all of the 'records'  have the same idnsname, then they really fall
 under the same Record object in LDAP.
 Yes.

 What if we focuses on the attribtutes themselves, and add the type info
 there.
 I thought we do this already.

 Pie in the sky proposal.   Treat it as a starting point:

   From the webui perspective
 dnsrecord-add   allows the case where it just has the the idnsname with
 no records

 dnsrecordattr-mod  takes record type specific values.

 To add a location entry:

 ipa dnsrecordattr-mod --append location --lat-deg=INT --lat-min=INT
 --lat-sec=FLOAT --lat-dir=ENUM --lon-deg=INT --lon-min=INT
 --lon-sec=FLOAT --lon-dir=ENUM --alt=FLOAT --h-precision=FLOAT
 --v-precision=FLOAT


 And to remove it

 ipa dnsrecordattr-mod --remove location --lat-deg=INT --lat-min=INT
 --lat-sec=FLOAT --lat-dir=ENUM --lon-deg=INT --lon-min=INT
 --lon-sec=FLOAT --lon-dir=ENUM --alt=FLOAT --h-precision=FLOAT
 --v-precision=FLOAT
 So if user would want to remove a LOC record, he would have to pass all
 these attributes to refer which attribute value to remove?
 I think that is the case anyway.  Since a DNS record is really just an
 multivalue attribute,   you would now have to do  a dns-record-mod
 with the list of all LOC records that you don't want to delete.  I
 used this as an example because it is the most complex case.

 Just thinking it through...I'm not certain I like the one command per
 record type  as it changes a lot of other assumptions.  DNS is a
 wierd beast already.

 I've spent a lot of time on the DNS ui, and it is pretty tricky  to
 get right.  I'm trying to balance the PI against efficient usage.

 What we really need for the fields is a way to specify the format for
 a given field, much like the format strings used for group names.  For
 example, the LOC  record  is really

 owner   TTL   class   LOC d1 [m1 [s1]] {N|S}  d2 [m2 [s2]]
 {E|W}
   alt[m] [siz[m] [hp[m] [vp[m


 And all the WebUI needs is a way to specify that format  to validate.

 Can we use augeas for this?
 Augeas lenses use this kind of the validation and there is python
 binding so may be we should use augeas as an inspiration or ask for an
 augeas Javascript solution?
 We can't. Augeas knows how to manipulate config files and only that,
 there is no API for anything else.

 Some time ago I wrote a patch to extend Augeas to operate on arbitrary
 strings. I never had time to push it upstream, but I think I still have
 is somewhere.

 Not sure if this approach would help us anyway, we would still have to
 wait until this feature made it to RHEL and solve the JS bindings as
 well


Yes I was thinking about this path at least as an inspiration.

 ___
 Freeipa-devel mailing list
 Freeipa-devel@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-devel




-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] Structured DNS record API proposal

2011-09-21 Thread Martin Kosek 
On Wed, 2011-09-21 at 10:58 +0200, Adam Tkac wrote:
 On 09/16/2011 02:25 PM, Martin Kosek wrote:
  On Fri, 2011-09-16 at 08:12 -0400, Simo Sorce wrote:
  Whatever you do do not split this operation into a DEL+ADD, we want an
  atomic modify operation in any case. as you do not want to have a race
  where named may query the MX records and find them empty. That'd be much
  worse than returning one of them outdated.
 
  This means whatever the API we need to support a way to add all values
  at the same time. We can also have the more verbose API to make things
  more understandable, but we need this bulk API for the WebUI IMHO.
  I agree, the change shouldn't be split to del+add. My proposed API:
 
  dnsrecord-mx-mod example.com --dnsrecord=1 mx1.example.com. --preference=0
 
  would do just one write to LDAP. Unfortunately, this is not so pretty
  for CLI, one would have to copypaste raw DNS value to be able to edit
  its components, but it should be simple for WebUI. Right now, I don't
  see some better way.
 
 I thought about this CLI proposal and it is definitely a good start. In
 the future we can consider to improve the CLI this way, for example:
 
 $ dnsrecord-mx-mod example.com --preference=0
 Which record would you like to change?
 [1] 1 mx1.example.com.
 [2] 10 mx2.example.com.
 $ select the record
 
 This way will be more convenient for people which use CLI, especially
 when we start to support DNSSEC and resource record types which store
 certificates (CERT/SSHFP) get widely used. I doubt that someone likes
 copyingpasting SHA* hashes and RSA signatures every time when some
 record is modified.
 
 Regards, Adam

Good idea! I already added some interactive prompt helpers to DNS
plugin, you can check for example dnsrecord_del command, specifically
its interactive_prompt_callback(). This can be also used for -mod/-show
command which will make the command user-friendly for both CLI and WebUI
users.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] Structured DNS record API proposal

2011-09-21 Thread yi zhang 

On 09/21/2011 01:58 AM, Adam Tkac wrote:

On 09/16/2011 02:25 PM, Martin Kosek wrote:

On Fri, 2011-09-16 at 08:12 -0400, Simo Sorce wrote:

Whatever you do do not split this operation into a DEL+ADD, we want an
atomic modify operation in any case. as you do not want to have a race
where named may query the MX records and find them empty. That'd be much
worse than returning one of them outdated.

This means whatever the API we need to support a way to add all values
at the same time. We can also have the more verbose API to make things
more understandable, but we need this bulk API for the WebUI IMHO.

I agree, the change shouldn't be split to del+add. My proposed API:

dnsrecord-mx-mod example.com --dnsrecord=1 mx1.example.com. --preference=0

would do just one write to LDAP. Unfortunately, this is not so pretty
for CLI, one would have to copypaste raw DNS value to be able to edit
its components, but it should be simple for WebUI. Right now, I don't
see some better way.


I thought about this CLI proposal and it is definitely a good start. In
the future we can consider to improve the CLI this way, for example:

$ dnsrecord-mx-mod example.com --preference=0
Which record would you like to change?
[1] 1 mx1.example.com.
[2] 10 mx2.example.com.
$select the record

This way will be more convenient for people which use CLI, especially
when we start to support DNSSEC and resource record types which store
certificates (CERT/SSHFP) get widely used. I doubt that someone likes
copyingpasting SHA* hashes and RSA signatures every time when some
record is modified.

Regards, Adam
Interactive mode is useful in some case. But can people still script 
with this CLI? I hope this CLI can still offer non-interactive mode so 
it would be more script-friendly.

BTW, I am a QA.

Yi


___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel



--

~
| Yi Zhang  |
| QA @ Mountain View, Calinfornia   |
| Cell: 408-509-6375|
~

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] Structured DNS record API proposal

2011-09-20 Thread Endi Sukma Dewata 

On 9/20/2011 6:15 AM, Martin Kosek wrote:

ACK.  Proposal looks like it will work fairly easily with the UI.
We'll have to make some chagnes due to the Add doing something
different based on the type, but that is the case anyway.


Yes, I was thinking how can we integrate this new API to WebUI. AFAIK
you use dnsrecord-add $ZONE $REC --a-rec=... --mx-rec=... for adding a
new DNS record and dnsrecord-mod $ZONE $REC --mx-rec=... when for
example the mx record is being modified. All MX values (even the
unmodified ones) are passed to dnsrecord-mod.

1) I was wondering how the new dnsrecord-rrtype-add commands can be
used. I suppose WebUI will know a list of DNS record types with these
new structured commands and offer the user new window to add a record
for these types instead of typing them directly to the text box as it is
now.


When adding a DNS record the user will specify the name and the type, 
then the UI will show a set of fields based on the selected record type.


So instead of a generic 'data' field like below (click Add):

http://edewata.fedorapeople.org/freeipa/install/ui/index.html#dns=dnszoneidentity=dnsnavigation=identitydnszone-facet=defaultdnszone-pkey=ayoung.boston.devel.redhat.com

it will be similar to Permissions (click Add):

http://edewata.fedorapeople.org/freeipa/install/ui/index.html#rolebased=permissionipaserver=rolebasednavigation=ipaserver

The UI will use the type to pick the correct dnsrecord-rrtype-add 
command and each parameter in that command will have a corresponding 
field to enter the value.



2) But my main concern here is how the modification of current DNS
records should work. Say, we have 2 MX records for example.com. How can
we modify one of it in a new structured interface?

We would have to implement dnsrecord-mx-show method so that you can fill
all the text areas (preference, mailserver). Question is how to refer
the value we want to show since DNS records are multivalued. We could
pass --dnsrecord=... with DNS record value, e.g. 0 mx.example.com.
and then use the same value for dnsrecord-mx-mod. The whole command
sequence would look this way:

dnsrecord-find example.com  -- get all DNS records for example.com
dnsrecord-show example.com @-- show DNS records directly in the zone
NS: ns.example.com
MX: 0 mx1.example.com.
MX: 1 mx2.example.com.  user wants to modify this one -  new window


I think for each record value the primary keys are the zone name, record 
name, and the value itself. To simplify operations, we should use the 
value as a single string. For CLI, users can copy  paste the value more 
easily.


For UI it depends whether (1) we're going to keep the current edit page 
where all records with the same name are considered a single entry, or 
whether (2) we're going to edit each record value in a separate page. 
See ticket #1478.


If we stay with (1), the link to the edit page consists of zone name and 
record name only. But if we pick (2) the link consists of zone name, 
record name, value, and type (which can be obtained from -find output).



dnsrecord-mx-show example.com --dnsrecord=1 mx1.example.com.
PREFERENCE: 1 user modifies this to 0
MAILSERVER: mx2.example.com.


For consistency, the record value should be specified as an argument 
instead of an option (like in automount). So it will be like this:


dnsrecord-mx-show example.com @ 1 mx1.example.com.
PREFERENCE: 1
MAILSERVER: mx2.example.com

If we stay with (1) the UI will have to call the dnsrecord-rrtype-show 
for each value to get the value of each fields. The UI will need to 
implement a new widget (or section) that can handle multiple fields 
which will be duplicated for each value.


The edit page for (2) is much simpler since it only needs to handle a 
single type at a time. The output of the -show command will be used to 
populate each field.



dnsrecord-mx-mod example.com --dnsrecord=1 mx1.example.com. --preference=0


When updating the value, option (1) is a bit more complicated because 
the UI will have to find the dirty record and then find the dirty field. 
Option (2) is simpler because it will only need to find the dirty field, 
but both will execute the following command:


dnsrecord-mx-mod example.com @ 1 mx1.example.com. --preference=0

I think option (2) is more clear to users because we only have to 
introduce 2 concepts: zone and record (which is the individual value). 
With option (1) we will have to explain the underlying LDAP entry that 
will be deleted automatically when the last record value is deleted.


--
Endi S. Dewata

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] Structured DNS record API proposal

2011-09-16 Thread Adam Tkac 

On 09/16/2011 09:51 AM, Martin Kosek wrote:

On Thu, 2011-09-15 at 10:26 +0200, Adam Tkac wrote:


Your proposal seems fine for me. However I would recommend not to expose
routines for managing DNSSEC related records because DNSSEC is currently
not supported in the bind-dyndb-ldap. This doesn't mean you should
remove code which handles those records, just don't expose them to
users, please. Routines can be reused in future, when we decide how to
handle DNSSEC in FreeIPA.

I checked the dnsrecord-rrtype-add list below and DNSSEC related
records are DS, KEY, NSEC, RRSIG, SIG.

Regards, Adam

Since we don't know how DNSSEC records will be handled, I would rather
don't implement the methods now and then reimplement them.

When I was implementing DNS validators in patch 120 I noticed we provide
API to add many RR types that are not supported via bind-dyndb-ldap at
all. Any attempt to add them ends with missing LDAP schema attribute
error.

Since the new API is targeted for new FreeIPA major release I wouldn't
be afraid to remove all these RR types from our API (they don't work
anyway).

This applies to these RR types: APL, DHCID, DLV, DNSKEY, HIP, IPSECKEY,
NSEC3, NSEC3PARAM, RP, TA, TKEY, TSIG.

IMO, we should then add there RR types _only_ when they are supported by
bind-dyndb-ldap.

Ack, this is the best for now.

Regards, Adam

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] Structured DNS record API proposal

2011-09-16 Thread Simo Sorce 
On Fri, 2011-09-16 at 09:42 +0200, Martin Kosek wrote:
 On Thu, 2011-09-15 at 15:28 -0400, Adam Young wrote:
  On 09/14/2011 12:18 PM, Martin Kosek wrote: 
   Attached in the txt file. If you have any comments or suggestions to
   this proposal, please let me know.
   
   https://fedorahosted.org/freeipa/ticket/1766
   
   
   ___
   Freeipa-devel mailing list
   Freeipa-devel@redhat.com
   https://www.redhat.com/mailman/listinfo/freeipa-devel
  
  
  ACK.  Proposal looks like it will work fairly easily with the UI.
  We'll have to make some chagnes due to the Add doing something
  different based on the type, but that is the case anyway.
 
 Yes, I was thinking how can we integrate this new API to WebUI. AFAIK
 you use dnsrecord-add $ZONE $REC --a-rec=... --mx-rec=... for adding a
 new DNS record and dnsrecord-mod $ZONE $REC --mx-rec=... when for
 example the mx record is being modified. All MX values (even the
 unmodified ones) are passed to dnsrecord-mod.
 
 1) I was wondering how the new dnsrecord-rrtype-add commands can be
 used. I suppose WebUI will know a list of DNS record types with these
 new structured commands and offer the user new window to add a record
 for these types instead of typing them directly to the text box as it is
 now.
 
 2) But my main concern here is how the modification of current DNS
 records should work. Say, we have 2 MX records for example.com. How can
 we modify one of it in a new structured interface?
 
 We would have to implement dnsrecord-mx-show method so that you can fill
 all the text areas (preference, mailserver). Question is how to refer
 the value we want to show since DNS records are multivalued. We could
 pass --dnsrecord=... with DNS record value, e.g. 0 mx.example.com.
 and then use the same value for dnsrecord-mx-mod. The whole command
 sequence would look this way:
 
 dnsrecord-find example.com  -- get all DNS records for example.com
 dnsrecord-show example.com @-- show DNS records directly in the zone
 NS: ns.example.com
 MX: 0 mx1.example.com.
 MX: 1 mx2.example.com.  user wants to modify this one - new window
 
 dnsrecord-mx-show example.com --dnsrecord=1 mx1.example.com.
 PREFERENCE: 1   user modifies this to 0
 MAILSERVER: mx2.example.com.
 
 dnsrecord-mx-mod example.com --dnsrecord=1 mx1.example.com. --preference=0
 
 
 What do you think about this API for record modification?

Although racy, isn't it simpler to just always replace the whole set ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] Structured DNS record API proposal

2011-09-16 Thread Simo Sorce 
On Fri, 2011-09-16 at 14:04 +0200, Martin Kosek wrote:
 On Fri, 2011-09-16 at 07:58 -0400, Simo Sorce wrote:
  On Fri, 2011-09-16 at 09:42 +0200, Martin Kosek wrote:
   On Thu, 2011-09-15 at 15:28 -0400, Adam Young wrote:
On 09/14/2011 12:18 PM, Martin Kosek wrote: 
 Attached in the txt file. If you have any comments or suggestions to
 this proposal, please let me know.
 
 https://fedorahosted.org/freeipa/ticket/1766
 
 
 ___
 Freeipa-devel mailing list
 Freeipa-devel@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-devel


ACK.  Proposal looks like it will work fairly easily with the UI.
We'll have to make some chagnes due to the Add doing something
different based on the type, but that is the case anyway.
   
   Yes, I was thinking how can we integrate this new API to WebUI. AFAIK
   you use dnsrecord-add $ZONE $REC --a-rec=... --mx-rec=... for adding a
   new DNS record and dnsrecord-mod $ZONE $REC --mx-rec=... when for
   example the mx record is being modified. All MX values (even the
   unmodified ones) are passed to dnsrecord-mod.
   
   1) I was wondering how the new dnsrecord-rrtype-add commands can be
   used. I suppose WebUI will know a list of DNS record types with these
   new structured commands and offer the user new window to add a record
   for these types instead of typing them directly to the text box as it is
   now.
   
   2) But my main concern here is how the modification of current DNS
   records should work. Say, we have 2 MX records for example.com. How can
   we modify one of it in a new structured interface?
   
   We would have to implement dnsrecord-mx-show method so that you can fill
   all the text areas (preference, mailserver). Question is how to refer
   the value we want to show since DNS records are multivalued. We could
   pass --dnsrecord=... with DNS record value, e.g. 0 mx.example.com.
   and then use the same value for dnsrecord-mx-mod. The whole command
   sequence would look this way:
   
   dnsrecord-find example.com  -- get all DNS records for example.com
   dnsrecord-show example.com @-- show DNS records directly in the zone
   NS: ns.example.com
   MX: 0 mx1.example.com.
   MX: 1 mx2.example.com.  user wants to modify this one - new window
   
   dnsrecord-mx-show example.com --dnsrecord=1 mx1.example.com.
   PREFERENCE: 1   user modifies this to 0
   MAILSERVER: mx2.example.com.
   
   dnsrecord-mx-mod example.com --dnsrecord=1 mx1.example.com. 
   --preference=0
   
   
   What do you think about this API for record modification?
  
  Although racy, isn't it simpler to just always replace the whole set ?
  
  Simo.
  
 
 How would that work? We are designing -add -show -mod commands for
 mutlivalued LDAP attribute values, we should have some reference what
 value we are modifying. Or did you mean the following command sequence
 for mod operation?
 
 dnsrecord-del example.com @ --mx-rec=0 mx1.example.com., 1 
 mx2.example.com.
 dnsrecord-mx-add example.com @ --priority=0 --mailserver=mx1.example.com.
 dnsrecord-mx-add example.com @ --priority=1 --mailserver=mx2.example.com.

Oh I see, I thought we could add multuple values at the same time, but
with this syntax it is not possible.

Perhaps something like this:

dnsrecord-mod example.com @ --replace --mx-rec=0 mx1.example.com., 1 
mx2.example.com.

This would replace any existing record with the list of 'raw' records provided.

Whatever you do do not split this operation into a DEL+ADD, we want an
atomic modify operation in any case. as you do not want to have a race
where named may query the MX records and find them empty. That'd be much
worse than returning one of them outdated.

This means whatever the API we need to support a way to add all values
at the same time. We can also have the more verbose API to make things
more understandable, but we need this bulk API for the WebUI IMHO.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] Structured DNS record API proposal

2011-09-16 Thread Martin Kosek 
On Fri, 2011-09-16 at 08:12 -0400, Simo Sorce wrote:
 On Fri, 2011-09-16 at 14:04 +0200, Martin Kosek wrote:
...
  How would that work? We are designing -add -show -mod commands for
  mutlivalued LDAP attribute values, we should have some reference what
  value we are modifying. Or did you mean the following command sequence
  for mod operation?
  
  dnsrecord-del example.com @ --mx-rec=0 mx1.example.com., 1 
  mx2.example.com.
  dnsrecord-mx-add example.com @ --priority=0 --mailserver=mx1.example.com.
  dnsrecord-mx-add example.com @ --priority=1 --mailserver=mx2.example.com.
 
 Oh I see, I thought we could add multuple values at the same time, but
 with this syntax it is not possible.
 
 Perhaps something like this:
 
 dnsrecord-mod example.com @ --replace --mx-rec=0 mx1.example.com., 1 
 mx2.example.com.

We have something similar already. Current implementation of
dnsrecord-mod jus replaces whatever was in the multivalued attribute now
with the new values. That's what WebUI uses now. Now, if you modify MX
record priority in raw record, this is what is sent to IPA:

dnsrecord-mod example.com @ --mx-rec=0 mx1.example.com.,1 mx2.example.com.

 
 This would replace any existing record with the list of 'raw' records 
 provided.

Yes, that is current state. The motivation for this new API, however, is
an ability to edit the structured DNS records, not the raw ones. WebUI
shouldn't generate raw DNS records from structured WebUI form and send
them to server, server should do it. That was my motivation for the
proposed API.

 
 Whatever you do do not split this operation into a DEL+ADD, we want an
 atomic modify operation in any case. as you do not want to have a race
 where named may query the MX records and find them empty. That'd be much
 worse than returning one of them outdated.
 
 This means whatever the API we need to support a way to add all values
 at the same time. We can also have the more verbose API to make things
 more understandable, but we need this bulk API for the WebUI IMHO.

I agree, the change shouldn't be split to del+add. My proposed API:

dnsrecord-mx-mod example.com --dnsrecord=1 mx1.example.com. --preference=0

would do just one write to LDAP. Unfortunately, this is not so pretty
for CLI, one would have to copypaste raw DNS value to be able to edit
its components, but it should be simple for WebUI. Right now, I don't
see some better way.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel