Ticket #3752 (closed enhancement: fixed)

Opened 4 years ago

Last modified 3 years ago

[RFE] Use automember for hosts after the host is added

Reported by: dpal Owned by: akrivoka
Priority: major Milestone: FreeIPA 4.0 - 2013/12
Component: IPA Version:
Keywords: Cc: rmeggins, pvoborni
Blocked By: Blocking:
Affects Documentation: no Patch link: 1
Red Hat Bugzilla: 1108226 Patch review by:
External tracker: Design link: http://www.freeipa.org/page/V4/Automember_rebuild_membership
Test coverage: Test by:
Test case: Needs UI design: Not needed
Feature: Source:
Expertise:
Release Notes: Add automember-rebuild command allowing to apply all automember rules to existing objects (users, hosts). The command is synchronous, it returns when the backend LDAP operation finishes (unless --no-wait option is passed).

Description

It became apparent that there are some cases when the purpose, and thus the proper placement of the system into host groups, is not known in advance. Consider the following scenario:

  1. There is an existing system not integrated with IPA, Spacewalk or other management software but running some application.
  2. The system should be inspected, classified and the right configuration and policy should be applied.
  3. The first step is to enrol it into IPA so that management software can SSH into the system and collect facts and stats. At this point the host needs to be created in IPA but the type of the host is yet to be determined.
  4. Once the system is enrolled the management software would connect, collect facts and determine the class or type of the system.
  5. The management software should then be able to issue a command that would trigger the autoplacement plugin for an already existing host.

Change History

comment:1 Changed 4 years ago by simo

If this inspection system can modify the host object, why can't it simply directly add the host to whatever group it needs to?

comment:2 Changed 4 years ago by dpal

It can but it is more complex than leveraging the automember functionality. The management software would also need to know the actual groups and what they mean. This is not necessarily the case. The management system can detect that this is a "web server", or "file server", or "mail server" and tell IPA this is "file server, go do your magic and place it into the right groups only you know about" because they are part of IPA and used for HBAC and SUDO and nothing else.

AFAIK the DS plugin was built with this use case in mind, we are just not using it yet.

comment:3 Changed 4 years ago by rcritten

I agree, it is best to leverage automember and not split the logic.

DS 9 added the following features to the automember plugin:

  • rebuild membership, which re-runs the Auto Membership Plug-in on existing entries to update the group membership; this is essentially a fix-up task
  • automember export updates, which does a test-run of what the membership changes would be and writes them to a specified LDIF file
  • map updates, which inputs the entries from an LDIF file, performs a test-run, and then writes what the results of the fix-up task would be to a given LDIF file

comment:4 Changed 4 years ago by mkosek

  • Cc rmeggins added

Now I am just thinking - would it be useful to have a DS task to rebuild just one entry? I.e. a task that would ask DS to rebuild membership just for the specified DN. This way other, unrelated hosts' memberships would stay intact, making the change more robust IMO.

Adding rmeggins to CC for evaluation if this is feasible or not.

comment:5 Changed 4 years ago by dpal

Frankly I thought that there is already an option to do that.

comment:6 Changed 4 years ago by rmeggins

Nathan says: "I think you should be able to just use a filter to identify the single entry. Mark put details in the ticket here: https://fedorahosted.org/389/ticket/20#comment:10"

comment:7 Changed 4 years ago by mkosek

  • Cc pvoborni added

Thanks, this is exactly what I was looking for. Looking at this ticket, I think it could translate to the following changes:

  • ipa automember-rebuild-membership --type={hostgroup,group} - this would run the automember rebuild membership task for all objects of this type.
  • ipa host-rebuild-membership HOST - run the automember rebuild membership task for the given host
  • ipa user-rebuild-membership USER - run the automember rebuild membership task for the given user

We should also hook these commands to Web UI then - to automember, user and host pages.

All in all, I think the feature is very useful and would add much more value to the automember ability - I would propose adding it to the next release.
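The commands proposed above, and the DS rebuild task described in comment 3, both come down to writing one task entry into 389 DS and narrowing it with an LDAP filter (the single-entry case from comment 6). The following is an added example, not FreeIPA or 389 DS project code, that builds such a task entry for either all objects of a type or a list of named hosts or users. It assumes the 389 DS task container `cn=automember rebuild membership,cn=tasks,cn=config` with the attributes `basedn`, `filter` and `scope`, the FreeIPA containers `cn=computers,cn=accounts` (keyed by `fqdn`) and `cn=users,cn=accounts` (keyed by `uid`), completion signalled through `nstaskexitcode`, and a constructed suffix `dc=example,dc=com`. Host and user names are escaped per RFC 4515 before they enter the filter, so a name supplied by the inspecting management system cannot widen the rebuild to unrelated entries.

```python
"""Build a 389 DS "automember rebuild membership" task entry for FreeIPA objects.

Added example, not FreeIPA or 389 DS project code.  Assumptions (labelled):
  * the task container DN is
    cn=automember rebuild membership,cn=tasks,cn=config and the task entry
    takes the attributes basedn, filter and scope (389 DS documentation);
  * FreeIPA keeps hosts under cn=computers,cn=accounts,<suffix> keyed by fqdn
    and users under cn=users,cn=accounts,<suffix> keyed by uid;
  * 389 DS reports task completion by setting nstaskexitcode on the entry;
  * the suffix dc=example,dc=com used below is a constructed sample value.
"""
import uuid

TASK_CONTAINER = "cn=automember rebuild membership,cn=tasks,cn=config"

# Object type (as in --type=) -> (container RDNs under the suffix, naming attribute)
OBJECT_TYPES = {
    "hostgroup": ("cn=computers,cn=accounts", "fqdn"),  # hosts feed hostgroup rules
    "group": ("cn=users,cn=accounts", "uid"),            # users feed group rules
}

# RFC 4515 escaping: a name such as 'a)(fqdn=*' must not be able to widen the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(naming_attr: str, names=None) -> str:
    """All entries of the type when names is empty, otherwise an OR of exact matches."""
    if not names:
        return f"({naming_attr}=*)"
    terms = [f"({naming_attr}={escape_filter_value(n)})" for n in names]
    if len(terms) == 1:
        return terms[0]
    return "(|" + "".join(terms) + ")"


def build_rebuild_task(obj_type, suffix, names=None, task_name=None):
    """Return (dn, attrs) for a task entry that re-applies automember rules."""
    if obj_type not in OBJECT_TYPES:
        raise ValueError(f"unknown type {obj_type!r}; expected one of {sorted(OBJECT_TYPES)}")
    container, naming_attr = OBJECT_TYPES[obj_type]
    task_name = task_name or f"automember_rebuild_{uuid.uuid4()}"
    dn = f"cn={task_name},{TASK_CONTAINER}"
    attrs = {
        "objectClass": ["top", "extensibleObject"],
        "cn": [task_name],
        "basedn": [f"{container},{suffix}"],
        "filter": [build_filter(naming_attr, names)],
        "scope": ["sub"],
    }
    return dn, attrs


def to_ldif(dn, attrs) -> str:
    """Render the task entry as LDIF, suitable for ldapadd against cn=config."""
    lines = [f"dn: {dn}"]
    for attr, values in attrs.items():
        lines.extend(f"{attr}: {v}" for v in values)
    return "\n".join(lines) + "\n"


def task_finished(entry: dict) -> bool:
    """A synchronous caller (no --no-wait) re-reads the task entry until this is true."""
    return "nstaskexitcode" in entry


if __name__ == "__main__":
    suffix = "dc=example,dc=com"  # constructed sample suffix
    # Equivalent of the proposed `automember-rebuild-membership --type=hostgroup`
    print(to_ldif(*build_rebuild_task("hostgroup", suffix, task_name="all-hosts")))
    # Equivalent of the proposed `host-rebuild-membership HOST` for one host
    print(to_ldif(*build_rebuild_task("hostgroup", suffix, ["web1.example.com"], "one-host")))
```

The single-host form keeps every other host's membership untouched, which is the robustness point raised in comment 4; the wildcard form is the fix-up task over the whole container.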

comment:8 Changed 4 years ago by dpal

  • Red Hat Bugzilla set to todo
  • Milestone changed from 0.0 NEEDS_TRIAGE to 2013 Month 09 - September (3.4)

comment:9 Changed 3 years ago by akrivoka

  • Owner changed from someone to akrivoka
  • Status changed from new to assigned

comment:10 Changed 3 years ago by mkosek

  • Milestone changed from 2013 Month 09 - September (3.4) to 2013 Month 10 - October (3.4)

3.4 development was shifted for one month, moving tickets to reflect reality better.

comment:11 Changed 3 years ago by akrivoka

  • Needs UI design set to Not needed
  • Design link set to http://www.freeipa.org/page/V3/Automember_rebuild_membership

Web UI part: #3928.

comment:12 (follow-up: 13) Changed 3 years ago by mkosek

I think that this work actually implements ticket #2004, I plan to move it to 3.4 as well.

comment:13 (in reply to: 12) Changed 3 years ago by akrivoka

Replying to mkosek:

I think that this work actually implements ticket #2004, I plan to move it to 3.4 as well.

Yes, #2004 looks like a duplicate of this ticket.

comment:14 Changed 3 years ago by akrivoka

  • Patch link changed from 0 to 1

comment:15 Changed 3 years ago by mkosek

  • Milestone changed from 2013 Month 10 - October (3.4) to 2013 Month 12 - December (3.4)

Adjusting time plan - 3.4 development was postponed as we focused on 3.3.x testing and stabilization.

comment:16 Changed 3 years ago by mkosek

Adjusting time plan - 3.4 development was postponed as we focused on 3.3.x testing and stabilization.

comment:17 Changed 3 years ago by mkosek

  • Status changed from assigned to closed
  • Resolution set to fixed

master:
6c9b3b02a4578f9985b343e4d6f716a7b829b8f0 Fix error message when adding duplicate automember rule
0ac63976324f93a9bba1b898c81ab740611f7fe5 Add unit tests for automember rebuild command
dfea5989f7edeb9ebc2d4fe42641e8818222761a Add a privilege and a permission needed for automember rebuild c
d97386de5b68c90c53362dda54b126fdc97e00b6 Add automember rebuild command

Last edited 3 years ago by mkosek

comment:18 Changed 3 years ago by mkosek

  • Design link changed from http://www.freeipa.org/page/V3/Automember_rebuild_membership to http://www.freeipa.org/page/V4/Automember_rebuild_membership
  • Release Notes modified

comment:19 Changed 3 years ago by mkosek

  • Red Hat Bugzilla changed from todo to 1108226 (https://bugzilla.redhat.com/show_bug.cgi?id=1108226)

Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1108226
