[Freeipa-devel] user interfaces & default values = problem

Martin Kosek mkosek at redhat.com
Mon Feb 11 12:49:11 UTC 2013 

On 02/11/2013 12:57 PM, Petr Spacek wrote:
> Hello list,
> 
> I realized one general problem we have with user interfaces for IPA & default
> values for various configuration options.
> 
> Let me use DNS dynamic update as an example:
> - We have "built-in" default configuration (disabled)
> - We have "global" configuration object (ipaDnsConfig)
> - We have "per-object" configuration (in each DNS zone)
> 
> IMHO user interface would be more usable if user can *see* which value is
> effective for particular service (and more generally any other object).
> 
> At the moment, command "ipa dnszone-show example.com" will not show "dynamic
> update" value if it is not configured in the zone itself.
> 
> E.g.
> [root at ipa1 ~]# ipa dnszone-show example.com
>   Zone name: example.com
>   Authoritative nameserver: ipa1.example.com.
>   Administrator e-mail address: hostmaster.example.com.
>   SOA serial: 1360583295
>   SOA refresh: 3600
>   SOA retry: 900
>   SOA expire: 1209600
>   SOA minimum: 3600
>   Active zone: TRUE
>   Allow query: any;
>   Allow transfer: none;
> 
> # No "Dynamic update" value is shown above ...
> 
> $ ipa dnsconfig-show
> [root at ipa1 ~]# ipa dnsconfig-show
> ---------------------------------
> Global DNS configuration is empty
> ---------------------------------
> 
> What is the built-in default? It is in bind-dyndb-ldap documentation ...
> 
> 
> It is hard to debug things when you can't *see* effective value. IMHO it would
> be good to add lines like:
>   Dynamic update: FALSE (inherited built-in default)
> and
>   Dynamic update: FALSE (inherited global configuration)
> 
> + some graphical representation of same thing to WebUI.
> 
> Exactly same problem applies to PAC type for each service etc, so some general
> solution would be nice.
> 
> Microsoft has something called "Resultant Set of Policy" for this purpose.
> 

Hello Petr,

in case of Dynamic update, we always configure the attribute with the setting,
we just do not show the attribute by default to not make the output
confusing... You need to pass --all option to show all zone configuration
settings, including update policy:

# ipa dnszone-show example.com --all
  dn: idnsname=example.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
  Zone name: example.com
  Authoritative nameserver: vm-037.idm.lab.bos.redhat.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 1360583513
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant IDM.LAB.BOS.REDHAT.COM krb5-self * A; grant
IDM.LAB.BOS.REDHAT.COM krb5-self
                      * AAAA; grant IDM.LAB.BOS.REDHAT.COM krb5-self * SSHFP;
  Active zone: TRUE
  Dynamic update: FALSE   <<<<<<<<
  Allow query: any;
  Allow transfer: none;
  nsrecord: vm-037.idm.lab.bos.redhat.com.
  objectclass: top, idnsrecord, idnszone

If people want to see this setting by default, we can of course show it by default.

As for the description - while text comments added to values look interesting:

>   Dynamic update: FALSE (inherited global configuration)

it is not so straightforward to be done in our framework. We try quite hard to
assign appropriate LDAP data types for different attributes which are then
encoded to appropriate native Python types in our framework. "Dynamic update"
is a BOOL type, so framework cannot return any text attached to it.

We now return this format:

{
    "error": null,
    "id": null,
    "principal": "admin at EXAMPEL.COM",
    "result": {
        "count": 1,
        "results": [
            {
                "error": null,
                "result": {
                    "dn": "idnsname=example.com,cn=dns,dc=example,dc=com",
                    "idnsallowdynupdate": [
                        "FALSE"
                    ],
                    "idnsallowquery": [
                        "any;"
                    ],
                    "idnsallowtransfer": [
                        "none;"
                    ],
                    ...
                },
                "summary": null,
                "value": "@"
            }
        ]
    },
    "version": "3.1"
}


To support what you propose, we would also need to to return something like
"meta-data" for the resulting dictionary returned by IPA server, for example as
another attribute in resulting dict:


{
    "error": null,
    "id": null,
    "principal": "admin at EXAMPEL.COM",
    "result": {
        "count": 1,
        "results": [
            {
                "error": null,
                "result": {
                    "dn": "idnsname=example.com,cn=dns,dc=example,dc=com",
                    "idnsallowdynupdate": [
                        "FALSE"
                    ],
                    "__rsop_idnsallowdynupdate": [
                        "inherited global configuration"
                    ],
                    ...
                },
                "summary": null,
                "value": "@"
            }
        ]
    },
    "version": "3.1"
}

... or in a separate tree:

{
    "error": null,
    "id": null,
    "principal": "admin at EXAMPEL.COM",
    "result": {
        ...
        },
    "meta": {
        "rsop": {
            "results": [
                {
                    "dn": "idnsname=example.com,cn=dns,dc=example,dc=com",
                    "idnsallowdynupdate": [
                        "inherited global configuration"
                }
                ],
            }
    }

Martin

More information about the Freeipa-devel mailing list