[Pki-devel] replication of new/modified profiles

Endi Sukma Dewata edewata at redhat.com
Thu Jul 3 02:51:12 UTC 2014 

On 7/2/2014 1:09 PM, Christina Fu wrote:
> In general, I think we all agree that putting profiles on ldap  is a
> good idea.  However, in practice, I think we want to allow admins to
> make changes to local files as they see fit.
>   Please see my in-line response below.

This is probably something that the admins will have to adapt 
eventually. I think in a replicated environment we shouldn't treat each 
server as unique individuals with "local" settings in files (including 
profiles). From user's perspective all replicas should be (mostly) 
identical. An admin, agent, or end entity should be able to go to any 
replica and get the same services, see the same data, etc. For this to 
work consistently, we want to minimize possible misconfiguration, so the 
number of local files should be minimized. The configuration (including 
profiles) should gradually be moved to LDAP, and the CLI/UI will be the 
primary way to manage the configuration.

To help the transition, CLI like proposed by Fraser could provide the 
experience of editing a local file but it's actually stored on LDAP. 
Also in the future the UI could provide an intuitive interface to manage 
the profiles, so the admins will no longer need to memorize the syntax 
of profile configuration file.

> Perhaps we can view files v.s. ldap as "localized" v.s. "centralized"
> instead of "system" v.s. "customized".
> Again, the benefit of putting profiles in ldap is so that it can be
> configured once and utilized by many.
> My comments below are based on such view.

Let's call this proposal #4: Localized & centralized profiles. If I 
understand this correctly, as an example server1 may have local profile1 
and profile2, server2 may have local profile1 and profile3, then we have 
centralized LDAP profile1 and profile4. The profile1 in server1, 
server2, and LDAP can be completely different although they share the 
same name.

>> 1. Continue to provide the system profiles in files.  These files will
>> be parsed and stored in LDAP when an instance is created.

> if the ldap copies are the "centralized" ones, then we don't want to
> override them at each installation of an instance. We could give admins
> an option to override what's stored in ldap during configuration.

I think the process to import the system profiles into LDAP should be 
done only once regardless of the number of replicas. Otherwise, suppose 
we removed one of the centralized profile (e.g. profile1), it might get 
added again when we install another replica.

> When a profile with the same id exists in both ldap and local system,
> then by default the one on ldap takes precedence. Although we could add
> "per profile" config param for each instance to change the view
> (remember the unix ns/yp config where you can set the order of the
> source? so if "file" is 1st in the order, then the local ones have
> priority, etc.)

I don't have a lot of experience as system admin, but I think managing 
individual machines is difficult so NIS (or LDAP, NFS, DNS, etc.) is 
used to transition to a centrally managed system. The order of sources 
is set up such that eventually everything can be moved into a single 
source. For example, once we have NIS, we add new users in NIS instead 
of locally on each machine (unless absolutely necessary) even if a user 
might use a specific machine only.

> With this, a site that has carefully crafted their profiles and stored
> in ldap to share among all ca instances don't have to bother changing
> anything for each ca instance created (because they are default to the
> ldap).
> Upgrade will also not affect the ldap copies inadvertently.

>> 2. All profiles for an instance should live in LDAP.  This makes it
>> simple - no need to check to see if a profile is in LDAP or files or
>> both, and which has priority etc.  Tools will be provided to manage/
>> create/delete profiles etc.

> It might be simple, but we need to think about what's the value of them
> existing in ldap and not being shared by others.

What is the use case for having local profiles that will not or cannot 
be shared with other replicas? If sharing the profile doesn't pose any 
problem we might as well store "local" profiles in LDAP so they can be 
handled more consistently.

>> 3. Updates to system profile files will not affect the existing LDAP
>> profiles.  We can provide update scripts or manual instructions for
>> admins to run when they opt to do so.  This will be for behavioral
>> changes.

> so, in the view I specified above, update to the "local" profiles will
> only affect the  instance where they exist, however, we can allow option
> for admins to "publish" to ldap.

The problem with local profiles in files is that they are not 
replicated, so in case the machine is hosed, all local settings is gone, 
including the profiles. Unless the admin created a backup for each 
machine, it will be difficult to restore the machine quickly. The 
replicated LDAP profiles will take care of this problem automatically. 
In other proposals the system profiles in files are read-only and not 
customizable, so there's no local profiles that need to be backed up.

-- 
Endi S. Dewata

More information about the Pki-devel mailing list