On Thu, 27 Jun 2019, lejeczek via FreeIPA-users wrote:
On 27/06/2019 18:14, Alexander Bokovoy wrote:
> On Thu, 27 Jun 2019, lejeczek via FreeIPA-users wrote:
>> hi guys
>>
>> hi @devel, I'm hoping you guys will stumble upon this here, which is a
>> question from me - I was thinking it would be great to have among ipa
>> commands a set of arguments/options which would, when executed, give out
>> either true or false, which to us admins/users would/could be of great
>> help.
>>
>> For example:
>>
>> ipa is-renewal-master
>>
>> ipa is-dns
>>
>> ipa is-ca
>>
>> etc.
>>
>> I think it would be great to have such little bits in the toolkit.
>> Anybody else?
> We have ipa server-role-* already:
>
> ipa help serverrole
>
> e.g.
>
> ipa server-role-find
>
> will show all known roles.
>
I appreciate IPA, trust me, a lot, I'm sure we all do (if it ever was put
to a vote for the best innovating (in every way) product in the Linux
sphere in recent years, I'd only hesitate because of systemd, but would
give my vote to freeipa), and what is already there in the IPA command line.
But I'm sure you can see that what I'm suggesting is quite different from
what 'ipa server-role-find' does. Actually, interestingly, systemd covers
those bits.

$ ipa is-ca-renewal-master && echo Yeaahh

Those would be really good to have. I cannot guess how many, but possibly
for those most interesting questions the results would be great to have
given by ipa is*.
Anyway, that is what I think, but by no means would I imply that lack of
it diminishes IPA whatsoever.
You can wrap around IPA for this already. We don't have a handy tool and
I understand you want one, but there are a few things you need to consider:

- server roles' attributes are dynamic. The CA renewal master can be moved
  around, for example
- access to certain information requires authentication. Anything that
  is dynamically discovered from the IPA datastore needs authentication

This pretty much removes the ability to easily query 'ipa something', as you
need to be authenticated. But once you are authenticated, you can
request that information easily.

So we have two separate commands:

- for server role status you do 'ipa server-role-find' to see all
  servers and associated roles
- for aspects of those roles you can use 'ipa config-show' to see those
  aspects.
There are four aspects right now:

  IPA masters: <hostname>
  IPA CA servers: <hostname>
  IPA CA renewal master: <hostname>
  IPA master capable of PKINIT: <hostname>
If you want to write a tool, 'ipa console' can be used to get low-level
access to the data:

$ cat ~/todo/serverroles.console
# 'api' is provided by 'ipa console'; config_show needs you to be authenticated
result = api.Command.config_show()['result']
keys = ['ca_server_server', 'ca_renewal_master_server',
        'ipa_master_server', 'pkinit_server_server']
for key in keys:
    print("{key}: {value}".format(key=key, value=result[key]))

$ ipa console ~/todo/serverroles.console
ca_server_server: ('master.example.com',)
ca_renewal_master_server: master.example.com
ipa_master_server: ('master.example.com',)
pkinit_server_server: ('master.example.com',)
You can format the data as you want. CA renewal master is a single one,
so it is returned as a single element. Other aspects can be presented on
multiple systems and thus return lists.
I'm not against having something handy in the tooling but I think you
already have means to bootstrap your needs even without modifications of
IPA itself.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
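The 'ipa console' approach from Alexander's reply turned into the boolean 'ipa is-*' style checks lejeczek asked for, as an added example that is neither from the thread nor FreeIPA's own code. It assumes that 'ipa console' injects `api` into the script namespace (as the thread's script relies on) and that `api.env.host` holds the local FQDN; the config dict and host name used outside the console are constructed sample data.

```python
# Added example (not from the thread and not FreeIPA's own code): the boolean
# `ipa is-*` style checks requested in the thread, built on `ipa console`.
# Run as `ipa console /path/to/roles.console`; outside the console the
# constructed sample below is used so the logic can be exercised offline.

try:
    api  # assumed: injected into the script namespace by `ipa console`
except NameError:
    api = None

# Constructed sample mirroring the shape shown in the thread: multi-host
# aspects are tuples, the CA renewal master is a single string.
SAMPLE_CONFIG = {
    "ipa_master_server": ("master.example.com", "replica1.example.com"),
    "ca_server_server": ("master.example.com", "replica1.example.com"),
    "ca_renewal_master_server": "master.example.com",
    "pkinit_server_server": ("master.example.com",),
}

def role_status(config, host):
    """Return {role name: bool} telling whether `host` holds each role."""
    # Desired `ipa is-*` names mapped to the config-show keys from the thread.
    role_keys = {
        "is-master": "ipa_master_server",
        "is-ca": "ca_server_server",
        "is-ca-renewal-master": "ca_renewal_master_server",
        "is-pkinit": "pkinit_server_server",
    }

    def hosts(value):
        # config-show gives a tuple for multi-host aspects, a plain string
        # for the CA renewal master, and nothing for roles not installed.
        if value is None:
            return set()
        if isinstance(value, str):
            value = (value,)
        return {h.lower().rstrip(".") for h in value}

    host = host.lower().rstrip(".")
    return {name: host in hosts(config.get(key)) for name, key in role_keys.items()}

if api is not None:
    # Live query; needs authentication, as the thread notes. `api.env.host`
    # (the local FQDN) is an assumption about the ipalib API.
    config, host = api.Command.config_show()["result"], api.env.host
else:
    config, host = SAMPLE_CONFIG, "replica1.example.com"  # constructed host
for name, ok in role_status(config, host).items():
    print("%s %s" % (name, "true" if ok else "false"))
```

A shell test such as `ipa console roles.console | grep -qx 'is-ca-renewal-master true' && echo Yeaahh` then gives the true/false exit status described earlier in the thread.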