
V4/Automember rebuild membership

Name: V4/Automember rebuild membership
Tickets: #3752 , #3928
Target version: 4.1.0
Status: Pending review
Last updated: 2016-04-25 by Alich

Overview

Integrate the rebuild membership feature of the automember DS plugin into IPA CLI and Web UI.

Use Cases

Make sure that user or host membership can be easily rebuilt, based on new or updated automember rules.

Design

Add a new CLI command ipa automember-rebuild, to rebuild auto membership for specified entries. Hook the command into web UI appropriately.

Note that the automember rebuild command only adds new membership relationships; it does not remove existing memberships that no longer match the automember rules.

Implementation

The newly added command will invoke the automember rebuild membership task, by creating an LDAP entry under cn=automember rebuild membership,cn=tasks,cn=config. The details of automember plugin tasks implementation and usage are described here.

Note
Initially, there was an idea to implement a --dry-run option for the automember rebuild command, which would only show what changes would be made, without actually performing any updates. This option would utilize the automember export updates task to obtain a list of changes to be made which would then be displayed to the user. Due to issues with accessing the resulting LDIF file of the automember export updates task, the decision was made not to implement the --dry-run option. An RFE ticket was opened with the 389-DS project, to provide a better way of accessing results of the automember export updates task. The complete discussion on the subject can be found on the related email thread on the freeipa-devel mailing list.

Feature Management

UI

Hook the new command into the web UI on the user and host pages. Add a new action 'Rebuild auto membership' and place it appropriately on these pages.

  • On the user search facet, add the new action to the action list. This makes it possible to rebuild auto membership for multiple users. Executing the action without selecting any users will run the task for all the users (using --type=group).
  • On the user details facet, add the new action to the action list. This makes it possible to rebuild auto membership for a single user.
  • On the host search facet, add the new action to the action list. This makes it possible to rebuild auto membership for multiple hosts. Executing the action without selecting any hosts will run the task for all the hosts (using --type=hostgroup).
  • On the host details facet, add the new action to the action list. This makes it possible to rebuild auto membership for a single host.

CLI

ipa automember-rebuild can be used to rebuild membership for all objects of a certain type:

   $ ipa automember-rebuild --type=group
   $ ipa automember-rebuild --type=hostgroup

It can also be used to rebuild membership for the specified entries:

   $ ipa automember-rebuild --hosts=HOSTNAME1 --hosts=HOSTNAME2
   $ ipa automember-rebuild --users=LOGIN1 --users=LOGIN2
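The Implementation section says the command works by creating an entry under cn=automember rebuild membership,cn=tasks,cn=config; the CLI forms above decide which entries that task covers. The following Python is an added illustration of that mapping, not FreeIPA's own code. It assumes the 389-DS task attributes basedn, filter and scope, assumes a hypothetical dc=example,dc=com layout for the user and host containers, and assumes objectclass-based filters for the --type forms. The part a practitioner should take from it is the RFC 4515 escaping of --users/--hosts values: those names come from the caller and are placed inside an LDAP filter, so they must be escaped before the task entry is written.

```python
import uuid

# Task container named on the design page.
TASK_CONTAINER = "cn=automember rebuild membership,cn=tasks,cn=config"

# Assumption: a typical FreeIPA layout under the suffix dc=example,dc=com.
USER_BASE = "cn=users,cn=accounts,dc=example,dc=com"
HOST_BASE = "cn=computers,cn=accounts,dc=example,dc=com"

# Assumption: filters used to select "all users" / "all hosts" for --type.
TYPE_FILTERS = {
    "group": (USER_BASE, "(objectclass=posixaccount)"),
    "hostgroup": (HOST_BASE, "(objectclass=ipahost)"),
}


def escape_filter_value(value):
    """Escape a string for use as an assertion value in an LDAP filter (RFC 4515).

    Backslash, '*', '(', ')' and NUL are replaced by \\xx hex escapes so that a
    caller-supplied login or hostname cannot change the structure of the filter.
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def or_filter(attr, values):
    """Build (attr=v) for one value or (|(attr=v1)(attr=v2)...) for several."""
    terms = ["(%s=%s)" % (attr, escape_filter_value(v)) for v in values]
    return terms[0] if len(terms) == 1 else "(|" + "".join(terms) + ")"


def build_rebuild_task(task_cn=None, type=None, users=None, hosts=None):
    """Return (dn, attrs) for an automember rebuild task entry.

    Exactly one of type / users / hosts must be given, mirroring the three CLI
    forms. attrs is a dict of attribute -> list of values, ready for an LDAP add.
    """
    given = [x for x in (type, users, hosts) if x]
    if len(given) != 1:
        raise ValueError("specify exactly one of --type, --users or --hosts")
    if type is not None:
        if type not in TYPE_FILTERS:
            raise ValueError("unknown type %r" % type)
        basedn, ldap_filter = TYPE_FILTERS[type]
    elif users:
        basedn, ldap_filter = USER_BASE, or_filter("uid", users)
    else:
        basedn, ldap_filter = HOST_BASE, or_filter("fqdn", hosts)

    task_cn = task_cn or "automember-rebuild-" + uuid.uuid4().hex
    dn = "cn=%s,%s" % (escape_dn_value(task_cn), TASK_CONTAINER)
    attrs = {
        "objectclass": ["top", "extensibleObject"],
        "cn": [task_cn],
        "basedn": [basedn],
        "filter": [ldap_filter],
        "scope": ["sub"],
    }
    return dn, attrs


def escape_dn_value(value):
    """Minimal RFC 4514 escaping for a value used as an RDN attribute value."""
    special = ",+\"\\<>;="
    out = "".join("\\" + ch if ch in special else ch for ch in value)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def to_ldif(dn, attrs):
    """Render the task entry as LDIF suitable for ldapadd."""
    lines = ["dn: " + dn]
    for attr, values in attrs.items():
        lines.extend("%s: %s" % (attr, v) for v in values)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed inputs corresponding to the CLI examples above.
    print(to_ldif(*build_rebuild_task("t1", type="hostgroup")))
    print(to_ldif(*build_rebuild_task("t2", hosts=["web1.example.com", "web2.example.com"])))
```

The escaping matters because an unescaped login such as `a)(uid=*` would turn a two-user rebuild into a directory-wide one; with escaping, the value is matched literally and the task scope stays what the caller asked for.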

Updates and Upgrades

A new ACI, a permission and a privilege will be created in order to support creation of automember tasks:

  • privilege: Automember Task Administrator, which will contain two permissions listed below
  • permission: Add Automember Rebuild Membership Task
  • underlying ACI for the permission listed above

How to Test

Add a hostgroup:

   $ ipa hostgroup-add --desc="Web Servers" webservers

Add a host:

   $ ipa host-add web1.example.com --force

Add an automember rule:

   $ ipa automember-add --type=hostgroup webservers
   $ ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers

The automember feature is now working for newly added entries. If we add a new host, it will be automatically placed in the appropriate hostgroup:

   $ ipa host-add web2.example.com --force
   $ ipa hostgroup-show webservers
     Host-group: webservers
     Description: Web Servers
     Member hosts: web2.example.com

However, the old host entry for web1.example.com is still not a member of the webservers hostgroup. By introducing the new automember-rebuild command, we make it possible to fix this:

   $ ipa automember-rebuild --type=hostgroup

or

   $ ipa automember-rebuild --hosts=web1.example.com

will run the automember rebuild membership task and consequently place the host in the appropriate hostgroup:

   $ ipa hostgroup-show webservers
     Host-group: webservers
     Description: Web Servers
     Member hosts: web2.example.com, web1.example.com

The same mechanism applies for users and groups.
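The walk-through above, together with the design note that rebuild only adds memberships, can be modelled in a few lines. The following Python is an added example, not part of the original page or of the plugin: a simplified evaluator for automember rules (inclusive regexes must match the keyed attribute, any exclusive regex vetoes), a model of what happens when an entry is added after the rule exists, and a model of the rebuild task. It replays the webservers scenario and then tightens the rule to show the caveat a practitioner should plan for: a host that stops matching keeps its membership after a rebuild, so stale memberships have to be removed explicitly.

```python
import re


def rule_matches(rule, entry):
    """Simplified automember rule evaluation (assumption: exclusive regexes win).

    rule = {"inclusive": [(key, regex), ...], "exclusive": [(key, regex), ...]}
    entry = {attribute: value}
    """
    for key, pattern in rule["exclusive"]:
        if re.search(pattern, entry.get(key, "")):
            return False
    return any(re.search(pattern, entry.get(key, ""))
               for key, pattern in rule["inclusive"])


def add_entry(directory, groups, rules, name, entry):
    """Model of the plugin at add time: new entries are evaluated immediately."""
    directory[name] = entry
    for group, rule in rules.items():
        if rule_matches(rule, entry):
            groups.setdefault(group, set()).add(name)


def rebuild(directory, groups, rules, names=None):
    """Model of ipa automember-rebuild: re-evaluate existing entries.

    names=None corresponds to --type (all entries); a list corresponds to
    --hosts / --users. Membership is only ever added, never removed.
    Returns {group: set(newly added names)}.
    """
    targets = list(directory) if names is None else names
    added = {}
    for name in targets:
        entry = directory[name]
        for group, rule in rules.items():
            members = groups.setdefault(group, set())
            if rule_matches(rule, entry) and name not in members:
                members.add(name)
                added.setdefault(group, set()).add(name)
    return added


def stale_members(directory, groups, rules):
    """Report members that no longer match the rule of their group.

    This is the check a rebuild does not do for you; results would be fed to
    hostgroup-remove-member / group-remove-member by an administrator.
    """
    return {group: {m for m in members
                    if not rule_matches(rules[group], directory[m])}
            for group, members in groups.items() if group in rules}


def walkthrough():
    """Replay the How to Test scenario with constructed sample hosts."""
    directory, groups, rules = {}, {"webservers": set()}, {}
    # web1 is added before any automember rule exists.
    add_entry(directory, groups, rules, "web1.example.com",
              {"fqdn": "web1.example.com"})
    # Rule from the walk-through: --key=fqdn --inclusive-regex=^web[1-9]+\.example\.com
    rules["webservers"] = {"inclusive": [("fqdn", r"^web[1-9]+\.example\.com")],
                           "exclusive": []}
    # web2 is added after the rule exists and is placed automatically.
    add_entry(directory, groups, rules, "web2.example.com",
              {"fqdn": "web2.example.com"})
    before = set(groups["webservers"])
    # ipa automember-rebuild --hosts=web1.example.com
    rebuild(directory, groups, rules, ["web1.example.com"])
    after = set(groups["webservers"])
    # Tighten the rule so web2 no longer matches, then rebuild everything
    # (ipa automember-rebuild --type=hostgroup). web2 stays a member.
    rules["webservers"]["exclusive"].append(("fqdn", r"^web2\."))
    rebuild(directory, groups, rules)
    after_tighten = set(groups["webservers"])
    stale = stale_members(directory, groups, rules)["webservers"]
    return before, after, after_tighten, stale


if __name__ == "__main__":
    for label, value in zip(("before", "after", "after_tighten", "stale"),
                            walkthrough()):
        print(label, sorted(value))
```

The `stale_members` helper is the piece to keep in mind when rules are used to gate access: since a rebuild never removes anyone, tightening a rule must be followed by an explicit review of current members.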

Test Plan

See test_automember_plugin.py for the list of test cases.

RFE Author

akrivoka (talk)