groups/minion lookup refactor? Re: [PATCH] Subgroups

Wouter Spee wrote:
Hi,

Attached is a patch which enables the use of one-level-deep subgroups.
The subgroup definition takes the following form:

[webservers]
host = http1.example.com; http2.example.com

[mailservers]
host = mail1.example.com; mail2.example.com

[webmail]
subgroup = mailservers; webservers

Applied and pushed. Thanks!

All of that minion name and group name code could probably eventually use a cleanup though (all of the code that is, I'm not calling out your patch or anything ;-> ). It's gotten to be pretty gnarly for what should probably be pretty simple.

A few ideas that have been bouncing in my head on what we should be able to do:

1. Make it pluggable. Ideally, we'd be able to plug in other backends to that code in place of the current file based approach. One obvious plugin would be some sort of LDAP support. Another would perhaps be using a sqlite db for the minion names/certs/groups. I suspect the current code will get pretty slow with a significant number of minions, since we could be loading all of the certs from individual files on a "func '*'". Ideally, certmaster would change correspondingly.

2. Groups should be more flexible. Ideally, arbitrary subgrouping should be supported. It would be nice if groups/aliases could match against queries (be it glob, regex, ldap, or whatever the backend supports). aka, webservers = www*.example.com as a group.

3. negation support in minion selections. A couple folks have requested support for something like "func '*' --exclude 'www*' do whatever" and that seems like a good idea.

4. independence from certmaster style certs. In theory, we support puppet ca style certs, but it would be nice if we could run sans certmaster (and use puppet certs, or whatever method a user has for getting certs [ldap, etc]). I'm mostly thinking of operation, not code dependencies between func/certmaster (which is also a possibility).


Not sure what to do about minion side ACL support. Right now it's solely based on the overlord cert making the request. It would be nice if ACLs could be based on group definition as well, but that requires a centralized source for the group definitions (say, ldap...). I suppose minions could query the certmaster for group definitions, but I think I'd rather avoid that.

Thoughts?

Adrian

_______________________________________________
Func-list mailing list
Func-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/func-list
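As an added illustration (not code from the patch or from func itself), the following Python sketch resolves a groups file in the syntax Wouter's patch uses and also covers two of the ideas in Adrian's list: groups defined by a glob (idea 2) and an exclude list on the selector (idea 3). It goes beyond the patch in following subgroup references to arbitrary depth, with cycle protection. The `pattern` key, the `@group` selector prefix, the `exclude` argument and the sample inventory are assumptions made for the example, not func's actual configuration keys or API.

```python
"""Added example: minion selection over a func-style groups file.

Assumed, not func's real API: the `pattern` key, the `@group` selector
prefix and the `exclude` argument. Group resolution only ever returns
names that are in the known-minion inventory, so a glob group cannot
select a host the overlord does not already have a cert for.
"""
import configparser
import fnmatch

# Constructed sample input: the groups file from the thread, plus an
# assumed glob-based group and a deliberately self-referencing group.
SAMPLE_GROUPS = """\
[webservers]
host = http1.example.com; http2.example.com

[mailservers]
host = mail1.example.com; mail2.example.com

[webmail]
subgroup = mailservers; webservers

[www]
pattern = www*.example.com

[loop]
subgroup = loop; webservers
"""

# Constructed inventory standing in for the minion certs on disk.
KNOWN_MINIONS = [
    "http1.example.com", "http2.example.com",
    "mail1.example.com", "mail2.example.com",
    "www1.example.com", "www2.example.com", "db1.example.com",
]


def _split(value):
    """Split a ';'-separated value into a list of non-empty tokens."""
    return [v.strip() for v in value.split(";") if v.strip()]


def load_groups(text):
    """Parse the groups file into {group: {'host': [...], 'subgroup': [...], 'pattern': [...]}}."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    groups = {}
    for section in parser.sections():
        groups[section] = {
            key: _split(parser.get(section, key, fallback=""))
            for key in ("host", "subgroup", "pattern")
        }
    return groups


def expand_group(groups, name, known, _seen=None):
    """Return the set of minions in group `name`, following subgroups.

    A group already visited (cycle or diamond) contributes nothing the
    second time. An unknown group name raises KeyError so a typo in a
    subgroup line fails loudly instead of silently selecting nothing.
    """
    seen = set() if _seen is None else _seen
    if name in seen:
        return set()
    seen.add(name)
    spec = groups[name]
    result = set(spec["host"])
    for pat in spec["pattern"]:
        result.update(fnmatch.filter(known, pat))
    for sub in spec["subgroup"]:
        result |= expand_group(groups, sub, known, seen)
    return result


def select_minions(expr, groups, known, exclude=()):
    """Resolve a selector such as '*', 'www*' or '@webmail' against the inventory."""
    if expr.startswith("@"):
        chosen = expand_group(groups, expr[1:], known)
    else:
        chosen = set(fnmatch.filter(known, expr))
    for pat in exclude:
        # Negation, as in the "--exclude 'www*'" idea from the thread.
        chosen -= set(fnmatch.filter(chosen, pat))
    return sorted(chosen)


if __name__ == "__main__":
    groups = load_groups(SAMPLE_GROUPS)
    for selector in ("@webmail", "@www", "@loop"):
        print(selector, select_minions(selector, groups, KNOWN_MINIONS))
    print("* minus www*", select_minions("*", groups, KNOWN_MINIONS, exclude=["www*"]))
```

Two design choices are worth noting against the thread. Matching patterns only against the known-minion list keeps the selector from widening the set of hosts an overlord can address beyond those it already holds certs for, which matters once group definitions move to a shared backend such as LDAP. And the `seen` set makes arbitrary-depth subgrouping safe against a group that (directly or indirectly) includes itself, which is the main reason a one-level limit is the simpler first step.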
