Since the CS would be optionally installable on replicas the CS requests against such replicas should be redirected to other servers.
- Replica should be able to detect that there is no CS installed and redirect to another replica where CS is installed - Algorithm of failover should be sorted out. For example we have master and two replicas one with CS and another is without. The one that does not have CS should redirect to either primary or other replica. But say replica does not have a direct replication agreement with other replica. Would it still be able to redirect? How the server to which to redirect is chosen? What happens if chosen server is down? How redirect with failover would work then?
Should we consider enhancing clients like certmonger and ipa-client to be able to be redirected if they connected to the replica that does not have CS?
No redirection on the IPA server will be necessary. The server will figure out which CA to contact.
We may be able to do failover, not sure it will be in first iteration. The installed services are available to each master so we can find the installed CAs and pick one.
The issues I am concerned about are: - How we pick the one? Are we going to factor in topology or not? - What we should do if the one we picked did not respond? Fail the request and return the error or try more? How many? At what time we timeout and say enough?
Yup, those are the important questions.
All servers are equals so it shouldn't matter which one we choose conceptually but it might make a difference topology-wise (e.g. it may always pick the most expensive server). We have no insight into that though so we'd have to do some random pick.
What I'm suggesting is the first iteration may be try one and if it fails, fail the request.
It may be simple to loop over them and keep on trying, so who knows, maybe we can do that. For failover I'd say we keep trying until we either succeed or run out of servers.
Talked to Nalin. He agreed to take it over.
basically what rcritten suggests 0001-Select-a-server-with-a-CA-on-it-when-submitting-sign.patch
master: df0b927
Metadata Update from @dpal: - Issue assigned to nalin - Issue set to the milestone: FreeIPA 2.1 - 2011/06
Login to comment on this ticket.