*<dpal> rcrit, ayoung our UI and CLI allow pretty distractive things like removing keytab or cert of the core services or host. Such actions would lead to the installation to become unusable.
*<dpal> I think we should have some ways to prevent this.
*<dpal> May be for each server we add we explicitely remove the permissions to modify these services and hosts
*<dpal> What do you think?
*<rcrit> there would need to be an override
*<rcrit> need to be able to renew certs, keytabs, etc
*<ayoung> rcrit, there would be; the acis
*<rcrit> acis don't do overrides
*<ayoung> no, I mean, you go to the aci, turn off the rule, do the update, then turn it back on
*<rcrit> ew
*<dpal> rcrit, I do not know how to do it. We need to design it better. I will file a ticket
*<rcrit> I think an additional flag is probably better
*<dpal> But then we would have to handle it in UI too, right?
*<dpal> So logic will be: the plugin will detect that it is a critical server or host and will return a special attribute in the RPC/JSON call. The CLI will see if there is an override flag. If there is it will proceed in not return error. The UI will put a scary message or even say that such operation is not allowed from UI do it from command line.
*<dpal> rcrit, agree?
*<rcrit> uh, boy, that's really convoluted
*<rcrit> there are lots of services, this has to apply to replicas too
*<dpal> rcrit, it has to apply to all hosts that are in the replica table and all HTTP & LDAP services that are running on such hosts
*<rcrit> and DNS and host and perhaps others too
*<dpal> I do not think that determining this would be a hard task
*<dpal> rcrit, yes you are right
*<dpal> but it is still a finite list
*<rcrit> yes, I think we can get this from simo's new replica info
*<dpal> Yes. Viva simo! I will create a ticket.
*<rcrit> I think for the UI if we have a force checkbox that triggers an alert that when checked says "you are a crazy person for doing this but ok"
*<rcrit> on the cli you get what you ask for
*<dpal> rcrit, I think doing this from UI should be prohibited
*<rcrit> why?
*<dpal> If you are messing with these things you would have to use CLI anyways
*<dpal> so just go to CLI and do everything there
*<rcrit> ok, it just goes against our policy of "if you can do it on the cli you can do it in the ui"
*<dpal> To make sure you are not just doing it by mistake
*<dpal> rcrit, not exactly, it is a special case for the services and hosts that are a part of the infrastructure
*<rcrit> alright, I agree that it is necessary but this is a pretty big thing to integrate in the last week of development
*<dpal> We will triage
Metadata Update from @dpal: - Issue assigned to rcritten - Issue set to the milestone: Tickets Deferred
ipa-3-0: d4a1dc5
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.