Automember_rebuild_membership#
Overview#
Integrate the rebuild membership feature of the automember DS plugin into IPA CLI and Web UI.
Use Cases#
Make sure that user or host membership can be easily rebuilt, based on new or updated automember rules.
Design#
Add a new CLI command ipa automember-rebuild, to rebuild auto
membership for specified entries. Hook the command into web UI
appropriately.
Note that automember rebuild command only adds new membership relationship, it does not remove those that do not match automember rules.
Implementation#
The newly added command will invoke the
automember rebuild membership task, by creating an LDAP entry under
cn=automember rebuild membership,cn=tasks,cn=config. The details of
automember plugin tasks implementation and usage are described
here.
Feature Management#
UI
Hook the new command into the web UI: to the user and host pages. Add a new action ‘Rebuild auto membership’, and place it appropriately on these pages.
On the user search facet, add the new action to the action list. This makes it possible to rebuild auto membership for multiple users. Executing the action without selecting any users will run the task for all the users (using –type=group).
On the user details facet, add the new action to the action list. This makes it possible to rebuild automembership for a single user.
On the host search facet, add the new action to the action list. This makes it possible to rebuild auto membership for multiple hosts.
Executing the action without selecting any hosts will run the task for all the hosts (using –type=hostgroup).
On the host details facet, add the new action to the action list. This makes it possible to rebuild automembership for a single host.
CLI
ipa automember-rebuild can be used to rebuild membership for all
objects of certain type:
$ ipa automember-rebuild --type=group
$ ipa automember-rebuild --type=hostgroup
It can also be used to rebuild membership for the specified entries:
$ ipa automember-rebuild --hosts=HOSTNAME1 --hosts=HOSTNAME2
$ ipa automember-rebuild --users=LOGIN1 --users=LOGIN2
Updates and Upgrades#
A new ACI, a permission and a privilege will be created in order to support creation of automember tasks:
privilege:
Automember Task Administrator, which will contain two permissions listed belowpermission:
Add Automember Rebuild Membership Taskunderlying ACI for the permission listed above
How to Test#
Add a hostgroup:
`` $ ipa hostgroup-add –desc=”Web Servers” webservers``
Add a host:
`` $ ipa host-add web1.example.com –force``
Add an automember rule:
$ ipa automember-add --type=hostgroup webservers
$ ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers
The automember feature is now working for newly added entries. If we add a new host, it will be automatically placed in the appropriate hostgroup:
$ ipa host-add web2.example.com --force
$ ipa hostgroup-show webservers
Host-group: webservers
Description: Web Servers
Member hosts: web2.example.com
However, the old host entry for web1.example.com is still not a
member or the webservers hostgroup. By introducting the new
automember-rebuild commands, we make it possible:
`` $ ipa automember-rebuild –type=hostgroup``
or
`` $ ipa automember-rebuild –hosts=web1.example.com``
will run the automember rebuild membership task and consequently
place the host in the appropriate hostgroup:
$ ipa hostgroup-show webservers
Host-group: webservers
Description: Web Servers
Member hosts: web2.example.com, web1.example.com
The same mechanism applies for users and groups.
Test Plan#
See test_automember_plugin.py for the list of test cases.