Draft Test Cases for Fedora Server Final Criteria

Adam Williamson adamwill at fedoraproject.org
Fri Nov 21 00:23:17 UTC 2014


On Mon, 2014-11-17 at 14:32 -0500, Stephen Gallagher wrote:
> 
> 
> On Tue, 2014-11-04 at 16:58 -0500, Stephen Gallagher wrote:
> > So, at today's Server WG meeting, I was asked to come up with a
> > high-level draft of some additional requirements to validate for Final
> > criteria. Most of these probably should be Beta criteria in F22, but we
> > didn't have them as such this time around. I'll differentiate them as
> > such below. It should be understood that Final validation is a superset
> > of Beta validation, so anything we add in that category applies to both.
> > 
> > == Beta Criteria ==
> > 
> > === Domain Controller ===
> > * The Domain Controller must be capable of serving LDAP requests on port
> > 389. This should be validated by the use of the ldapsearch tool.
> > 
> > * The Domain Controller must be capable of serving TLS-encrypted LDAP
> > requests on port 389. This should be validated by the use of the
> > ldapsearch tool.
> > 
> > * The Domain Controller must be capable of serving LDAPS (LDAP encrypted
> > with SSL) over port 636. This should be validated by the use of the
> > ldapsearch tool.
> > 
> > * The Domain Controller must be capable of returning LDAP and LDAPS
> > search results using simple auth (the -x option to ldapsearch) or
> > SASL/GSSAPI auth (the -Y GSSAPI option). This should be validated by the
> > use of the ldapsearch tool.
> > 
> > * The Domain Controller must be capable of serving DNS host records on
> > port 53. This should be validated by the use of the 'dig' tool.
> > 
> > === FreeIPA Domain Client ===
> > * Enrolled clients must be capable of authenticating against a valid
> > user account using SSSD.
> > * Enrolled clients must honor FreeIPA HBAC rules for access-control.
> > * Enrolled clients must be able to change their passwords according to
> > the password policy specified by the FreeIPA server.
> > * Users must be capable of performing password-less single-sign-on
> > between two enrolled clients using GSSAPI.
> > 
> > 
> > == Final Criteria ==
> > 
> > === Domain Controller ===
> > * The Domain Controller must be capable of serving DNS SRV records for
> > ldap and kerberos on port 53. This is used for auto-discovery.
> > 
> > === FreeIPA Domain Client ===
> > * When configured to use the Domain Controller for DNS services, the
> > domain client must be able to use DNS to discover the Domain Controller
> > address using SRV records.
> > 
> > * When configured to use FreeIPA for host-key validation, initial SSH
> > between domain clients should not prompt the user to accept the SSH
> > public key.
> 
> 
> Any other comments on this? We enter Freeze tomorrow and I'd like for us
> to have a clear view of what we're willing to block on.

As these were approved at a meeting I will tweak them up a bit and add
them to the criteria pages. However, I'd add a side note that they clash
a tad with the overall design philosophy of the existing criteria, which
is generally to emphasize the ultimate user/admin-visible behaviour. To
take the clearest example, consider this criterion:

"The Domain Controller must be capable of serving DNS SRV records for
ldap and kerberos on port 53. This is used for auto-discovery."

The general approach taken by the current criteria would be to write a
requirement that auto-discovery of controllers must work - i.e. focus on
the ultimate desired behaviour (the auto-discovery), not require a
specific technical behaviour that is currently used to implement it
('serve a DNS SRV record for these services on this port'). The basic
idea is that the technical implementation of desired behaviours is
likely to change more often than the desired behaviours themselves,
hence leading to more work to keep the criteria up to date if the
'describe specific technical implementation details' approach is taken.

I don't think it's a critical problem, especially for the requirements
which are specific to the domain controller role, as we want to separate
those from the release criteria per se for F22+ anyway - I just thought
I'd note it.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net
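
The server-side checks named in the quoted draft criteria, as an added example that is not part of the original thread or of any Fedora test case: one `ldapsearch` or `dig` invocation per criterion, with a dry-run mode that prints the commands. The host, domain and base DN arguments, the check labels, and the `_ldap._tcp` / `_kerberos._udp` record names are assumptions, and the GSSAPI checks assume a Kerberos ticket is already held.

```sh
#!/bin/sh
# Added example (not from the thread): server-side checks from the quoted draft.
# Host, domain and base DN are constructed placeholders supplied by the caller.
# Assumes a Kerberos ticket (kinit) is already held for the GSSAPI checks.

# check LABEL CMD...: with DRY_RUN set, print the command instead of running it.
# Otherwise PASS only if CMD exits 0 and prints something, because dig exits 0
# even when the answer section is empty.
check() {
    label=$1; shift
    if [ -n "${DRY_RUN:-}" ]; then printf '%s: %s\n' "$label" "$*"; return 0; fi
    if out=$("$@" 2>/dev/null) && [ -n "$out" ]; then
        echo "PASS $label"
    else
        echo "FAIL $label"; return 1
    fi
}

# dc_checks HOST DOMAIN BASEDN: run every check; exit status = number of failures.
dc_checks() {
    host=$1; domain=$2; base=$3; fails=0
    set -- -LLL -b "$base" -s base '(objectClass=*)' dn   # shared search arguments

    # Beta: LDAP on 389, StartTLS on 389 (-ZZ requires StartTLS to succeed),
    # LDAPS on 636, each with simple auth (-x).
    check ldap-simple     ldapsearch -x     -H "ldap://$host:389"  "$@" || fails=$((fails+1))
    check starttls-simple ldapsearch -x -ZZ -H "ldap://$host:389"  "$@" || fails=$((fails+1))
    check ldaps-simple    ldapsearch -x     -H "ldaps://$host:636" "$@" || fails=$((fails+1))
    # Beta: SASL/GSSAPI auth over LDAP and LDAPS.
    check ldap-gssapi  ldapsearch -Y GSSAPI -H "ldap://$host:389"  "$@" || fails=$((fails+1))
    check ldaps-gssapi ldapsearch -Y GSSAPI -H "ldaps://$host:636" "$@" || fails=$((fails+1))
    # Beta: DNS host record. Final: SRV records used for auto-discovery.
    # Each query is sent to the Domain Controller itself (@host, default port 53).
    # The SRV owner names below are the conventional ones (assumption).
    check dns-a        dig +short "@$host" "$host" A                    || fails=$((fails+1))
    check srv-ldap     dig +short "@$host" "_ldap._tcp.$domain" SRV     || fails=$((fails+1))
    check srv-kerberos dig +short "@$host" "_kerberos._udp.$domain" SRV || fails=$((fails+1))
    return "$fails"
}

# Run for real only when called with HOST DOMAIN BASEDN.
if [ "$#" -eq 3 ]; then dc_checks "$@"; fi
```

Setting `DRY_RUN=1` prints the eight commands without contacting the server, which is useful for reviewing the check list before a validation run.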


