[Freeipa-devel] [SSSD] Proposed changes to the HBAC grammar

Simo Sorce ssorce at redhat.com
Fri Nov 19 14:11:08 UTC 2010


On Fri, 19 Nov 2010 13:41:09 +0100
Jakub Hrozek <jhrozek at redhat.com> wrote:

> On Thu, Nov 18, 2010 at 03:17:02PM -0500, Simo Sorce wrote:
> > On Thu, 18 Nov 2010 16:23:38 +0100
> > Jakub Hrozek <jhrozek at redhat.com> wrote:
> > 
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > > 
> > > On 11/18/2010 02:24 PM, Simo Sorce wrote:
> > > > On Thu, 18 Nov 2010 07:21:04 -0500
> > > > Stephen Gallagher <sgallagh at redhat.com> wrote:
> > > > 
> > > >> Doing the forward septets is easy (1*x..7*x), but the reverse
> > > >> septets are more complicated (since they would be
> > > >> (y-1*x..y-7*x), where y is the total number of days in the
> > > >> month (which also has to account for leap years).
> > > >>
> > > >> I think it might be a nice enhancement, but I recommend that
> > > >> we not include it right now, given the tight release schedule
> > > >> for FreeIPA v2.
> > > > 
> > > > As I said before it is a now or never condition.
> > > > If you do not put it in now, then when you put it in, old
> > > > clients will not understand the rule. And they will have only
> > > > one option, always deny access, because they have no way to
> > > > understand when it is ok to allow/deny it.
> > > > 
> > > > Simo.
> > > > 
> > > 
> > > In that case, should we have some version identifier, too? In
> > > case we identify some flaw later on and need to change the format
> > > once again.
> > 
> > And what should a client do when it finds a version it does not
> > understand ?
> > 
> > Simo.
> > 
> 
> At least log it. If the client finds an HBAC rule it does not
> understand it would just error out (which is the better case; what if
> the syntax in the new version was the same but the semantics were not?)

Exactly.
So as soon as you store a new rule, all machines with the older client
will start refusing every access ... not a good idea imo.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
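The fail-closed behaviour the thread converges on (an older client that meets a rule version it does not understand logs the fact and denies, and therefore one new-format rule in the rule set denies every access on every old client) is shown below as an added example. It is not FreeIPA or SSSD code: the `v<N> user= host= svc=` rule syntax, the `Rule`/`HbacClient` names and the sample rule set are constructed here for illustration only, and a real evaluator would also have to handle deny rules and group membership, which this sketch omits.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("hbac")


@dataclass(frozen=True)
class Rule:
    """One parsed HBAC rule (hypothetical shape, not the real IPA schema)."""
    version: int
    user: str      # '*' matches any user
    host: str      # '*' matches any host
    service: str   # '*' matches any service


def parse_rule(text: str) -> Rule:
    """Parse the constructed format 'v<N> user=<u> host=<h> svc=<s>'.

    Raises ValueError on anything it cannot read; the caller treats that
    exactly like an unknown version (log and deny).
    """
    head, *fields = text.split()
    if not (head.startswith("v") and head[1:].isdigit()):
        raise ValueError(f"bad rule header in {text!r}")
    kv = {}
    for field in fields:
        if "=" not in field:
            raise ValueError(f"bad field {field!r} in {text!r}")
        key, value = field.split("=", 1)
        kv[key] = value
    return Rule(int(head[1:]), kv.get("user", "*"),
                kv.get("host", "*"), kv.get("svc", "*"))


class HbacClient:
    """A client that understands a fixed set of rule-format versions."""

    def __init__(self, supported_versions):
        self.supported = frozenset(supported_versions)

    @staticmethod
    def _matches(rule: Rule, user: str, host: str, service: str) -> bool:
        return all(pattern in ("*", value) for pattern, value in
                   ((rule.user, user), (rule.host, host), (rule.service, service)))

    def decide(self, rule_texts, user, host, service) -> str:
        """Return 'allow' or 'deny' for one access request.

        Fails closed: a single rule this client cannot parse, or whose
        version it does not support, denies the request outright, because
        the client cannot tell whether that rule would have allowed or
        denied it (or overridden another rule).
        """
        decision = "deny"
        for text in rule_texts:
            try:
                rule = parse_rule(text)
            except ValueError as exc:
                log.error("unparseable HBAC rule, denying: %s", exc)
                return "deny"
            if rule.version not in self.supported:
                log.error("HBAC rule version %d not understood "
                          "(client supports %s); denying access",
                          rule.version, sorted(self.supported))
                return "deny"
            if self._matches(rule, user, host, service):
                decision = "allow"
        return decision


# Constructed sample rule set: the v2 rule stands in for a rule written in
# a hypothetical newer grammar that an older client has never seen.
V1_RULES = ["v1 user=alice host=web01 svc=sshd"]
V2_RULES = V1_RULES + ["v2 user=bob host=* svc=sshd"]


def demo() -> dict:
    """Same request evaluated by an old (v1-only) and a new (v1+v2) client."""
    old_client = HbacClient({1})
    new_client = HbacClient({1, 2})
    return {
        "old_client_v1_only": old_client.decide(V1_RULES, "alice", "web01", "sshd"),
        "old_client_after_v2_rule": old_client.decide(V2_RULES, "alice", "web01", "sshd"),
        "new_client_after_v2_rule": new_client.decide(V2_RULES, "alice", "web01", "sshd"),
        "new_client_bob": new_client.decide(V2_RULES, "bob", "db01", "sshd"),
        "new_client_unmatched": new_client.decide(V2_RULES, "carol", "web01", "sshd"),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The second result in `demo()` is the situation Simo describes: alice's v1 rule is still there and still matches, but the mere presence of one v2 rule makes the old client deny her (and everyone else), while the client that understands v2 keeps working.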