[Freeipa-devel] [WIP] Add command to test HBAC rules
Alexander Bokovoy
abokovoy at redhat.com
Mon Jul 25 15:05:14 UTC 2011
On 25.07.2011 17:13, Dmitri Pal wrote:
> On 07/25/2011 10:12 AM, Rob Crittenden wrote:
>> My only problem with --all is it means we'd have an option with
>> different meaning in different contexts. Would this cause confusion?
>
> Yes this is exactly where I am coming from too.

I see where you are going, but the problem here is that the original --all
has one important issue:
- it changes CLI output even if I don't use output.Entry() in the
  plugin's has_output spec.

This creates confusion from another perspective -- we can't use --all for
saying 'I want the simulation to apply to ALL IPA enabled rules' and
this makes it impossible to distinguish two cases:
- I want to run simulation against enabled IPA rules and the ones I
  specified in --rules command *with* detailed information which rules
  passed and which did not (ipa hbactest --rules=[list] --all --detail).
- I want to run simulation against enabled IPA rules and the ones I
  specified in --rules command *without* detailed information which rules
  passed and which did not (ipa hbactest --rules=[list] --all).

I had to override output_for_cli() to disable this behavior.

I'd love to disable standard --all and --raw for hbactest command
because they make little sense for it. If --all is seen as confusing
with regard to uniform handling with other options, I can propose the
following two options:

  --enabled  -- add all enabled IPA rules into simulation
  --disabled -- add all disabled IPA rules into simulation

  ipa [...] --rules=[list] --[enabled|disabled] [--detail]

would cover:
1. Test user against rules specified in --rules, optionally adding all
   enabled (disabled) IPA rules and show detailed information which rules
   passed and which did not.
2. Test user against rules specified in --rules, optionally adding all
   enabled (disabled) IPA rules and report whether user would pass the check.

--
/ Alexander Bokovoy