[Freeipa-devel] [WIP] Add command to test HBAC rules

Alexander Bokovoy abokovoy at redhat.com
Tue Jul 26 03:23:13 UTC 2011


On 26.07.2011 00:13, Dmitri Pal wrote:
>> By default, if you don't supply --rules, --enabled, or --disabled, you
>> are targeting all enabled IPA rules (case 1 above). This is the default
>> because this is what people would probably like to test: whether a user is
>> able to access the service.
>>
>> So, the default one (no --rules, --enabled, or --disabled) would imply --enabled.
>>
> 
> Ok are we settled on:
> --enabled (if all flags are omitted this is default)
> --disabled
> --rules=a,b,c
Yes, this is my proposal too.

> or on
> --enabled=A, B, C (if all flags are omitted this is default)
> --disabled=X, Y, Z
I would rather not use this form; it does create confusion. To a user
of a command it is more important to specify a rule than to remember
whether the rule was enabled or disabled in the database. It is hbactest's
responsibility to find the rule, convert it to enabled if it was
explicitly specified, and use it for simulation. Making
--enabled/--disabled take arguments introduces unneeded information
waste into the operation.

I'll send an updated patch proposal today.

-- 
/ Alexander Bokovoy
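
The rule selection discussed in this message, sketched as an added example (not code from the patch or from FreeIPA). The `Rule` class, `select_rules`, `forced_on` and the sample rule names are hypothetical; treating combined flags as a union and simulating `--disabled` rules as switched on are assumptions.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Rule:
    name: str
    enabled: bool  # state as stored in the directory


def select_rules(all_rules, rules=None, enabled=False, disabled=False):
    """Return the rules a test run would evaluate for the given flags."""
    # No selector at all behaves like --enabled.
    if not rules and not enabled and not disabled:
        enabled = True
    by_name = {r.name: r for r in all_rules}
    selected = {}
    if enabled:
        selected.update({r.name: r for r in all_rules if r.enabled})
    if disabled:
        # Assumption: disabled rules are simulated as if switched on.
        selected.update({r.name: replace(r, enabled=True)
                         for r in all_rules if not r.enabled})
    for name in rules or []:
        if name not in by_name:
            raise KeyError(f"no such HBAC rule: {name}")
        # An explicitly named rule is used as enabled, whatever its stored state.
        selected[name] = replace(by_name[name], enabled=True)
    return sorted(selected.values(), key=lambda r: r.name)


def forced_on(all_rules, selected):
    """Names of selected rules that are disabled in the directory.

    A grant coming from one of these does not reflect what a live
    login would see, so a test report should flag them.
    """
    stored = {r.name: r.enabled for r in all_rules}
    return [r.name for r in selected if not stored[r.name]]


# Constructed sample data, not real rules.
RULES = [
    Rule("allow_all", True),
    Rule("allow_ssh_admins", True),
    Rule("allow_ftp_legacy", False),
]

if __name__ == "__main__":
    picked = select_rules(RULES, rules=["allow_ftp_legacy"])
    print([r.name for r in picked], "forced on:", forced_on(RULES, picked))
```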



