[Freeipa-devel] Screens For HBAC Testing (Ticket #388)
Endi Sukma Dewata
edewata at redhat.com
Thu Nov 10 17:06:54 UTC 2011
On 11/9/2011 4:32 PM, Dmitri Pal wrote:
> Since "from" host is unreliable, one of the latest decisions in SSSD was
> to ignore "from" host part of the rule by default (causes a lot of
> performance issues too) and have a config parameter to explicitly not
> ignore it. I think the UI should reflect in some way that "From" should
> not be generally used and not an "equal" citizen of the HBAC rule. We
> probably should update the existing UI too to discourage people from
> using it and also document it in man pages for HBAC and in the docs.
In HBAC test we can add a note saying the source host is optional. In
HBAC rule the default source host category is 'all', which has the same
effect. Should we display a warning when the category is changed?
The CLI will be changed to accept empty source host:
https://fedorahosted.org/freeipa/ticket/2085
--
Endi S. Dewata
More information about the Freeipa-devel
mailing list