[Freeipa-devel] Sudorules user validation help

Drew Erny derny at redhat.com
Wed May 27 18:41:34 UTC 2015


Hey, Freeipa-devel,

I'm working on ticket #3226 (https://fedorahosted.org/freeipa/ticket/3226)

I've identified the problem. The sudorules add user command adds the 
user validations at the end of its pre-callback using 
add_external_pre_callback. However, the "user" plugin pattern-matches a 
string for the "uid" param, because it only allows certain characters.

I've been picking through the codebase and I think I have enough 
understanding to ask this: What if we changed the user "uid" validation 
to a standalone "rule" function (you can do that, right? pass in a 
function as a validation rule?) that would normally just assert that the 
pattern matches, but could have that pattern matching validation 
overridden in some cases. I think that's the easiest, cleanest way to 
change user so that sudorules and other plugins can ignore this 
validation if necessary (I'm trying to figure out exactly how to 
implement this without changing any APIs).

Am I understanding the plugin params API correctly, and can I do this? 
Is this the best way to do this?

The only other solution I see is to write sudorules-specific code in 
some plugin-related (either user.py or baseldap.py module), which would 
create unwanted coupling.

Most specifically, this would be a change to the object instantiated at 
ipalib/plugins/user.py line 467

Thoughts and suggestions?

Thanks,

Drew Erny
derny at redhat.com
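
The proposal in the message above, sketched as an added example (not FreeIPA code and not part of the original post): the pattern check becomes a standalone rule function that a caller can skip by name while every other rule still runs. `Param`, `add_sudo_user`, the pattern and the sample names are hypothetical stand-ins, not the ipalib API.

```python
import re

# Assumed pattern, for illustration only; the real "uid" pattern is not on this page.
UID_PATTERN = re.compile(r"^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*\$?$")


def validate_uid_pattern(value):
    """Rule function: return an error string, or None when the value is valid."""
    if not UID_PATTERN.match(value):
        return "may only include letters, numbers, _, -, . and $"
    return None


def validate_printable(value):
    """Rule that must never be skipped: reject empty names and control characters."""
    if not value or any(ord(c) < 32 or ord(c) == 127 for c in value):
        return "must be non-empty and free of control characters"
    return None


class Param:
    """Hypothetical stand-in for a plugin parameter that holds rule functions."""

    def __init__(self, name, *rules):
        self.name = name
        self.rules = rules

    def validate(self, value, skip=()):
        # Callers opt out of named rules only, so the bypass stays narrow.
        for rule in self.rules:
            if rule in skip:
                continue
            error = rule(value)
            if error is not None:
                raise ValueError(f"invalid '{self.name}': {error}")
        return value


UID = Param("uid", validate_uid_pattern, validate_printable)
KNOWN_USERS = {"admin"}  # constructed sample directory contents


def add_sudo_user(name):
    """Classify a sudo rule user as a directory member or an external name."""
    if name in KNOWN_USERS:
        return ("member", UID.validate(name))
    # External names skip the pattern rule but still pass the remaining rules.
    return ("external", UID.validate(name, skip=(validate_uid_pattern,)))
```
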



