[Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

Simo Sorce simo at redhat.com
Thu Sep 1 13:06:42 UTC 2016


On Thu, 2016-09-01 at 14:09 +0200, Standa Laznicka wrote:
> The class ipaHBACRuleV2 is dynamically switched to from ipaHBACRule
> upon addition of a time rule to a certain HBAC rule.

Honestly I am against this.

If you really want the two objects to be incompatible then you tell the
admin he can't add time rules to old objects.
The new object type should be clearly identified as a new rule type and the
admin will have to create a new rule of the correct type and
remove/disable or retain the old rule as he prefers.

I do not think we should ever try to switch objectclasses dynamically.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



