<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta content="text/html; charset=UTF-8" http-equiv="Content-Type"> </head> <body bgcolor="#ffffff" text="#000000"> On 07/25/2011 10:06 AM, Jenny Galipeau wrote: <blockquote cite="mid:1575370435.223909.1311602801326.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com" type="cite"> <style type="text/css">p { margin: 0; }</style> <div style="font-family: Times New Roman; font-size: 12pt; color: rgb(0, 0, 0);"> <hr id="zwchr"> <blockquote id="DWT2867" style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;"> On 07/25/2011 07:59 AM, Alexander Bokovoy wrote: <blockquote cite="mid:4E2D5AB9.4010104@redhat.com"> <pre>On 22.07.2011 23:10, Alexander Bokovoy wrote: </pre> <blockquote> <blockquote> <pre>So this is a little confusing. I thought --rules limited the rules that were considered. Maybe I'm misunderstanding it. </pre> </blockquote> <pre>--validate + --rules gives limitation, --rules alone adds more rules to the existing test set which is all enabled rules in IPA. </pre> </blockquote> <pre>I reworked a bit command line interface to avoid confusion like that. # ipa hbactest --help Usage: ipa [global-options] hbactest [options] Options: -h, --help show this help message and exit --user=STR User name --srchost=STR Source host --host=STR Target host --service=STR Service --rules=LIST Rules to test. If not specified, all enabled rules are tested --detail Detail rule execution --all Include all enabled IPA rules into test Now if you specify --rules, hbactest will only try to simulate login using these rules. You would need to add --all to force considering all IPA enabled rules. </pre> </blockquote> I like the functionality but --all does not sound right, may be it should be --enabled or something else. </blockquote> how about : --disabled --all (both enabled and disabled) and default without specifying either would be just enabled. <blockquote id="DWT2868" style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;"> <blockquote cite="mid:4E2D5AB9.4010104@redhat.com"> <pre>When no --rules are specified, simulation is run against all enabled IPA rules. --validate got replaced by --detail which simply tries to run simulation one by one and report results for each rule. You can apply it for any run, with or without --rules and --all. </pre> </blockquote> May me --detail should something like --each or --checkeach or --iterate. The expectation about the term "detail" is a bit different. The functionality seems OK though. </blockquote> I too am confused with --detail. What does "Detail rule execution" mean? I do not like --iterate, this is a developer term and not specific to what the user should expect as a behavior. <blockquote id="DWT2869" style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;"> <blockquote cite="mid:4E2D5AB9.4010104@redhat.com"> <pre>If --rules contains a name of non-existent rule, it is simply ignored. So if I asked to verify against --rule=foobar where there is no such rule, Should there be error message for such cases? Right now you'll get False (access is not granted) and --detail will not show any rules. </pre> </blockquote> It should be an error IMO. The reason is that you might have miss-typed something and think you checked the rule that you miss-typed but it would turn out that you did not. </blockquote> +1 error - this would match the behavior of all other CLIs. <blockquote id="DWT2870" style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;"> <blockquote cite="mid:4E2D5AB9.4010104@redhat.com"> <pre>Now, the only mode left out is batch verification of all disabled rules for purpose of checking their correctness.</pre> </blockquote> The more I think about it the more I lean towards just having --disabled to include all disabled rules instead of listing them explicitly in --rules. It is more a convenience aggregation than any different in behavior. </blockquote> Again ... how about : --disabled --all (both enabled and disabled) and default without specifying either would be just enabled. <blockquote style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;"> <blockquote cite="mid:4E2D5AB9.4010104@redhat.com"> <pre> Suppose we have a switch --show-invalid that takes all IPA rules and runs a simulation request against them, reporting the ones that are invalid only. </pre> </blockquote> Invalid in what way? I am not sure we can detect validity of the rules. The whole point of the tool was to detect whether a real or test user will be denied or allowed and whether it is expected or not. <blockquote cite="mid:4E2D5AB9.4010104@redhat.com"> <pre>Such a request could be done without any specific (user, source host, target host, service) tuple because we are only interested in HBAC_EVAL_ERROR return </pre> </blockquote> I am not sure I understand. What kind of condition would return such an error? <blockquote cite="mid:4E2D5AB9.4010104@redhat.com"> <pre>code which is independent of input parameters. Unfortunately all we can tell in this case is that rule is incorrect, without much details. Probably some improvement for libipa_hbac is needed, like converting request result into a bit field and returning detailed cause of error per tuple element. Current version is attached. It still lacks unit tests. </pre> <pre><fieldset class="mimeAttachmentHeader"></fieldset> _______________________________________________ Freeipa-devel mailing list <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Freeipa-devel@redhat.com" target="_blank">Freeipa-devel@redhat.com</a> <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-devel" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-devel</a></pre> </blockquote> <pre class="moz-signature">-- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a> </pre> _______________________________________________ Freeipa-devel mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-devel@redhat.com">Freeipa-devel@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-devel">https://www.redhat.com/mailman/listinfo/freeipa-devel</a></blockquote> -- Looking to carve out IT costs? <a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a> Jenny Galipeau <a class="moz-txt-link-rfc2396E" href="mailto:jgalipea@redhat.com"><jgalipea@redhat.com></a> Principal Software QA Engineer Red Hat, Inc. Security Engineering </div> <pre wrap=""> <fieldset class="mimeAttachmentHeader"></fieldset> _______________________________________________ Freeipa-devel mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-devel@redhat.com">Freeipa-devel@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-devel">https://www.redhat.com/mailman/listinfo/freeipa-devel</a></pre> </blockquote> How about: --all means all rules --enabled means all enabled rules; it can be used with the specific values like this --enabled=A,B,C then it will include only those enabled rules --disabled means all disabled rules; it can be used with the specific values like this --disabled=X,Y,Z then it will include only those disabled rules Eliminate --rules. <pre class="moz-signature" cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? <a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a> </pre> </body> </html>