<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 07/25/2011 10:06 AM, Jenny Galipeau wrote:
<blockquote
cite="mid:1575370435.223909.1311602801326.JavaMail.root@zmail05.collab.prod.int.phx2.redhat.com"
type="cite">
<style type="text/css">p { margin: 0; }</style>
<div style="font-family: Times New Roman; font-size: 12pt; color:
rgb(0, 0, 0);"><br>
<br>
<hr id="zwchr">
<blockquote id="DWT2867" style="border-left: 2px solid rgb(16,
16, 255); margin-left: 5px; padding-left: 5px;"> On 07/25/2011
07:59 AM, Alexander Bokovoy wrote:
<blockquote cite="mid:4E2D5AB9.4010104@redhat.com">
<pre>On 22.07.2011 23:10, Alexander Bokovoy wrote:
</pre>
<blockquote>
<blockquote>
<pre>So this is a little confusing. I thought --rules limited the rules that
were considered. Maybe I'm misunderstanding it.
</pre>
</blockquote>
<pre>--validate + --rules gives limitation, --rules alone adds more rules to
the existing test set which is all enabled rules in IPA.
</pre>
</blockquote>
<pre>I reworked a bit command line interface to avoid confusion like that.
# ipa hbactest --help
Usage: ipa [global-options] hbactest [options]
Options:
-h, --help show this help message and exit
--user=STR User name
--srchost=STR Source host
--host=STR Target host
--service=STR Service
--rules=LIST Rules to test. If not specified, all enabled rules are
tested
--detail Detail rule execution
--all Include all enabled IPA rules into test
Now if you specify --rules, hbactest will only try to simulate login
using these rules. You would need to add --all to force considering all
IPA enabled rules.
</pre>
</blockquote>
<br>
I like the functionality but --all does not sound right, may
be it should be --enabled or something else.<br>
</blockquote>
how about :<br>
--disabled<br>
--all (both enabled and disabled)<br>
<br>
and default without specifying either would be just enabled.
<blockquote id="DWT2868" style="border-left: 2px solid rgb(16,
16, 255); margin-left: 5px; padding-left: 5px;"> <br>
<blockquote cite="mid:4E2D5AB9.4010104@redhat.com">
<pre>When no --rules are specified, simulation is run against all enabled IPA
rules.
--validate got replaced by --detail which simply tries to run simulation
one by one and report results for each rule. You can apply it for any
run, with or without --rules and --all.
</pre>
</blockquote>
<br>
May me --detail should something like --each or --checkeach or
--iterate. The expectation about the term "detail" is a bit
different. The functionality seems OK though.<br>
</blockquote>
<br>
I too am confused with --detail. What does "<span
style="font-family: monospace;"></span>Detail rule execution"
mean? I do not like --iterate, this is a developer term and not
specific to what the user should expect as a behavior.<br>
<blockquote id="DWT2869" style="border-left: 2px solid rgb(16,
16, 255); margin-left: 5px; padding-left: 5px;"> <br>
<blockquote cite="mid:4E2D5AB9.4010104@redhat.com">
<pre>If --rules contains a name of non-existent rule, it is simply ignored.
So if I asked to verify against --rule=foobar where there is no such
rule, Should there be error message for such cases? Right now you'll get
False (access is not granted) and --detail will not show any rules.
</pre>
</blockquote>
<br>
It should be an error IMO. The reason is that you might have
miss-typed something and think you checked the rule that you
miss-typed but it would turn out that you did not. <br>
</blockquote>
<br>
+1 error - this would match the behavior of all other CLIs.<br>
<blockquote id="DWT2870" style="border-left: 2px solid rgb(16,
16, 255); margin-left: 5px; padding-left: 5px;"> <br>
<blockquote cite="mid:4E2D5AB9.4010104@redhat.com">
<pre>Now, the only mode left out is batch verification of all disabled rules
for purpose of checking their correctness.</pre>
</blockquote>
<br>
The more I think about it the more I lean towards just having
--disabled to include all disabled rules instead of listing
them explicitly in --rules. It is more a convenience
aggregation than any different in behavior.<br>
</blockquote>
Again ...<br>
<br>
how about :<br>
--disabled<br>
--all (both enabled and disabled)<br>
<br>
and default without specifying either would be just enabled.<br>
<blockquote style="border-left: 2px solid rgb(16, 16, 255);
margin-left: 5px; padding-left: 5px;"> <br>
<blockquote cite="mid:4E2D5AB9.4010104@redhat.com">
<pre> Suppose we have a switch
--show-invalid that takes all IPA rules and runs a simulation request
against them, reporting the ones that are invalid only. </pre>
</blockquote>
<br>
Invalid in what way? I am not sure we can detect validity of
the rules. The whole point of the tool was to detect whether a
real or test user will be denied or allowed and whether it is
expected or not.<br>
<br>
<blockquote cite="mid:4E2D5AB9.4010104@redhat.com">
<pre>Such a request
could be done without any specific (user, source host, target host,
service) tuple because we are only interested in HBAC_EVAL_ERROR return
</pre>
</blockquote>
<br>
I am not sure I understand. What kind of condition would
return such an error?<br>
<br>
<blockquote cite="mid:4E2D5AB9.4010104@redhat.com">
<pre>code which is independent of input parameters. Unfortunately all we can
tell in this case is that rule is incorrect, without much details.
Probably some improvement for libipa_hbac is needed, like converting
request result into a bit field and returning detailed cause of error
per tuple element.
Current version is attached. It still lacks unit tests.
</pre>
<pre><fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
Freeipa-devel mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Freeipa-devel@redhat.com" target="_blank">Freeipa-devel@redhat.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-devel" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-devel</a></pre>
</blockquote>
<br>
<br>
<pre class="moz-signature">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a>
</pre>
<br>
_______________________________________________<br>
Freeipa-devel mailing list<br>
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-devel@redhat.com">Freeipa-devel@redhat.com</a><br>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-devel">https://www.redhat.com/mailman/listinfo/freeipa-devel</a></blockquote>
<br>
<span><br>
<br>
-- <br>
<span name="x"></span>Looking to carve out IT costs?<br>
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a><br>
<br>
Jenny Galipeau <a class="moz-txt-link-rfc2396E" href="mailto:jgalipea@redhat.com"><jgalipea@redhat.com></a><br>
Principal Software QA Engineer<br>
Red Hat, Inc. Security Engineering<span name="x"></span><br>
</span></div>
<pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
Freeipa-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-devel@redhat.com">Freeipa-devel@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-devel">https://www.redhat.com/mailman/listinfo/freeipa-devel</a></pre>
</blockquote>
<br>
<br>
How about: <br>
<br>
--all means all rules<br>
--enabled means all enabled rules; it can be used with the specific
values like this --enabled=A,B,C then it will include only those
enabled rules<br>
--disabled means all disabled rules; it can be used with the
specific values like this --disabled=X,Y,Z then it will include only
those disabled rules<br>
Eliminate --rules.<br>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
</body>
</html>