<html><head><style type='text/css'>p { margin: 0; }</style></head><body><div style='font-family: Times New Roman; font-size: 12pt; color: #000000'><br><br><hr id="zwchr"><blockquote id="DWT2867" style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;">
On 07/25/2011 07:59 AM, Alexander Bokovoy wrote:
<blockquote cite="mid:4E2D5AB9.4010104@redhat.com">
<pre>On 22.07.2011 23:10, Alexander Bokovoy wrote:
</pre>
<blockquote>
<blockquote>
<pre>So this is a little confusing. I thought --rules limited the rules that
were considered. Maybe I'm misunderstanding it.
</pre>
</blockquote>
<pre>--validate + --rules gives limitation, --rules alone adds more rules to
the existing test set which is all enabled rules in IPA.
</pre>
</blockquote>
<pre>I reworked the command line interface a bit to avoid confusion like that.
# ipa hbactest --help
Usage: ipa [global-options] hbactest [options]
Options:
-h, --help show this help message and exit
--user=STR User name
--srchost=STR Source host
--host=STR Target host
--service=STR Service
--rules=LIST Rules to test. If not specified, all enabled rules are
tested
--detail Detail rule execution
--all Include all enabled IPA rules into test
Now if you specify --rules, hbactest will only try to simulate login
using these rules. You would need to add --all to force considering all
IPA enabled rules.
</pre>
</blockquote>
<br>
I like the functionality but --all does not sound right, maybe it
should be --enabled or something else.<br></blockquote>how about:<br>
--disabled<br>
--all (both enabled and disabled)<br>
<br>
and default without specifying either would be just enabled.<blockquote id="DWT2868" style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;">
<br>
<blockquote cite="mid:4E2D5AB9.4010104@redhat.com">
<pre>When no --rules are specified, simulation is run against all enabled IPA
rules.
--validate got replaced by --detail which simply tries to run simulation
one by one and report results for each rule. You can apply it for any
run, with or without --rules and --all.
</pre>
</blockquote>
<br>
Maybe --detail should be something like --each, --checkeach or
--iterate. The expectation about the term "detail" is a bit
different. The functionality seems OK though.<br></blockquote><br>I too am confused with --detail. What does "Detail rule execution" mean? I do not like --iterate, this is a developer term and not specific to what the user should expect as a behavior.<br><blockquote id="DWT2869" style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;">
<br>
<blockquote cite="mid:4E2D5AB9.4010104@redhat.com">
<pre>If --rules contains the name of a non-existent rule, it is simply ignored.
So if I asked to verify against --rule=foobar where there is no such
rule, should there be an error message for such cases? Right now you'll get
False (access is not granted) and --detail will not show any rules.
</pre>
</blockquote>
<br>
It should be an error IMO. The reason is that you might have
mistyped something and think you checked the rule that you
mistyped, but it would turn out that you did not.<br></blockquote><br>+1 error - this would match the behavior of all other CLIs.<br><blockquote id="DWT2870" style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;">
<br>
<blockquote cite="mid:4E2D5AB9.4010104@redhat.com">
<pre>Now, the only mode left out is batch verification of all disabled rules
for purpose of checking their correctness.</pre>
</blockquote>
<br>
The more I think about it the more I lean towards just having
--disabled to include all disabled rules instead of listing them
explicitly in --rules. It is more a convenience aggregation than any
difference in behavior.<br></blockquote>Again ...<br><br>how about:<br>--disabled<br>--all (both enabled and disabled)<br><br> and default without specifying either would be just enabled.<br><blockquote style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;">
<br>
<blockquote cite="mid:4E2D5AB9.4010104@redhat.com">
<pre> Suppose we have a switch
--show-invalid that takes all IPA rules and runs a simulation request
against them, reporting the ones that are invalid only. </pre>
</blockquote>
<br>
Invalid in what way? I am not sure we can detect validity of the
rules. The whole point of the tool was to detect whether a real or
test user will be denied or allowed and whether it is expected or
not.<br>
<br>
<blockquote cite="mid:4E2D5AB9.4010104@redhat.com">
<pre>Such a request
could be done without any specific (user, source host, target host,
service) tuple because we are only interested in HBAC_EVAL_ERROR return
</pre>
</blockquote>
<br>
I am not sure I understand. What kind of condition would return such
an error?<br>
<br>
<blockquote cite="mid:4E2D5AB9.4010104@redhat.com">
<pre>code which is independent of input parameters. Unfortunately all we can
tell in this case is that rule is incorrect, without much details.
Probably some improvement for libipa_hbac is needed, like converting
request result into a bit field and returning detailed cause of error
per tuple element.
Current version is attached. It still lacks unit tests.
</pre>
<pre>_______________________________________________
Freeipa-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-devel@redhat.com" target="_blank">Freeipa-devel@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-devel" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-devel</a></pre>
</blockquote>
<br>
<br>
<pre class="moz-signature">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a>
</pre>
</blockquote><br><span><br><br>-- <br>Looking to carve out IT costs?<br>www.redhat.com/carveoutcosts/<br><br>Jenny Galipeau &lt;jgalipea@redhat.com&gt;<br>Principal Software QA Engineer<br>Red Hat, Inc. Security Engineering<br></span></div></body></html>
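Appended after the thread as an added example; it is not code from the thread, from the attached patch, or from FreeIPA. It models the hbactest rule-selection semantics Alexander describes (no --rules means all enabled rules; --rules restricts the simulation to the named rules; adding --all folds all enabled rules back in) together with the behaviour both Dmitri and Jenny ask for: an unknown rule name is an error instead of a silent False. The per-rule result mapping is what --detail would report. The `HbacRule` class, the `select_rules` and `hbactest` functions, the `"*"` wildcard standing in for a "category: all" element, and the sample rules, users and hosts are all constructed here for illustration.

```python
from dataclasses import dataclass


@dataclass
class HbacRule:
    """Constructed, simplified HBAC rule: each element is a set of names,
    and "*" stands in for IPA's "category: all" on that element."""
    name: str
    enabled: bool
    users: set
    srchosts: set
    hosts: set
    services: set

    def allows(self, user, srchost, host, service):
        """A rule grants access only when every element of the tuple matches."""
        def member(wanted, members):
            return "*" in members or wanted in members

        return (member(user, self.users) and member(srchost, self.srchosts)
                and member(host, self.hosts) and member(service, self.services))


def select_rules(rules, names=None, include_all_enabled=False):
    """Pick the rules to simulate.

    names=None                -> every enabled rule (the default run)
    names=[...]               -> only those rules, enabled or not (--rules)
    names=[...] + include_all -> those rules plus every enabled rule (--rules --all)
    An unknown name raises ValueError, as the thread agreed it should.
    """
    by_name = {rule.name: rule for rule in rules}
    selected = []
    if names:
        unknown = sorted(set(names) - by_name.keys())
        if unknown:
            raise ValueError("unknown HBAC rule(s): %s" % ", ".join(unknown))
        selected.extend(by_name[n] for n in names)
    if include_all_enabled or not names:
        chosen = {rule.name for rule in selected}
        selected.extend(r for r in rules if r.enabled and r.name not in chosen)
    return selected


def hbactest(rules, user, srchost, host, service,
             names=None, include_all_enabled=False):
    """Simulate a login: returns (access_granted, {rule_name: matched}).

    Access is granted if any selected rule matches; the dict is the
    rule-by-rule breakdown that --detail prints.
    """
    selected = select_rules(rules, names, include_all_enabled)
    detail = {r.name: r.allows(user, srchost, host, service) for r in selected}
    return any(detail.values()), detail


# Constructed sample rule set: two enabled rules, two disabled ones.
RULES = [
    HbacRule("allow_all", False, {"*"}, {"*"}, {"*"}, {"*"}),
    HbacRule("admins_ssh", True, {"admin"}, {"*"}, {"*"}, {"sshd"}),
    HbacRule("web_sudo", True, {"jdoe"}, {"*"}, {"web1"}, {"sudo"}),
    HbacRule("old_ftp", False, {"jdoe"}, {"*"}, {"*"}, {"ftp"}),
]


if __name__ == "__main__":
    # Default run: only enabled rules are consulted.
    print(hbactest(RULES, "jdoe", "laptop", "web1", "sudo"))
    # --rules old_ftp: a disabled rule can be checked on its own.
    print(hbactest(RULES, "jdoe", "laptop", "web1", "ftp", names=["old_ftp"]))
    # A mistyped rule name is reported instead of silently yielding False.
    try:
        hbactest(RULES, "jdoe", "laptop", "web1", "ftp", names=["old_ftpp"])
    except ValueError as err:
        print("error:", err)
```

The selection is kept separate from the evaluation so the two questions raised in the thread (which rules are in the test set, and what each of them says about the tuple) can be checked independently; the unknown-name check runs before any evaluation, so a typo cannot be mistaken for a deny.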