<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 07/25/2011 09:46 AM, Dmitri Pal wrote:
<blockquote cite="mid:4E2D73C1.40900@redhat.com" type="cite">
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
On 07/25/2011 07:59 AM, Alexander Bokovoy wrote:
<blockquote cite="mid:4E2D5AB9.4010104@redhat.com" type="cite">
<pre wrap="">On 22.07.2011 23:10, Alexander Bokovoy wrote:
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">So this is a little confusing. I thought --rules limited the rules that
were considered. Maybe I'm misunderstanding it.
</pre>
</blockquote>
<pre wrap="">--validate + --rules gives limitation, --rules alone adds more rules to
the existing test set which is all enabled rules in IPA.
</pre>
</blockquote>
<pre wrap="">I reworked a bit command line interface to avoid confusion like that.
# ipa hbactest --help
Usage: ipa [global-options] hbactest [options]
Options:
-h, --help show this help message and exit
--user=STR User name
--srchost=STR Source host
--host=STR Target host
--service=STR Service
--rules=LIST Rules to test. If not specified, all enabled rules are
tested
--detail Detail rule execution
--all Include all enabled IPA rules into test
Now if you specify --rules, hbactest will only try to simulate login
using these rules. You would need to add --all to force considering all
IPA enabled rules.
</pre>
</blockquote>
<br>
I like the functionality but --all does not sound right, may be it
should be --enabled or something else.<br>
<br>
<blockquote cite="mid:4E2D5AB9.4010104@redhat.com" type="cite">
<pre wrap="">When no --rules are specified, simulation is run against all enabled IPA
rules.
--validate got replaced by --detail which simply tries to run simulation
one by one and report results for each rule. You can apply it for any
run, with or without --rules and --all.
</pre>
</blockquote>
<br>
May me --detail should something like --each or --checkeach or
--iterate. The expectation about the term "detail" is a bit
different. The functionality seems OK though.<br>
<br>
<blockquote cite="mid:4E2D5AB9.4010104@redhat.com" type="cite">
<pre wrap="">If --rules contains a name of non-existent rule, it is simply ignored.
So if I asked to verify against --rule=foobar where there is no such
rule, Should there be error message for such cases? Right now you'll get
False (access is not granted) and --detail will not show any rules.
</pre>
</blockquote>
<br>
It should be an error IMO. The reason is that you might have
miss-typed something and think you checked the rule that you
miss-typed but it would turn out that you did not. <br>
<br>
<blockquote cite="mid:4E2D5AB9.4010104@redhat.com" type="cite">
<pre wrap="">Now, the only mode left out is batch verification of all disabled rules
for purpose of checking their correctness.</pre>
</blockquote>
<br>
The more I think about it the more I lean towards just having
--disabled to include all disabled rules instead of listing them
explicitly in --rules. It is more a convenience aggregation than
any different in behavior.<br>
<br>
<blockquote cite="mid:4E2D5AB9.4010104@redhat.com" type="cite">
<pre wrap=""> Suppose we have a switch
--show-invalid that takes all IPA rules and runs a simulation request
against them, reporting the ones that are invalid only. </pre>
</blockquote>
<br>
Invalid in what way? I am not sure we can detect validity of the
rules. The whole point of the tool was to detect whether a real or
test user will be denied or allowed and whether it is expected or
not.<br>
</blockquote>
<br>
Catching up with the thread I see that there is a discussion about
the invalid rules i.e. incomplete rules. I thought that it is nearly
impossible to create an "invalid" rule this way as the omitted parts
have the default interpretation if the value is missing. Those
should be clearly documented BTW. But I remember that the original
designs touched on this subject. <br>
I looked here:
<a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/DS_Design_Summary#HBAC_object">http://www.freeipa.org/page/DS_Design_Summary#HBAC_object</a><br>
It is somewhat defined somewhat not. Let us clear what is the
meaning of empty users attribute. Is it "any" possible user, "rule
is ignored" or error. IMO it is any possible user. Same with host or
service. But I am open for argument.<br>
<br>
<blockquote cite="mid:4E2D73C1.40900@redhat.com" type="cite"> <br>
<blockquote cite="mid:4E2D5AB9.4010104@redhat.com" type="cite">
<pre wrap="">Such a request
could be done without any specific (user, source host, target host,
service) tuple because we are only interested in HBAC_EVAL_ERROR return
</pre>
</blockquote>
<br>
I am not sure I understand. What kind of condition would return
such an error?<br>
<br>
<blockquote cite="mid:4E2D5AB9.4010104@redhat.com" type="cite">
<pre wrap="">code which is independent of input parameters. Unfortunately all we can
tell in this case is that rule is incorrect, without much details.
Probably some improvement for libipa_hbac is needed, like converting
request result into a bit field and returning detailed cause of error
per tuple element.
Current version is attached. It still lacks unit tests.
</pre>
<pre wrap=""><fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
Freeipa-devel mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Freeipa-devel@redhat.com">Freeipa-devel@redhat.com</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-devel">https://www.redhat.com/mailman/listinfo/freeipa-devel</a></pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
<pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
Freeipa-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-devel@redhat.com">Freeipa-devel@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-devel">https://www.redhat.com/mailman/listinfo/freeipa-devel</a></pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
</body>
</html>