[Freeipa-devel] [RFE] Remove source hosts from HBAC

Martin Kosek mkosek at redhat.com
Mon Apr 8 13:26:56 UTC 2013


On 04/08/2013 03:03 PM, Rob Crittenden wrote:
> Petr Vobornik wrote:
>> On 04/05/2013 07:59 PM, Ana Krivokapic wrote:
>>> Hello list,
>>>
>>> I have been thinking about the possible implementation for a solution of
>>> ticket https://fedorahosted.org/freeipa/ticket/3528. There are several
>>> options:
>>>
>>> 1. Completely remove the commands and command options related to source
>>> hosts in HBAC. This might not be a good idea as it could cause problems
>>> for older clients.
>>>
>>> 2. Hide these commands/options from the web UI, but leave them in CLI.
>>> This would keep the API intact, but I don't like the idea of introducing
>>> inconsistencies between CLI and web UI.
>>>
>>> 3. Do not remove anything, but issue deprecation warnings. The user will
>>> see a warning when using these commands/options, but everything will
>>> still work.
>>>
>>> 4. Do not remove anything, but raise exceptions. This would effectively
>>> prevent the user from using these commands/options, as the exception
>>> will break the execution of a command.
>>>
>>> In any case, any reference to source hosts should be removed from help
>>> and documentation.
>>>
>>> I am leaning towards options 3 or 4.
>>>
>>> Thoughts, comments and ideas are welcome.
>>>
>>
>> IMHO the main question is whether we want to deprecate it or remove it.
>> SSSD is deprecating it so I would go that way too.
>>
>> #1 and #4 are basically a removal, #4 a bad one.
>> #2 is removal from Web UI perspective.
>>
>> I would do #3 with some changes. In both Web UI and CLI there should be a
>> clear label that the section/options are deprecated. We may introduce a
>> deprecated flag. With this change we don't have to show the warning. But
>> in CLI we might because the user didn't have to read help beforehand.
> 
> It has been deprecated for quite a while now. This was raised because we let
> users enter this data via the UI and CLI and it does absolutely nothing which
> is terribly misleading.
> 
> I think that it should be removed from the UI completely. I'm torn with the
> CLI, though leaning on hiding the options.
> 
> It might be worthwhile to also raise an exception if anyone tries to use it via
> a script or otherwise.
> 
> rob
> 

+1. We could hide it (so that it is not seen in CLI) and raise an exception if
some old script tries to use it.

I did this for example for no longer supported DNS records in dnsrecord-add
(simulated with setattr):

# ipa dnsrecord-add example.com apl --setattr=aplrecord="foo"
ipa: ERROR: invalid 'aplrecord': DNS RR type "APL" is not supported by
bind-dyndb-ldap plugin

The param simply has "no_option" flag and its validator always fails. We should
remove the parameter altogether at some point, maybe next major version?

Martin
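The pattern Martin describes above, a parameter that stays in the API under a `no_option` flag (so it is hidden from help) with a validator that rejects every value, modelled as an added stand-alone Python illustration. This is not FreeIPA's ipalib code and not from the thread; the `hbacrule-add-host` command, its `host` and `sourcehost` options and the error wording are hypothetical, chosen to mirror the `invalid '<param>': <reason>` shape of the dnsrecord-add error quoted above.

```python
"""Deprecation pattern from the thread, modelled in plain Python:
a parameter keeps its name in the API so old callers still parse, but it
carries a 'no_option' flag (hidden from help) and a validator that rejects
every value, so a caller gets an explicit error rather than a silent no-op.
Stand-alone illustration; not FreeIPA's ipalib code."""


class ValidationError(Exception):
    """Mirrors the "invalid '<param>': <reason>" shape of the CLI error."""

    def __init__(self, name, reason):
        super().__init__(f"invalid '{name}': {reason}")
        self.name = name
        self.reason = reason


class Param:
    def __init__(self, name, doc="", flags=(), validator=None):
        self.name = name
        self.doc = doc
        self.flags = frozenset(flags)
        # validator: callable returning None (ok) or an error string
        self.validator = validator

    @property
    def hidden(self):
        # 'no_option' keeps the param out of generated help/option lists
        return "no_option" in self.flags

    def validate(self, value):
        if self.validator is not None:
            reason = self.validator(value)
            if reason is not None:
                raise ValidationError(self.name, reason)


def deprecated(reason):
    """Validator factory: every value fails with the given reason."""
    return lambda _value: reason


def validate_hostname(value):
    """Minimal sanity check for a host name (constructed for the example)."""
    if not value or value != value.strip() or " " in value:
        return "not a valid host name"
    return None


class Command:
    def __init__(self, name, params):
        self.name = name
        self.params = {p.name: p for p in params}

    def help_options(self):
        """Option names shown in help: hidden (no_option) params are omitted."""
        return [p.name for p in self.params.values() if not p.hidden]

    def run(self, **options):
        """Validate every supplied option, hidden ones included, then 'execute'."""
        for name, value in options.items():
            param = self.params.get(name)
            if param is None:
                raise ValidationError(name, "unknown option")
            param.validate(value)
        return {"command": self.name, "options": dict(options)}


# Hypothetical command: a host option that still works and a source host
# option kept in the API only so that old scripts fail loudly.
hbacrule_add_host = Command(
    "hbacrule-add-host",
    [
        Param("host", doc="Host to add to the rule", validator=validate_hostname),
        Param(
            "sourcehost",
            doc="(deprecated) Source host",
            flags=("no_option",),
            validator=deprecated("source hosts are no longer supported in HBAC rules"),
        ),
    ],
)


def try_run(command, **options):
    """Return (True, result) or (False, error message), as a CLI wrapper would."""
    try:
        return True, command.run(**options)
    except ValidationError as exc:
        return False, f"ipa: ERROR: {exc}"


if __name__ == "__main__":
    print(hbacrule_add_host.help_options())
    print(try_run(hbacrule_add_host, host="web1.example.com"))
    print(try_run(hbacrule_add_host, host="web1.example.com",
                  sourcehost="bastion.example.com"))
```

The help listing shows only `host`, a call that uses only `host` succeeds, and any call that passes `sourcehost`, whatever its value, is rejected with an explicit error before anything is executed; that is the behaviour the thread wants for old scripts, as opposed to the current silent acceptance.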