On Thu, Nov 18, 2010 at 03:17:02PM -0500, Simo Sorce wrote:
> On Thu, 18 Nov 2010 16:23:38 +0100
> Jakub Hrozek <jhro...@redhat.com> wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On 11/18/2010 02:24 PM, Simo Sorce wrote:
> > > On Thu, 18 Nov 2010 07:21:04 -0500
> > > Stephen Gallagher <sgall...@redhat.com> wrote:
> > >
> > >> Doing the forward septets is easy (1*x..7*x), but the reverse
> > >> septets are more complicated (since they would be (y-1*x..y-7*x),
> > >> where y is the total number of days in the month (which also has
> > >> to account for leap years).
> > >>
> > >> I think it might be a nice enhancement, but I recommend that we not
> > >> include it right now, given the tight release schedule for FreeIPA
> > >> v2.
> > >
> > > As I said before it is a now or never condition.
> > > If you do not put it in now, then when you put it in, old clients
> > > will not understand the rule. And they will have only one option,
> > > always deny access, because they have no way to understand when it
> > > is ok to allow/deny it.
> > >
> > > Simo.
> > >
> >
> > In that case, should we have some version identifier, too? In case we
> > identify some flaw later on and need to change the format once again.
>
> And what should a client do when it finds a version it does not
> understand?
>
> Simo.
>
At least log it. If the client finds an HBAC rule it does not understand it
would just error out (which is the better case, what if the syntax in the new
version was the same but semantics not?)

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
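
The behaviour discussed in this thread (a client that meets a rule-format version it does not understand logs it and denies access), sketched as an added example that is not part of the original messages and is not FreeIPA or SSSD code. The rule fields, the `version` numbering and the hour-window semantics are all hypothetical.

```python
import logging
from datetime import datetime

log = logging.getLogger("hbac_example")

# Hypothetical: rule-format versions this client was built to understand.
SUPPORTED_VERSIONS = {1}

# Constructed sample rules; field names are assumptions for illustration.
V1_RULES = [
    {"name": "office_hours", "version": 1, "type": "allow",
     "user": "*", "host": "web1", "hours": (8, 18)},
    {"name": "block_bob", "version": 1, "type": "deny",
     "user": "bob", "host": "*", "hours": (0, 24)},
]
# Same syntax as version 1, but written for a newer (unknown) format.
NEWER_RULE = {"name": "month_end_window", "version": 2, "type": "deny",
              "user": "alice", "host": "web1", "hours": (8, 18)}

def rule_matches(rule, user, host, now):
    """Assumed version-1 semantics: user, host and hour window must match."""
    start, end = rule["hours"]
    return (rule["user"] in (user, "*") and rule["host"] in (host, "*")
            and start <= now.hour < end)

def evaluate(rules, user, host, now):
    """Return (allowed, reason); any rule in an unknown version denies access."""
    unknown = [r for r in rules if r.get("version") not in SUPPORTED_VERSIONS]
    for r in unknown:
        # Log it, so an admin can see why an old client refuses logins.
        log.error("HBAC rule %r has unsupported format version %r; denying",
                  r.get("name"), r.get("version"))
    if unknown:
        # Fail closed without interpreting the rule: it may parse like
        # version 1 yet mean something else, and skipping it could skip a deny.
        return False, "unsupported rule version"
    matched = [r for r in rules if rule_matches(r, user, host, now)]
    if any(r["type"] == "deny" for r in matched):
        return False, "matched deny rule"
    if any(r["type"] == "allow" for r in matched):
        return True, "matched allow rule"
    return False, "no matching rule"
```

A rule with no `version` field at all is treated here as unsupported, which is a design choice of this sketch.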