On Thu, Nov 18, 2010 at 03:17:02PM -0500, Simo Sorce wrote:
> On Thu, 18 Nov 2010 16:23:38 +0100
> Jakub Hrozek <jhro...@redhat.com> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > On 11/18/2010 02:24 PM, Simo Sorce wrote:
> > > On Thu, 18 Nov 2010 07:21:04 -0500
> > > Stephen Gallagher <sgall...@redhat.com> wrote:
> > >
> > >> Doing the forward septets is easy (1*x..7*x), but the reverse
> > >> septets are more complicated (since they would be (y-1*x..y-7*x),
> > >> where y is the total number of days in the month (which also has
> > >> to account for leap years).
> > >>
> > >> I think it might be a nice enhancement, but I recommend that we not
> > >> include it right now, given the tight release schedule for FreeIPA
> > >> v2.
> > >
> > > As I said before it is a now or never condition.
> > > If you do not put it in now, then when you put it in, old clients
> > > will not understand the rule. And they will have only one option,
> > > always deny access, because they have no way to understand when it
> > > is ok to allow/deny it.
> > >
> > > Simo.
> > >
> > In that case, should we have some version identifier, too? In case we
> > identify some flaw later on and need to change the format once again.
> And what should a client do when it finds a version it does not
> understand ?
At least log it. If the client finds a HBAC rule it does not understand
it would just error out (which is the better case, what if the syntax
in the new version was the same but semantics not?)
Freeipa-devel mailing list