On Fri, 19 Nov 2010 13:41:09 +0100 Jakub Hrozek <[email protected]> wrote:
> On Thu, Nov 18, 2010 at 03:17:02PM -0500, Simo Sorce wrote:
> > On Thu, 18 Nov 2010 16:23:38 +0100
> > Jakub Hrozek <[email protected]> wrote:
> >
> > > On 11/18/2010 02:24 PM, Simo Sorce wrote:
> > > > On Thu, 18 Nov 2010 07:21:04 -0500
> > > > Stephen Gallagher <[email protected]> wrote:
> > > >
> > > >> Doing the forward septets is easy (1*x..7*x), but the reverse
> > > >> septets are more complicated (since they would be
> > > >> (y-1*x..y-7*x), where y is the total number of days in the
> > > >> month (which also has to account for leap years).
> > > >>
> > > >> I think it might be a nice enhancement, but I recommend that
> > > >> we not include it right now, given the tight release schedule
> > > >> for FreeIPA v2.
> > > >
> > > > As I said before it is a now or never condition.
> > > > If you do not put it in now, then when you put it in, old
> > > > clients will not understand the rule. And they will have only
> > > > one option, always deny access, because they have no way to
> > > > understand when it is ok to allow/deny it.
> > > >
> > > > Simo.
> > > >
> > >
> > > In that case, should we have some version identifier, too? In
> > > case we identify some flaw later on and need to change the format
> > > once again.
> >
> > And what should a client do when it finds a version it does not
> > understand ?
> >
> > Simo.
> >
>
> At least log it. If the client finds a HBAC rule it does not
> understand it would just error out (which is the better case, what if
> the syntax in the new version was the same but semantics not?)

Exactly.
So as soon as you store a new rule all machines with the older client
will start refusing every access ... not a good idea imo.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
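The behaviour debated in this thread, as an added example that is not part of the original messages and is not SSSD or FreeIPA code: an older client that logs a rule version it does not understand and fails closed, so a single new-format rule turns a previously allowed login into a denial. The rule layout, the `version` field, the allow-only rule model and every name below are hypothetical.

```python
import logging

log = logging.getLogger("hbac_example")

# Assumption: the "old" client only understands rule format version 1.
SUPPORTED_VERSIONS = {1}


def rule_matches(rule, user, host):
    """True/False for a rule this client can interpret, None if it cannot."""
    if rule.get("version") not in SUPPORTED_VERSIONS:
        return None
    return user in rule["users"] and host in rule["hosts"]


def evaluate(rules, user, host):
    """Allow only if some rule matches and every rule was understood.

    An unknown version is logged and the whole evaluation is denied: the
    client cannot tell whether the new syntax narrows or widens access.
    """
    allowed = False
    for rule in rules:
        verdict = rule_matches(rule, user, host)
        if verdict is None:
            log.warning("rule %r: unsupported version %r, denying access",
                        rule.get("name"), rule.get("version"))
            return False
        allowed = allowed or verdict
    return allowed


# Constructed sample data: the rule set before and after an admin stores
# one rule in a newer format for an unrelated host.
RULES_BEFORE = [
    {"name": "admins-web", "version": 1,
     "users": {"alice"}, "hosts": {"web1"}},
]
RULES_AFTER = RULES_BEFORE + [
    {"name": "ops-db-last-week", "version": 2,
     "users": {"carol"}, "hosts": {"db1"}, "access_time": "new-syntax"},
]

if __name__ == "__main__":
    print(evaluate(RULES_BEFORE, "alice", "web1"))  # allowed by admins-web
    print(evaluate(RULES_AFTER, "alice", "web1"))   # denied: unknown rule
```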
