On Tue, 2011-07-05 at 10:53 -0400, Dmitri Pal wrote:
> I disagree with the server side UI changes.
> IMO the IPA server should detect the DENY rules at the upgrade step and
> fail the upgrade asking the administrator to remove the rules first.

No, upgrade time is the wrong time to ask for complex changes.

> Carrying them forward in the UI means that we would allow IPA to have
> the rules but it would ignore them creating a security hole.

IPA does not do the enforcing so it does not observe/ignore them at all.
The client (sssd) does the enforcing, so the only place to handle
security issues is there.

> Since some admins do not use UI it will be even worse.

That's why we are dealing with the problem in the client.
The UI is just to warn in advance those admins that stubbornly refuse to
read release notes and test their clients.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
