On 25.07.2011 17:06, Jenny Galipeau wrote:
>     I like the functionality but --all does not sound right, may be it
>     should be --enabled or something else.
> 
> how about :
> --disabled
> --all  (both enabled and disabled)
Checking against all enabled and disabled makes very little sense. Rules
might be disabled for different reasons -- a rule might have been just
created, a rule is temporarily disabled, a rule is disabled permanently
but not yet slated for removal because SOX compliance work hasn't been
done, to name a few. The state of the IPA database does not always reflect
the exact state of organizational madness or sanity...

I would rather separate:
- checking against all enabled IPA rules (default operation)
- checking against specific IPA rules (--rules)
- checking against specific IPA rules + standard check (all enabled IPA
rules)
- checking against all disabled IPA rules.

These are all different cases. These cases would be covered by the following
option combinations of [--enabled] [--disabled] and [--rules]:

1. No option specified. Default case, run simulation against all enabled
IPA rules.

2. --rules specified. Run simulation against only those rules in --rules.

3. --rules and --enabled specified. Run simulation against all enabled
IPA rules _and_ additionally enable those in --rules. This is a case of
testing new HBAC rules before going to production.

4. --rules and --disabled specified. Run simulation against all disabled
IPA rules and those in --rules. Could only make sense for cases of
migration where all previous rules are switched off and then enabled
one-by-one.

5. --disabled and --enabled specified together. Run simulation against
all IPA rules, regardless of their state. Sort of similar to (4).

6. --disabled and --enabled, and --rules specified together. A bit too
much as --disabled and --enabled together would cover all rules already
and there is no space left for --rules (all rules you could mention in
--rules are already enabled for simulation).

> I too am confused with --detail. What does "Detail rule execution"
> mean?  I do not like --iterate, this is a developer term and not
> specific to what the user should expect as a behavior.
What we check with hbactest is whether a user would be able to access a
specified service on the target host when coming from a source host. In
order to grant such access, SSSD checks this combination of conditions
against all enabled IPA rules (HBAC rules) and gives a single answer:
yes/no, grant access or deny it.

During test simulation of such access granting it is important to
understand which rule has caused a problem, be it an excessive access grant
or a premature deny. '--detail' is an option which allows one to see how
the simulation went, which rules granted access and which denied.

Conceptually it should have been --verbose, but verbose is already a global
option taken by the IPA framework.

> +1  error - this would match the behavior of all other CLIs.
Ok.


-- 
/ Alexander Bokovoy

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
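The six [--enabled] [--disabled] [--rules] combinations above, and the per-rule verdicts that --detail is meant to expose, as an added example (not FreeIPA's or hbactest's own code): the Rule shape, the explicit-set membership model, and the rejection of case 6 as an error are assumptions of this example.

```python
"""Rule selection for an hbactest-style simulation, implementing the
[--enabled] [--disabled] [--rules] combinations from the mail.
Added example, not FreeIPA's code; Rule layout and case-6 error are assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    enabled: bool
    users: frozenset = frozenset()      # assumption: explicit member sets,
    hosts: frozenset = frozenset()      # no "all" categories or groups
    services: frozenset = frozenset()


def select_rules(all_rules, enabled=False, disabled=False, rules=()):
    """Return the sorted names of rules the simulation runs against."""
    by_name = {r.name: r for r in all_rules}
    unknown = set(rules) - set(by_name)
    if unknown:
        raise ValueError("unknown rules: " + ", ".join(sorted(unknown)))
    if enabled and disabled and rules:
        # case 6: --enabled --disabled already cover every rule
        raise ValueError("--rules has no effect with --enabled and --disabled")
    if enabled and disabled:                     # case 5: every rule
        return sorted(by_name)
    if rules and not enabled and not disabled:   # case 2: only the named rules
        return sorted(rules)
    if disabled:                                 # case 4: all disabled (+ --rules)
        chosen = {n for n, r in by_name.items() if not r.enabled}
    else:                                        # case 1 / 3: all enabled (+ --rules)
        chosen = {n for n, r in by_name.items() if r.enabled}
    chosen.update(rules)
    return sorted(chosen)


def simulate(all_rules, rule_names, user, host, service):
    """Single yes/no answer plus the per-rule verdicts --detail would show."""
    by_name = {r.name: r for r in all_rules}
    detail = {}
    for name in rule_names:
        r = by_name[name]
        detail[name] = user in r.users and host in r.hosts and service in r.services
    return any(detail.values()), detail


# Constructed sample rules: one in production, two currently disabled.
SAMPLE = [
    Rule("web_ssh", True, frozenset({"alice", "bob"}), frozenset({"web1"}), frozenset({"sshd"})),
    Rule("new_admin_rule", False, frozenset({"alice"}), frozenset({"db1"}), frozenset({"sshd"})),
    Rule("legacy_ftp", False, frozenset({"bob"}), frozenset({"ftp1"}), frozenset({"ftp"})),
]
```

Running case 3 (`select_rules(SAMPLE, enabled=True, rules=["new_admin_rule"])`) and feeding the result to `simulate` shows whether the not-yet-enabled rule, and only that rule, is what grants alice sshd access on db1.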