When multiple HBAC rules are defined, IPA default limits to retrieve 
objects may limit the scope of HBAC testing. To allow full range of 
rules to be tested support for --sizelimit option is added.

In addition, when the --rules option is specified, make sure only those 
rules are retrieved, regardless of the total number of rules defined. This 
should also speed up HBAC test performance in real-life scenarios 
where a few new rules are added to a large collection of rules.

https://fedorahosted.org/freeipa/ticket/2230

-- 
/ Alexander Bokovoy
>From 44261e7c9263cc6d4e1ca8132750ff29228dfa82 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <[email protected]>
Date: Tue, 10 Jan 2012 11:15:26 +0200
Subject: [PATCH] Allow hbactest to work with HBAC rules exceeding default IPA
 limits

When multiple HBAC rules are defined, IPA default limits to retrieve
objects may limit the scope of HBAC testing. To allow full range of rules
to be tested support for --sizelimit option is added.

In addition, when the --rules option is specified, make sure only those rules
are retrieved, regardless of the total number of rules defined. This should also
speed up HBAC test performance in real-life scenarios where a few new rules
are added to a large collection of rules.

https://fedorahosted.org/freeipa/ticket/2230
---
 API.txt                    |    3 ++-
 ipalib/plugins/hbactest.py |   28 +++++++++++++++++++++++++---
 2 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/API.txt b/API.txt
index 
493d5a3ff235e2a6f2599896114365af54086d16..60e6316e1c7f5de3adaeeecd3896fe8a422c4c38
 100644
--- a/API.txt
+++ b/API.txt
@@ -1455,7 +1455,7 @@ output: Output('summary', (<type 'unicode'>, <type 
'NoneType'>), None)
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
 output: Output('value', <type 'unicode'>, None)
 command: hbactest
-args: 0,8,6
+args: 0,9,6
 option: Str('user', cli_name='user', primary_key=True)
 option: Str('sourcehost?', cli_name='srchost')
 option: Str('targethost', cli_name='host')
@@ -1464,6 +1464,7 @@ option: Str('rules*', cli_name='rules', csv=True)
 option: Flag('nodetail?', autofill=True, cli_name='nodetail', default=False)
 option: Flag('enabled?', autofill=True, cli_name='enabled', default=False)
 option: Flag('disabled?', autofill=True, cli_name='disabled', default=False)
+option: Int('sizelimit?', autofill=False, minvalue=0)
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: Output('warning', (<type 'list'>, <type 'tuple'>, <type 'NoneType'>), 
None)
 output: Output('matched', (<type 'list'>, <type 'tuple'>, <type 'NoneType'>), 
None)
diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py
index 
f1b608d21a69bbd57577455157d8e78e11a54733..92b7145a3fca717b4699749c2ec2b88ae3647cd5
 100644
--- a/ipalib/plugins/hbactest.py
+++ b/ipalib/plugins/hbactest.py
@@ -18,7 +18,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 from ipalib import api, errors, output
-from ipalib import Command, Str, Flag
+from ipalib import Command, Str, Flag, Int
 from types import NoneType
 from ipalib.cli import to_cli
 from ipalib import _, ngettext
@@ -40,7 +40,7 @@ having access to the production environment.
 
  ipa hbactest --user= --host= --service=
               [--rules=rules-list] [--nodetail] [--enabled] [--disabled]
-              [--srchost= ]
+              [--srchost= ] [--sizelimit= ]
 
  --user, --host, and --service are mandatory, others are optional.
 
@@ -57,6 +57,8 @@ having access to the production environment.
  all IPA enabled rules.
 
  If no --rules specified, simulation is run against all IPA enabled rules.
+ By default there is a IPA-wide limit to number of entries fetched, you can 
change it
+ with --sizelimit option.
 
  If --srchost is specified, it will be ignored. It is left because of 
compatibility reasons only.
 
@@ -208,6 +210,13 @@ class hbactest(Command):
              cli_name='disabled',
              label=_('Include all disabled IPA rules into test'),
         ),
+        Int('sizelimit?',
+            label=_('Size Limit'),
+            doc=_('Maximum number of rules to process when no --rules is 
specified'),
+            flags=['no_display'],
+            minvalue=0,
+            autofill=False,
+        ),
     )
 
     def canonicalize(self, host):
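Review bot: The `doc` string for `sizelimit` does not say what `0` means, although `minvalue=0` makes it an accepted value. If `hbacrule_find` treats 0 as unlimited, as IPA search commands conventionally do, say so: `doc=_('Maximum number of rules to process when no --rules is specified (0 is unlimited)')`. That handling is outside this diff, so confirm it before settling the wording.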
@@ -224,7 +233,6 @@ class hbactest(Command):
         # 2. Required options are (user, source host, target host, service)
         # 3. Options: rules to test (--rules, --enabled, --disabled), request 
for detail output
         rules = []
-        hbacset = self.api.Command.hbacrule_find()['result']
 
         # Use all enabled IPA rules by default
         all_enabled = True
@@ -238,6 +246,10 @@ class hbactest(Command):
             all_enabled = False
             all_disabled = False
 
+        sizelimit = None
+        if 'sizelimit' in options:
+            sizelimit = int(options['sizelimit'])
+
         # Check if --disabled is specified, include all disabled IPA rules
         if options['disabled']:
             all_disabled = True
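Review bot: `if 'sizelimit' in options: sizelimit = int(options['sizelimit'])` raises TypeError if the key is present with a value of None, which may happen for callers that invoke the command through the API rather than the CLI (not verifiable from this hunk). Since the option is declared as `Int`, the value should already be an integer, so `sizelimit = options.get('sizelimit')` covers both the absent and the None case without the conversion. The enclosing method starts and ends outside the hunk.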
@@ -247,6 +259,16 @@ class hbactest(Command):
         if options['enabled']:
             all_enabled = True
 
+        hbacset = []
+        if len(testrules) == 0:
+            hbacset = 
self.api.Command.hbacrule_find(sizelimit=sizelimit)['result']
+        else:
+            for rule in testrules:
+                try:
+                    
hbacset.append(self.api.Command.hbacrule_show(rule)['result'])
+                except:
+                    pass
+
         # We have some rules, import them
         # --enabled will import all enabled rules (default)
         # --disabled will import all disabled rules
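Review bot: The bare `except: pass` around `hbacrule_show(rule)` silently drops any rule named in --rules that fails to load, so a mistyped or unreadable rule name leaves the simulation running against a smaller rule set, and an access-control test result computed from missing rules is misleading. It also catches every exception type, not only a missing entry. Narrow it to `except errors.NotFound:` (`errors` is already imported in this file) and record the rule name for reporting instead of `pass`; the existing `warning` output looks like the place for it, though the code that fills it is outside this hunk. Separately, when --rules is combined with --enabled or --disabled, `hbacset` now holds only the named rules, so the later import of all enabled or disabled rules presumably no longer sees the full set; that code is also outside the hunk and worth confirming.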
-- 
1.7.8
