On 6.2.2014 16:20, Martin Kosek wrote:
On 02/06/2014 04:21 PM, Jan Cholasta wrote:
On 6.2.2014 16:04, Martin Kosek wrote:
On 02/06/2014 01:16 PM, Jan Cholasta wrote:
Hi,

the attached patch fixes <https://fedorahosted.org/freeipa/ticket/4158>.

Honza

Adding a whole new update plugin for this little change seems as a
overengineering for me. Why does a simple "remove: sourcehostcategory: all" not
work?

Because there is no simple "dn: ..." to put above it, since it uses
auto-generated ipaUniqueId.

Ah, I see.



Also, I would be OK with even just not adding it in new installation only. It
is a benign attribute which also may not be deprecated in older version (and
replicated) replicas.

If it is not removed, it will still be shown in hbacrule commands' output. Is
it OK to remove sourcehostcategory from hbacrule.default_attributes? I'm not
sure why it was left there when source hosts were deprecated.

Makes sense. I think removing it from default LDIF + from default_attributes
will do the trick.

Martin


Updated patch attached.

--
Jan Cholasta
>From d56b3f8e63bae9db3d13df49d42a4f35a50e67b6 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Thu, 6 Feb 2014 12:33:43 +0100
Subject: [PATCH] Remove sourcehostcategory from the default HBAC rule.

https://fedorahosted.org/freeipa/ticket/4158
---
 install/share/default-hbac.ldif | 1 -
 ipalib/plugins/hbacrule.py      | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/install/share/default-hbac.ldif b/install/share/default-hbac.ldif
index b7b6ba2..52fd30e 100644
--- a/install/share/default-hbac.ldif
+++ b/install/share/default-hbac.ldif
@@ -7,7 +7,6 @@ cn: allow_all
 accessruletype: allow
 usercategory: all
 hostcategory: all
-sourcehostcategory: all
 servicecategory: all
 ipaenabledflag: TRUE
 description: Allow all users to access any host from any host
diff --git a/ipalib/plugins/hbacrule.py b/ipalib/plugins/hbacrule.py
index 0f0fef0..99758b2 100644
--- a/ipalib/plugins/hbacrule.py
+++ b/ipalib/plugins/hbacrule.py
@@ -118,7 +118,7 @@ class hbacrule(LDAPObject):
     default_attributes = [
         'cn', 'ipaenabledflag',
         'description', 'usercategory', 'hostcategory',
-        'sourcehostcategory', 'servicecategory', 'ipaenabledflag',
+        'servicecategory', 'ipaenabledflag',
         'memberuser', 'sourcehost', 'memberhost', 'memberservice',
         'memberhostgroup', 'externalhost',
     ]
-- 
1.8.5.3

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to