I have made some important changes to the design document of this
proposed feature. The difference is mainly changing regular expression
interpretation of URI to longest-prefix matching.

This change was done mainly because of upstream's reactions. I value any
further comments and particularly discussion about the two topics
mentioned at the end of the design page:

* For backwards compatibility, lack of URI in request means any URI is
matched (as described in the design document). Is it a good idea? Any
other solution?

* How about multiple URI's in one HBAC rule? Is it a good idea? How to
interpret combinations of host+scheme+port (one field) and URI paths
(another field) in that case?

Lukas Hellebrandt
Associate Quality Engineer

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA:

Reply via email to