On 18.5.2016 08:25, Stanislav Laznicka wrote:
> On 05/17/2016 12:40 PM, Petr Spacek wrote:
>> On 13.5.2016 13:50, Stanislav Laznicka wrote:
>>> Hello list,
>>>
>>> We had a discussion today over integrating the Time Rules into the CLI and
>>> WebUI and a problem came up with the current solution. It seems that
>>> while having templating handled by CoSTemplates might be nice in terms of easy
>>> dereferencing on SSSD side (it's handled by the DS itself), it's not really
>>> much possible to pick one string from the multi-valued accesstime attribute of
>>> HBAC Rule object and modify it.
>> Could you be more specific?
>>
>> AFAIK LDAP protocol allows this. Where is the problem?
>>
>> Petr^2 Spacek
> I should have added we're talking CLI and WebUI here.
>
> Imagine you have 5 values of the accesstime attribute, each one is about 10
> lines of iCal string, and want to change one:
>
> ipa hbacrule-mod-accesstime rule_name --time=???

I see. In DNS plugin we do it this way:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-master-dns-zones.html#examples-add-modify-record-cli

$ ipa dnsrecord-mod example.com www --a-rec 192.0.2.123 --a-ip-address 192.0.2.1

I would argue that naming of the options is weird so something easier to
understand could be made. E.g.

$ ipa hbacrule-mod-accesstime rule_name --orig-time=??? --time=???

Petr^2 Spacek

>>> We were thinking of a solution discussed way earlier - having our own time
>>> rule objects that could be referenced from each HBAC rule. That way, any time
>>> rule could be modified easily. As the HBAC rules are cached on the SSSD side
>>> periodically using the deref plugin, there should be no problem of
>>> inconsistency with the server database.
>>>
>>> The original reasoning pro and against the proposed solution could be found on
>>> the pad http://pad.engineering.redhat.com/ipa-time-based-HBAC-design. It would
>>> be really nice to hear your opinions and ideas that could help us overcome
>>> this problem.
>>>
>>> Thank you,
>>> Standa

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
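
Added example, not part of the original thread and not FreeIPA code: a sketch of what an --orig-time/--time pair has to turn into at the LDAP level, namely one modify operation that deletes the old accesstime value and adds the new one, with the multi-line iCal values base64-encoded for LDIF. The DN, the iCal strings and the function names are constructed for illustration, and exact string comparison of values is an assumption.

```python
import base64

def ldif_attr(name, value):
    """Render one LDIF line; base64-encode values that are not LDIF-safe
    (newlines, non-ASCII, leading space/colon/'<', trailing space)."""
    raw = value.encode("utf-8")
    safe = (raw and all(b < 128 and b not in (0, 10, 13) for b in raw)
            and raw[0] not in b" :<" and not raw.endswith(b" "))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(raw).decode('ascii')}"

def replace_one_value(dn, attr, current_values, orig, new):
    """Build an LDIF modify record that swaps exactly one value of a
    multi-valued attribute and leaves the other values untouched."""
    if orig not in current_values:
        # The server would answer noSuchAttribute; fail early instead.
        raise ValueError("original value is not present on the entry")
    if new in current_values:
        raise ValueError("new value is already present on the entry")
    lines = [
        ldif_attr("dn", dn),
        "changetype: modify",
        f"delete: {attr}",      # remove only the value named by --orig-time
        ldif_attr(attr, orig),
        "-",
        f"add: {attr}",         # add the value given by --time
        ldif_attr(attr, new),
        "-",
    ]
    return "\n".join(lines) + "\n"

# Constructed sample data (placeholder DN, shortened iCal strings).
RULE_DN = "cn=rule_name,cn=hbac,dc=example,dc=com"
WEEKDAYS = ("BEGIN:VEVENT\nDTSTART:20160518T080000Z\nDTEND:20160518T170000Z\n"
            "RRULE:FREQ=WEEKLY;BYDAY=MO,TU,WE,TH,FR\nEND:VEVENT")
WEEKEND = ("BEGIN:VEVENT\nDTSTART:20160521T100000Z\nDTEND:20160521T140000Z\n"
           "RRULE:FREQ=WEEKLY;BYDAY=SA\nEND:VEVENT")
NEW_WEEKDAYS = WEEKDAYS.replace("T170000Z", "T180000Z")

if __name__ == "__main__":
    print(replace_one_value(RULE_DN, "accesstime",
                            [WEEKDAYS, WEEKEND], WEEKDAYS, NEW_WEEKDAYS))
```

Both changes travel in a single modify request, so the server applies them together or not at all; the user still has to supply the complete original value, which is the usability concern raised in the thread.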