On 05/18/2016 01:47 PM, Stanislav Laznicka wrote:
We offline-discussed this with Honza. There should be a new command `ipa
hbacrule-replace-accesstime rule_name --orig-time=icalstr1
--new-time=icalstr2`. As it would be derived from LDAPQuery, the
atomicity is kept. This may not be very nice for CLI but should work
well for WebUI. Both icalstr1 and icalstr2 need to be encoded as
newlines that appear so often in iCalendar strings would only make a
On 05/18/2016 01:15 PM, Stanislav Laznicka wrote:
On 05/18/2016 01:00 PM, Petr Spacek wrote:
Pretty good point I was about to raise myself. Also, what happens
when removal succeeds but addition fails for some reason? The
operation is not atomic anymore.
On 18.5.2016 12:52, Jan Cholasta wrote:
On 18.5.2016 12:43, Stanislav Laznicka wrote:
On 05/18/2016 12:38 PM, Jan Cholasta wrote:
On 18.5.2016 12:23, Petr Spacek wrote:
NACK, the dns plugin should not be used as an example for
On 18.5.2016 08:25, Stanislav Laznicka wrote:
On 05/17/2016 12:40 PM, Petr Spacek wrote:
On 13.5.2016 13:50, Stanislav Laznicka wrote:
We had a discussion today over integrating the Time Rules
WebUI and a problem came up with the current solution. It
while having templating handled by CoSTemplates might be nice in
terms of easy
dereferencing on SSSD side (it's handled by the DS itself), it's
much possible to pick one string from the multi-valued
HBAC Rule object and modify it.
Could you be more specific?
AFAIK LDAP protocol allows this. Where is the problem?
I should have added we're talking CLI and WebUI here.
Imagine you have 5 values of the accesstime attribute, each one is
lines of iCal string, and want to change one:
ipa hbacrule-mod-accesstime rule_name --time=???
I see. In DNS plugin we do it this way:
$ ipa dnsrecord-mod example.com www --a-rec 192.0.2.123
I would argue that naming of the options is weird so something
understand could be made. E.g.
$ ipa hbacrule-mod-accesstime rule_name --orig-time=??? --time=???
it breaks almost every convention in the framework.
Good point :-)
The question here is if the intermediate state without defined time
Modification of an attribute value is exactly that - the old value
removed and the new value gets added. How it will look like in the
web UI is a
Also, typical iCalendar string is not much suitable for this approach
(see http://tools.ietf.org/html/rfc5545#section-4 for examples). Your
proposal is a way, of course, but not much user-friendly here.
Removing and adding of particular accesstime values should be
a pair of commands, "hbacrule-add-accesstime rule_name
What about modifications, though? If not for CLI, you will still
way to modify a more complex time rule in the WebUI (you do not
remove a complex rule just to click through its creation all again
"hbacrule-remove-accesstime rule_name accesstime".
completely different thing.
no transactions!) is acceptable or not.
Does it mean that the time restriction will be removed OR that access
always denied because the rule is incomplete?
Example of use:
ipa hbacrule-replace-accesstime rule_name
to add Tuesdays to the timespan defined by the rule.
Currently, if the time is not set it means users are allowed in. That
was there because of the backward compatibility although that could
now be bent to our wills as it should be solved differently (see
latest post of Lukas Hellebrandt on URI in HBAC and his ipahbacruleuri).
Allow on empty accesstime behaviour should be kept.
We were thinking of a solution discussed way earlier - having
rule objects that could be referenced from each HBAC rule. That
way, any time
rule could be modified easily. As the HBAC rules are cached
periodically using the deref plugin, there should be no
inconsistency with the server database.
The original reasoning pro and against the proposed solution
be found on
be really nice to hear your opinions and ideas that could