Re: [Freeipa-devel] [PATCH 0005] Refactor test_nesting, create HostGroupTracker

2016-03-24 Thread Milan Kubík
On 03/11/2016 03:42 PM, Filip Skola wrote: - Original Message - On 01/28/2016 10:45 AM, Filip Skola wrote: The same as with patch 0002: * Module ipatests.test_xmlrpc.tracker.hostgroup_plugin W:142,26: Calling a dict.iter*() method (dict-iter-method) Please use dict.items

Re: [Freeipa-devel] [PATCH 0006] Refactor test_hostgroup_plugin

2016-03-24 Thread Milan Kubík
On 03/07/2016 02:53 PM, Filip Škola wrote: Sorry, forgot to cc you, Milan. F. On Tue, 22 Dec 2015 05:57:50 -0500 (EST) Filip Skola wrote: And also sending refactored hostgroup plugin test. F Sorry for long delay. ACK. -- Milan Kubik

Re: [Freeipa-devel] [PATCH 0139] otptoken-add: improve the robustness of QR code printing to tty

2016-03-24 Thread Martin Babinsky
On 03/22/2016 12:28 PM, Martin Babinsky wrote: On 03/16/2016 02:17 PM, Martin Babinsky wrote: On 03/16/2016 01:35 PM, Nathaniel McCallum wrote: On Wed, 2016-03-16 at 07:25 +0100, Jan Cholasta wrote: On 15.3.2016 22:22, Nathaniel McCallum wrote: On Tue, 2016-03-15 at 17:54 +0100, Martin

Re: [Freeipa-devel] [PATCH 0441] Configure httpd service from installer

2016-03-24 Thread Jan Cholasta
On 18.3.2016 23:27, Timo Aaltonen wrote: On 17.03.2016 18:36, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5681 would be nicer if ipa-httpd.conf was a template with the current hardcoded values replaced with platform paths.. +1, I would also prefer if the file was renamed to

Re: [Freeipa-devel] URI in HBAC - design page

2016-03-24 Thread Martin Kosek
On 03/24/2016 10:24 AM, Jan Pazdziora wrote: > On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote: ... > You present two solutions to the problem -- deny rules, and regular > expressions. For the record, HBAC deny rules is something we will want to avoid. Deny HBAC rules were

Re: [Freeipa-devel] URI in HBAC - design page

2016-03-24 Thread Jan Pazdziora
On Thu, Mar 24, 2016 at 11:39:17AM +1000, Fraser Tweedale wrote: > > Further to Rob's points, what about including the method being used > (HTTP GET/POST/PUT/PATCH)? In a RESTful world this seems like an > important aspect to include. > > How deep does this rabbit-hole go? :) The work, while

Re: [Freeipa-devel] URI in HBAC - design page

2016-03-24 Thread Jan Pazdziora
On Thu, Mar 24, 2016 at 12:38:37PM +0100, Martin Kosek wrote: > On 03/24/2016 10:24 AM, Jan Pazdziora wrote: > > On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote: > ... > > You present two solutions to the problem -- deny rules, and regular > > expressions. > > For the record,

Re: [Freeipa-devel] URI in HBAC - design page

2016-03-24 Thread Jan Pazdziora
On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote: > I created a design page for the feature: > > http://www.freeipa.org/page/URI-based-HBAC-design I try to put separate areas of concerns into separate emails to make it easy to keep track. The document says There is a

Re: [Freeipa-devel] URI in HBAC - design page

2016-03-24 Thread Jan Pazdziora
On Wed, Mar 23, 2016 at 11:54:55AM -0400, Rob Crittenden wrote: > > I think case sensitivity might be pretty important too, though might be best > left as an exercise for the user. For protocol and hostname it likely needs to be case insensitive. For the rest of the URL there probably should be

Re: [Freeipa-devel] URI in HBAC - design page

2016-03-24 Thread Jan Pazdziora
On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote: > I created a design page for the feature: > > http://www.freeipa.org/page/URI-based-HBAC-design In the document, you say In all of them [ approaches ], I use only the part of URI after hostname as hostname and

Re: [Freeipa-devel] [PATCH 0441] Configure httpd service from installer

2016-03-24 Thread Martin Basti
On 24.03.2016 13:55, Jan Cholasta wrote: On 18.3.2016 23:27, Timo Aaltonen wrote: On 17.03.2016 18:36, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5681 would be nicer if ipa-httpd.conf was a template with the current hardcoded values replaced with platform paths.. +1, I

Re: [Freeipa-devel] [PATCH 0441] Configure httpd service from installer

2016-03-24 Thread Rob Crittenden
Jan Cholasta wrote: On 18.3.2016 15:12, Martin Babinsky wrote: On 03/17/2016 05:36 PM, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5681 Patch attached. Hi Martin, Nitpick attack: Please fix the commit message: "File httpd.service was created by RPM, what causes that httpd

Re: [Freeipa-devel] URI in HBAC - design page

2016-03-24 Thread Martin Kosek
On 03/24/2016 01:24 PM, Jan Pazdziora wrote: > On Thu, Mar 24, 2016 at 12:38:37PM +0100, Martin Kosek wrote: >> On 03/24/2016 10:24 AM, Jan Pazdziora wrote: >>> On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote: >> ... >>> You present two solutions to the problem -- deny rules, and

Re: [Freeipa-devel] URI in HBAC - design page

2016-03-24 Thread Adam Young
On 03/24/2016 05:43 AM, Jan Pazdziora wrote: On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote: I created a design page for the feature: http://www.freeipa.org/page/URI-based-HBAC-design I try to put separate areas of concerns into separate emails to make it easy to keep

Re: [Freeipa-devel] [PATCH 0139] otptoken-add: improve the robustness of QR code printing to tty

2016-03-24 Thread Jan Cholasta
On 24.3.2016 14:13, Martin Babinsky wrote: On 03/24/2016 01:47 PM, Martin Babinsky wrote: On 03/22/2016 12:28 PM, Martin Babinsky wrote: On 03/16/2016 02:17 PM, Martin Babinsky wrote: On 03/16/2016 01:35 PM, Nathaniel McCallum wrote: On Wed, 2016-03-16 at 07:25 +0100, Jan Cholasta wrote: On

Re: [Freeipa-devel] URI in HBAC - design page

2016-03-24 Thread Jan Pazdziora
On Thu, Mar 24, 2016 at 02:08:22PM +0100, Martin Kosek wrote: > > I agree it is complicated. While Deny HBAC rules is something we do not want, > allowing exclusive rules for an HBAC URI rule may be acceptable. This would be > the same approach we chose with Exclusive Time rules in Time-Based

Re: [Freeipa-devel] URI in HBAC - design page

2016-03-24 Thread Petr Spacek
On 24.3.2016 14:08, Martin Kosek wrote: > On 03/24/2016 01:24 PM, Jan Pazdziora wrote: >> On Thu, Mar 24, 2016 at 12:38:37PM +0100, Martin Kosek wrote: >>> On 03/24/2016 10:24 AM, Jan Pazdziora wrote: On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote: >>> ... You present

[Freeipa-devel] [PATCH] 956 replicainstall: log ACI and LDAP errors in promotion check

2016-03-24 Thread Petr Vobornik
to enable debugging of such errors. E.g.: https://fedorahosted.org/freeipa/ticket/5741 -- Petr Vobornik From 956f5171a3b51544103672feaffef752ee94dc42 Mon Sep 17 00:00:00 2001 From: Petr Vobornik Date: Thu, 24 Mar 2016 15:24:23 +0100 Subject: [PATCH] replicainstall: log ACI

Re: [Freeipa-devel] URI in HBAC - design page

2016-03-24 Thread Petr Spacek
On 24.3.2016 11:39, Jan Pazdziora wrote: > On Wed, Mar 23, 2016 at 11:54:55AM -0400, Rob Crittenden wrote: >> >> I think case sensitivity might be pretty important too, though might be best >> left as an exercise for the user. > > For protocol and hostname it likely needs to be case insensitive.

Re: [Freeipa-devel] [PATCH 0441] Configure httpd service from installer

2016-03-24 Thread Jan Cholasta
On 18.3.2016 15:12, Martin Babinsky wrote: On 03/17/2016 05:36 PM, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5681 Patch attached. Hi Martin, Nitpick attack: Please fix the commit message: "File httpd.service was created by RPM, what causes that httpd service may", should

Re: [Freeipa-devel] URI in HBAC - design page

2016-03-24 Thread Rob Crittenden
Adam Young wrote: On 03/24/2016 05:43 AM, Jan Pazdziora wrote: On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote: I created a design page for the feature: http://www.freeipa.org/page/URI-based-HBAC-design I try to put separate areas of concerns into separate emails to make it

Re: [Freeipa-devel] [PATCH 0005] Refactor test_nesting, create HostGroupTracker

2016-03-24 Thread Martin Basti
On 24.03.2016 11:59, Milan Kubík wrote: On 03/11/2016 03:42 PM, Filip Skola wrote: - Original Message - On 01/28/2016 10:45 AM, Filip Skola wrote: The same as with patch 0002: * Module ipatests.test_xmlrpc.tracker.hostgroup_plugin W:142,26: Calling a dict.iter*() method

Re: [Freeipa-devel] [PATCH 0006] Refactor test_hostgroup_plugin

2016-03-24 Thread Martin Basti
On 24.03.2016 11:59, Milan Kubík wrote: On 03/07/2016 02:53 PM, Filip Škola wrote: Sorry, forgot to cc you, Milan. F. On Tue, 22 Dec 2015 05:57:50 -0500 (EST) Filip Skola wrote: And also sending refactored hostgroup plugin test. F Sorry for long delay. ACK. Pushed

Re: [Freeipa-devel] [PATCH 0139] otptoken-add: improve the robustness of QR code printing to tty

2016-03-24 Thread Martin Babinsky
On 03/24/2016 01:47 PM, Martin Babinsky wrote: On 03/22/2016 12:28 PM, Martin Babinsky wrote: On 03/16/2016 02:17 PM, Martin Babinsky wrote: On 03/16/2016 01:35 PM, Nathaniel McCallum wrote: On Wed, 2016-03-16 at 07:25 +0100, Jan Cholasta wrote: On 15.3.2016 22:22, Nathaniel McCallum wrote:

Re: [Freeipa-devel] URI in HBAC - design page

2016-03-24 Thread Jan Pazdziora
On Thu, Mar 24, 2016 at 02:30:06PM +0100, Petr Spacek wrote: > > I really do not like 'excludes'... Was an approach with longest prefix match > considered as an option? I do not see it in the design page. > > E.g. imagine we have rules: > / -> allow anyone > /users -> allow all authenticated

Re: [Freeipa-devel] [PATCH 0143-0144] different errors/warnings for different LDAP limit type exceeded

2016-03-24 Thread Martin Babinsky
On 03/22/2016 04:28 PM, Rob Crittenden wrote: Martin Babinsky wrote: On 03/21/2016 12:25 PM, Jan Cholasta wrote: On 21.3.2016 10:17, Petr Spacek wrote: On 18.3.2016 13:49, Rob Crittenden wrote: Martin Babinsky wrote: These patches implement behavior agreed upon during discussion of

Re: [Freeipa-devel] [TEST][Patch-0030]Next part of replica promotion tests

2016-03-24 Thread Martin Babinsky
On 03/21/2016 01:51 PM, Oleg Fayans wrote: Hi Oleg, I have a few comments: 1.) please make the commit message more clear, briefly describe what kind of test cases were added to the suite and maybe add a link to the test plan. 2.) I see negative test scenarios for attempting to issue

Re: [Freeipa-devel] [PATCH 0024] ipa-replica-manage: added --suffix option for certain commands

2016-03-24 Thread Stanislav Laznicka
On 03/23/2016 08:13 PM, Martin Basti wrote: [...] Can you please update design http://www.freeipa.org/page/V4/Manage_replication_topology_4_4 (mainly the --suffix option)? Also there are missing clean-ruv and list-ruv commands in design, and fix usage at the bottom. 1) I don't understand this

Re: [Freeipa-devel] URI in HBAC - design page

2016-03-24 Thread Jan Pazdziora
On Wed, Mar 23, 2016 at 06:39:45PM +0100, Petr Vobornik wrote: > On 03/23/2016 04:41 PM, Lukáš Hellebrandt wrote: > >I created a design page for the feature: > > > >http://www.freeipa.org/page/URI-based-HBAC-design > > 1. The design page doesn't mention if mod_authnz_pam will be extended or >

Re: [Freeipa-devel] URI in HBAC - design page

2016-03-24 Thread Jan Pazdziora
On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote: > I created a design page for the feature: > > http://www.freeipa.org/page/URI-based-HBAC-design Could you please elaborate on unauthenticated accesses? Many web applications have completely public parts, and then authenticated

[Freeipa-devel] Announcing FreeIPA 4.3.1

2016-03-24 Thread Petr Vobornik
The FreeIPA team would like to announce FreeIPA v4.3.1 bug fixing release! It can be downloaded from http://www.freeipa.org/page/Downloads. The builds are available for Fedora 24 and rawhide. Builds for Fedora 23 are available in the official COPR

Re: [Freeipa-devel] URI in HBAC - design page

2016-03-24 Thread Martin Kosek
On 03/23/2016 04:41 PM, Lukáš Hellebrandt wrote: > I created a design page for the feature: > > http://www.freeipa.org/page/URI-based-HBAC-design Technicality update: - I changed the name and moved it to consistent location: http://www.freeipa.org/page/V4/URI-based_HBAC - I removed

Re: [Freeipa-devel] URI in HBAC - design page

2016-03-24 Thread Jan Pazdziora
On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote: > I created a design page for the feature: > > http://www.freeipa.org/page/URI-based-HBAC-design The way most web applications (that I see as the first use for this feature) are structured, they have more openly accessible areas

Re: [Freeipa-devel] URI in HBAC - design page

2016-03-24 Thread Fraser Tweedale
On Thu, Mar 24, 2016 at 01:09:24PM +0100, Jan Pazdziora wrote: > On Thu, Mar 24, 2016 at 11:39:17AM +1000, Fraser Tweedale wrote: > > > > Further to Rob's points, what about including the method being used > > (HTTP GET/POST/PUT/PATCH)? In a RESTful world this seems like an > > important aspect