Re: [Freeipa-devel] [PATCH] 530 trust plugin: Fix typo in attribute name

2014-04-28 Thread Martin Kosek
On 04/28/2014 11:14 AM, Alexander Bokovoy wrote:
 On Fri, 18 Apr 2014, Petr Viktorin wrote:
 From 00756cf2c9682b32dba3388e07dda3fad916e284 Mon Sep 17 00:00:00 2001
 From: Petr Viktorin pvikt...@redhat.com
 Date: Thu, 17 Apr 2014 19:06:52 +0200
 Subject: [PATCH] trust plugin: Remove ipatrustauth{incoming,outgoing} from
 default attrs

 These attributes contain secrets for the trusts and should not be returned
 by default.
 ---
 ipalib/plugins/trust.py | 7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

 diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
 index
 f57cf7d891928903fdbee67697b96db4ad2679b7..8fff1cae306559fb42209cbd1aaabcbd9046a27b
 100644
 --- a/ipalib/plugins/trust.py
 +++ b/ipalib/plugins/trust.py
 @@ -306,12 +306,11 @@ class trust(LDAPObject):
 object_name_plural = _('trusts')
 object_class = ['ipaNTTrustedDomain']
 default_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid',
 -'ipanttrusttype', 'ipanttrustattributes', 'ipanttrustdirection',
 'ipanttrustpartner',
 -'ipantauthtrustoutgoing', 'ipanttrustauthincoming',
 'ipanttrustforesttrustinfo',
 +'ipanttrusttype', 'ipanttrustattributes', 'ipanttrustdirection',
 +'ipanttrustpartner', 'ipanttrustforesttrustinfo',
 'ipanttrustposixoffset', 'ipantsupportedencryptiontypes' ]
 search_display_attributes = ['cn', 'ipantflatname',
 - 'ipanttrusteddomainsid', 'ipanttrusttype',
 - 'ipantsidblacklistincoming',
 'ipantsidblacklistoutgoing' ]
 + 'ipanttrusteddomainsid', 'ipanttrusttype']

 label = _('Trusts')
 label_singular = _('Trust')
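Review bot: removing the two trust-auth names from default_attributes only changes what is listed by default; nothing in this hunk restricts who can read them, and the discussion notes that attributes outside the defaults still appear with --all. The commit message should say that read access to these secrets is governed elsewhere, so the change is not mistaken for access control.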
 
 ACK.
 This all looks fine, I only have one question -- SID blacklists now
 became invisible by default to anyone. Even admins can't see them other
 than with --all. I'm not sure they are really that important to deny
 access to, but it makes sense to reduce their visibility to normal
 users.

I think we should differentiate 2 aspects of trust plugin patches:

1) SID blacklist access: with the current patches, only admin, trust admins and
people with the appropriate permission/privilege will have access to SID
blacklists. Normal users will only see basic trust attributes (see patch
529.2). If this is not OK, and everyone should be able to see them, please yell.

2) SID blacklist visibility: with the proposed patches, the SID blacklist will be
hidden unless the --all option is passed. I think this is a UX question rather
than a functional question: whether the SID blacklist should be printed with each
trust-find or trust-show.

I would personally not show them to make the display simpler and would remove
search_display_attributes entirely (or make the blacklist shown in trust-show, but
not with trust-find), but I do not insist.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 530 trust plugin: Fix typo in attribute name

2014-04-28 Thread Alexander Bokovoy

On Mon, 28 Apr 2014, Martin Kosek wrote:

On 04/28/2014 11:14 AM, Alexander Bokovoy wrote:

On Fri, 18 Apr 2014, Petr Viktorin wrote:

From 00756cf2c9682b32dba3388e07dda3fad916e284 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Thu, 17 Apr 2014 19:06:52 +0200
Subject: [PATCH] trust plugin: Remove ipatrustauth{incoming,outgoing} from
default attrs

These attributes contain secrets for the trusts and should not be returned
by default.
---
ipalib/plugins/trust.py | 7 +++
1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index
f57cf7d891928903fdbee67697b96db4ad2679b7..8fff1cae306559fb42209cbd1aaabcbd9046a27b
100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -306,12 +306,11 @@ class trust(LDAPObject):
object_name_plural = _('trusts')
object_class = ['ipaNTTrustedDomain']
default_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid',
-'ipanttrusttype', 'ipanttrustattributes', 'ipanttrustdirection',
'ipanttrustpartner',
-'ipantauthtrustoutgoing', 'ipanttrustauthincoming',
'ipanttrustforesttrustinfo',
+'ipanttrusttype', 'ipanttrustattributes', 'ipanttrustdirection',
+'ipanttrustpartner', 'ipanttrustforesttrustinfo',
'ipanttrustposixoffset', 'ipantsupportedencryptiontypes' ]
search_display_attributes = ['cn', 'ipantflatname',
- 'ipanttrusteddomainsid', 'ipanttrusttype',
- 'ipantsidblacklistincoming',
'ipantsidblacklistoutgoing' ]
+ 'ipanttrusteddomainsid', 'ipanttrusttype']

label = _('Trusts')
label_singular = _('Trust')
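Review bot: the removed default_attributes line spells the outgoing attribute 'ipantauthtrustoutgoing' while the incoming one is 'ipanttrustauthincoming', so the two names never followed the same pattern. Before merging, search the rest of trust.py for the 'ipantauthtrust' spelling so that no other reference to the misspelled name is left behind.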


ACK.
This all looks fine, I only have one question -- SID blacklists now
became invisible by default to anyone. Even admins can't see them other
than with --all. I'm not sure they are really that important to deny
access to, but it makes sense to reduce their visibility to normal
users.


I think we should differentiate 2 aspects of trust plugin patches:

1) SID blacklist access: with current patches, only admin, trust admins and
people with appropriate permission/privilege will have access to SID
blacklists. Normal users will only see basic trust attributes (see patch
529.2). If this is not OK, and everyone should be able to see them, please yell.

I'm OK with this state.



2) SID blacklist visibility: with proposed patches, SID blacklist will be
hidden unless --all option is passed. I think this is rather a UX question than
functional question. Whether SID blacklist should be printed with each
trust-find or trust-show.

I would personally not show them to make the display simpler and would remove
search_display_attributes entirely (or make blacklist shown in trust-show, but
not with trust-find)  but I do not insist.

The only potential issue in not showing them is that this breaks
whatever QE tests expected in the past. I.e. if they were expecting the SID
blacklist to be shown, that would be broken. To my knowledge there is no
real dependency on such data in the QE scripts yet.

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH] 530 trust plugin: Fix typo in attribute name

2014-04-28 Thread Martin Kosek
On 04/28/2014 12:38 PM, Alexander Bokovoy wrote:
 On Mon, 28 Apr 2014, Martin Kosek wrote:
 On 04/28/2014 11:14 AM, Alexander Bokovoy wrote:
 On Fri, 18 Apr 2014, Petr Viktorin wrote:
 From 00756cf2c9682b32dba3388e07dda3fad916e284 Mon Sep 17 00:00:00 2001
 From: Petr Viktorin pvikt...@redhat.com
 Date: Thu, 17 Apr 2014 19:06:52 +0200
 Subject: [PATCH] trust plugin: Remove ipatrustauth{incoming,outgoing} from
 default attrs

 These attributes contain secrets for the trusts and should not be returned
 by default.
 ---
 ipalib/plugins/trust.py | 7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

 diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
 index
 f57cf7d891928903fdbee67697b96db4ad2679b7..8fff1cae306559fb42209cbd1aaabcbd9046a27b

 100644
 --- a/ipalib/plugins/trust.py
 +++ b/ipalib/plugins/trust.py
 @@ -306,12 +306,11 @@ class trust(LDAPObject):
 object_name_plural = _('trusts')
 object_class = ['ipaNTTrustedDomain']
 default_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid',
 -'ipanttrusttype', 'ipanttrustattributes', 'ipanttrustdirection',
 'ipanttrustpartner',
 -'ipantauthtrustoutgoing', 'ipanttrustauthincoming',
 'ipanttrustforesttrustinfo',
 +'ipanttrusttype', 'ipanttrustattributes', 'ipanttrustdirection',
 +'ipanttrustpartner', 'ipanttrustforesttrustinfo',
 'ipanttrustposixoffset', 'ipantsupportedencryptiontypes' ]
 search_display_attributes = ['cn', 'ipantflatname',
 - 'ipanttrusteddomainsid', 
 'ipanttrusttype',
 - 'ipantsidblacklistincoming',
 'ipantsidblacklistoutgoing' ]
 + 'ipanttrusteddomainsid', 
 'ipanttrusttype']

 label = _('Trusts')
 label_singular = _('Trust')
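Review bot: after this change search_display_attributes holds only 'cn', 'ipantflatname', 'ipanttrusteddomainsid' and 'ipanttrusttype', all of which are already in default_attributes. If the find output is meant to be a subset of the defaults, a short comment above the list saying so would keep the two lists from drifting apart again.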

 ACK.
 This all looks fine, I only have one question -- SID blacklists now
 became invisible by default to anyone. Even admins can't see them other
 than with --all. I'm not sure they are really that important to deny
 access to, but it makes sense to reduce their visibility to normal
 users.

 I think we should differentiate 2 aspects of trust plugin patches:

 1) SID blacklist access: with current patches, only admin, trust admins and
 people with appropriate permission/privilege will have access to SID
 blacklists. Normal users will only see basic trust attributes (see patch
 529.2). If this is not OK, and everyone should be able to see them, please yell.

 I'm OK with this state.

 2) SID blacklist visibility: with proposed patches, SID blacklist will be
 hidden unless --all option is passed. I think this is rather a UX question than
 functional question. Whether SID blacklist should be printed with each
 trust-find or trust-show.

 I would personally not show them to make the display simpler and would remove
 search_display_attributes entirely (or make blacklist shown in trust-show, but
 not with trust-find)  but I do not insist.

 The only potential issue in not showing them is that this breaks
 whatever QE tests expected in past. I.e. if they were expecting SID
 blacklist to be shown, that would be broken. To my knowledge there is no
 real dependency on such data in the QE scripts yet.

I would personally drive FreeIPA development by what we see as the right
behavior, not by the state of potentially old QE scripts. Tests should reflect
such changes in the code and adhere to them, not vice versa, IMO.

Martin



Re: [Freeipa-devel] [PATCH] 530 trust plugin: Fix typo in attribute name

2014-04-28 Thread Petr Viktorin

On 04/28/2014 11:14 AM, Alexander Bokovoy wrote:

On Fri, 18 Apr 2014, Petr Viktorin wrote:

From 00756cf2c9682b32dba3388e07dda3fad916e284 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Thu, 17 Apr 2014 19:06:52 +0200
Subject: [PATCH] trust plugin: Remove ipatrustauth{incoming,outgoing} from
default attrs

These attributes contain secrets for the trusts and should not be returned
by default.
---
ipalib/plugins/trust.py | 7 +++
1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index
f57cf7d891928903fdbee67697b96db4ad2679b7..8fff1cae306559fb42209cbd1aaabcbd9046a27b
100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -306,12 +306,11 @@ class trust(LDAPObject):
object_name_plural = _('trusts')
object_class = ['ipaNTTrustedDomain']
default_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid',
-'ipanttrusttype', 'ipanttrustattributes',
'ipanttrustdirection', 'ipanttrustpartner',
-'ipantauthtrustoutgoing', 'ipanttrustauthincoming',
'ipanttrustforesttrustinfo',
+'ipanttrusttype', 'ipanttrustattributes', 'ipanttrustdirection',
+'ipanttrustpartner', 'ipanttrustforesttrustinfo',
'ipanttrustposixoffset', 'ipantsupportedencryptiontypes' ]
search_display_attributes = ['cn', 'ipantflatname',
- 'ipanttrusteddomainsid',
'ipanttrusttype',
- 'ipantsidblacklistincoming',
'ipantsidblacklistoutgoing' ]
+ 'ipanttrusteddomainsid',
'ipanttrusttype']

label = _('Trusts')
label_singular = _('Trust')
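Review bot: style point on the closing brackets: the new search_display_attributes line ends with 'ipanttrusttype'] while the unchanged default_attributes line above it still ends with 'ipantsupportedencryptiontypes' ], with a space before the bracket. Use one form for both lists.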


ACK.


Thanks, pushed to master: e31688909cbc5f7ab6c8d03bb28786a2dd29efe4


This all looks fine, I only have one question -- SID blacklists now
became invisible by default to anyone. Even admins can't see them other
than with --all. I'm not sure they are really that important to deny
access to, but it makes sense to reduce their visibility to normal
users.



--
Petr³



Re: [Freeipa-devel] [PATCH] 530 trust plugin: Fix typo in attribute name

2014-04-22 Thread Petr Viktorin

On 04/18/2014 03:40 PM, Martin Kosek wrote:

On 04/18/2014 01:55 PM, Petr Viktorin wrote:

On 04/17/2014 10:12 PM, Alexander Bokovoy wrote:

On Thu, 17 Apr 2014, Simo Sorce wrote:

On Thu, 2014-04-17 at 20:30 +0200, Martin Kosek wrote:

On 04/17/2014 07:11 PM, Petr Viktorin wrote:

Hello,
While working on the trust permissions I found a typo in the
'ipanttrustauthoutgoing' attribute in default_attributes. Here is a fix.


I think the right question to ask - do we want to have
ipanttrustauth{incoming,outgoing} in default attributes?

I do not think so. It is supposed to hold a secret for the trust, I do not
think you want it displayed on your terminal by default - even if you have a
right to display it.


Yep, should not be returned by default to any command line utility.

Agreed. I wanted to remove it too the other day but forgot to file a
ticket.



I see.
Here is a patch to remove them.



Why did you remove SID blacklists from search_display_attributes? Is this what
we want?


Oops, a mistake on my part.


It changes trust-find behavior from:

# ipa trust-find
---
1 trust matched
---
   Realm name: tbad.example.com
   Domain NetBIOS name: TBAD
   Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
   SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4,
   S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12,
   S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
   SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4,
   S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12,
   S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
   Trust type: Active Directory domain

Number of entries returned 1


to

# ipa trust-find
---
1 trust matched
---
   Realm name: tbad.example.com
   Domain NetBIOS name: TBAD
   Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
   Trust type: Active Directory domain

Number of entries returned 1


I am not saying it is necessarily a bad thing to do. It IMO actually makes find
output consistent with trust-show and better to read.

I would personally remove search_display_attributes altogether since we are
poking in this part and let trust return default attributes in the trust-find
command.

Martin


Alexander, would you be okay with that?


--
Petr³



Re: [Freeipa-devel] [PATCH] 530 trust plugin: Fix typo in attribute name

2014-04-18 Thread Petr Viktorin

On 04/17/2014 10:12 PM, Alexander Bokovoy wrote:

On Thu, 17 Apr 2014, Simo Sorce wrote:

On Thu, 2014-04-17 at 20:30 +0200, Martin Kosek wrote:

On 04/17/2014 07:11 PM, Petr Viktorin wrote:
 Hello,
 While working on the trust permissions I found a typo in the
 'ipanttrustauthoutgoing' attribute in default_attributes. Here is a fix.


I think the right question to ask - do we want to have
ipanttrustauth{incoming,outgoing} in default attributes?

I do not think so. It is supposed to hold a secret for the trust, I do not
think you want it displayed on your terminal by default - even if you have a
right to display it.


Yep, should not be returned by default to any command line utility.

Agreed. I wanted to remove it too the other day but forgot to file a
ticket.



I see.
Here is a patch to remove them.

--
Petr³

From 00756cf2c9682b32dba3388e07dda3fad916e284 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Thu, 17 Apr 2014 19:06:52 +0200
Subject: [PATCH] trust plugin: Remove ipatrustauth{incoming,outgoing} from
 default attrs

These attributes contain secrets for the trusts and should not be returned
by default.
---
 ipalib/plugins/trust.py | 7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index f57cf7d891928903fdbee67697b96db4ad2679b7..8fff1cae306559fb42209cbd1aaabcbd9046a27b 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -306,12 +306,11 @@ class trust(LDAPObject):
 object_name_plural = _('trusts')
 object_class = ['ipaNTTrustedDomain']
 default_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid',
-'ipanttrusttype', 'ipanttrustattributes', 'ipanttrustdirection', 'ipanttrustpartner',
-'ipantauthtrustoutgoing', 'ipanttrustauthincoming', 'ipanttrustforesttrustinfo',
+'ipanttrusttype', 'ipanttrustattributes', 'ipanttrustdirection',
+'ipanttrustpartner', 'ipanttrustforesttrustinfo',
 'ipanttrustposixoffset', 'ipantsupportedencryptiontypes' ]
 search_display_attributes = ['cn', 'ipantflatname',
- 'ipanttrusteddomainsid', 'ipanttrusttype',
- 'ipantsidblacklistincoming', 'ipantsidblacklistoutgoing' ]
+ 'ipanttrusteddomainsid', 'ipanttrusttype']
 
 label = _('Trusts')
 label_singular = _('Trust')
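Review bot: the search_display_attributes part of this hunk drops 'ipantsidblacklistincoming' and 'ipantsidblacklistoutgoing', which neither the subject nor the commit message mentions; they only cover ipatrustauth{incoming,outgoing} in default_attributes. Either restore the two blacklist entries here or move their removal to its own commit with a message explaining the change to the search output.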
-- 
1.9.0


Re: [Freeipa-devel] [PATCH] 530 trust plugin: Fix typo in attribute name

2014-04-18 Thread Martin Kosek
On 04/18/2014 01:55 PM, Petr Viktorin wrote:
 On 04/17/2014 10:12 PM, Alexander Bokovoy wrote:
 On Thu, 17 Apr 2014, Simo Sorce wrote:
 On Thu, 2014-04-17 at 20:30 +0200, Martin Kosek wrote:
 On 04/17/2014 07:11 PM, Petr Viktorin wrote:
  Hello,
  While working on the trust permissions I found a typo in the
  'ipanttrustauthoutgoing' attribute in default_attributes. Here is a fix.


 I think the right question to ask - do we want to have
 ipanttrustauth{incoming,outgoing} in default attributes?

 I do not think so. It is supposed to hold a secret for the trust, I do not
 think you want it displayed on your terminal by default - even if you have a
 right to display it.

 Yep, should not be returned by default to any command line utility.
 Agreed. I wanted to remove it too the other day but forgot to file a
 ticket.

 
 I see.
 Here is a patch to remove them.
 

Why did you remove SID blacklists from search_display_attributes? Is this what
we want?

It changes trust-find behavior from:

# ipa trust-find
---
1 trust matched
---
  Realm name: tbad.example.com
  Domain NetBIOS name: TBAD
  Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4,
  S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12,
  S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7, S-1-5-6, S-1-5-5, S-1-5-4,
  S-1-5-9, S-1-5-8, S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14, S-1-5-13, S-1-5-12,
  S-1-5-11, S-1-5-10, S-1-3, S-1-2, S-1-1, S-1-0, S-1-5-19, S-1-5-18
  Trust type: Active Directory domain

Number of entries returned 1


to

# ipa trust-find
---
1 trust matched
---
  Realm name: tbad.example.com
  Domain NetBIOS name: TBAD
  Domain Security Identifier: S-1-5-21-2997650941-1802118864-3094776726
  Trust type: Active Directory domain

Number of entries returned 1


I am not saying it is necessarily a bad thing to do. It IMO actually makes find
output consistent with trust-show and better to read.

I would personally remove search_display_attributes altogether since we are
poking in this part and let trust return default attributes in the trust-find
command.

Martin



[Freeipa-devel] [PATCH] 530 trust plugin: Fix typo in attribute name

2014-04-17 Thread Petr Viktorin

Hello,
While working on the trust permissions I found a typo in the 
'ipanttrustauthoutgoing' attribute in default_attributes. Here is a fix.



--
Petr³
From ef98055a524dffbe98098def896f40592a3fdac4 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Thu, 17 Apr 2014 19:06:52 +0200
Subject: [PATCH] trust plugin: Fix typo in attribute name

---
 ipalib/plugins/trust.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index f57cf7d891928903fdbee67697b96db4ad2679b7..428d6463de092f378458f837fe7ea9ad002a4480 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -307,7 +307,7 @@ class trust(LDAPObject):
 object_class = ['ipaNTTrustedDomain']
 default_attributes = ['cn', 'ipantflatname', 'ipanttrusteddomainsid',
 'ipanttrusttype', 'ipanttrustattributes', 'ipanttrustdirection', 'ipanttrustpartner',
-'ipantauthtrustoutgoing', 'ipanttrustauthincoming', 'ipanttrustforesttrustinfo',
+'ipanttrustauthoutgoing', 'ipanttrustauthincoming', 'ipanttrustforesttrustinfo',
 'ipanttrustposixoffset', 'ipantsupportedencryptiontypes' ]
 search_display_attributes = ['cn', 'ipantflatname',
  'ipanttrusteddomainsid', 'ipanttrusttype',
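Review bot: the commit message has no body, and the corrected default_attributes entry 'ipanttrustauthoutgoing' now sits next to 'ipanttrustauthincoming' as a correctly spelled name, so the fix changes what the default list names rather than being purely cosmetic. Please add a line to the message saying what the misspelled 'ipantauthtrustoutgoing' caused and confirm that returning both trust-auth attributes by default is intended.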
-- 
1.9.0


Re: [Freeipa-devel] [PATCH] 530 trust plugin: Fix typo in attribute name

2014-04-17 Thread Martin Kosek

On 04/17/2014 07:11 PM, Petr Viktorin wrote:

Hello,
While working on the trust permissions I found a typo in the
'ipanttrustauthoutgoing' attribute in default_attributes. Here is a fix.



I think the right question to ask - do we want to have 
ipanttrustauth{incoming,outgoing} in default attributes?


I do not think so. It is supposed to hold a secret for the trust, I do not 
think you want it displayed on your terminal by default - even if you have a 
right to display it.


Martin
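
Added example (not part of the original thread and not FreeIPA code): a small Python lint over a plugin's attribute lists that catches both problems raised in this thread, a misspelled attribute name and a secret-bearing attribute in a default list. KNOWN_ATTRS, SECRET_ATTRS and lint_attr_list are hypothetical names; the schema set is constructed from the attribute names that appear on this page.

```python
from difflib import get_close_matches

# Constructed stand-in for the directory schema: the trust attribute names
# that appear on this page, with the corrected spelling from the first patch.
KNOWN_ATTRS = frozenset([
    'cn', 'ipantflatname', 'ipanttrusteddomainsid', 'ipanttrusttype',
    'ipanttrustattributes', 'ipanttrustdirection', 'ipanttrustpartner',
    'ipanttrustauthoutgoing', 'ipanttrustauthincoming',
    'ipanttrustforesttrustinfo', 'ipanttrustposixoffset',
    'ipantsupportedencryptiontypes', 'ipantsidblacklistincoming',
    'ipantsidblacklistoutgoing',
])
# The two attributes the thread describes as holding the trust secret.
SECRET_ATTRS = frozenset(['ipanttrustauthoutgoing', 'ipanttrustauthincoming'])


def lint_attr_list(attrs):
    """Return (kind, attribute, suggestion) findings for one attribute list.

    kind is 'secret' for a secret-bearing attribute, 'unknown' for a name
    missing from the schema, and 'unknown-secret' when the closest schema
    name is itself secret, i.e. fixing the typo alone would expose it.
    """
    findings = []
    candidates = sorted(KNOWN_ATTRS)
    for name in attrs:
        key = name.lower()  # LDAP attribute names are case-insensitive
        if key in SECRET_ATTRS:
            findings.append(('secret', name, None))
        elif key not in KNOWN_ATTRS:
            close = get_close_matches(key, candidates, n=1, cutoff=0.7)
            suggestion = close[0] if close else None
            kind = 'unknown-secret' if suggestion in SECRET_ATTRS else 'unknown'
            findings.append((kind, name, suggestion))
    return findings


# Attribute lists reconstructed from the diffs on this page (order simplified).
BASE = [
    'cn', 'ipantflatname', 'ipanttrusteddomainsid', 'ipanttrusttype',
    'ipanttrustattributes', 'ipanttrustdirection', 'ipanttrustpartner',
    'ipanttrustforesttrustinfo', 'ipanttrustposixoffset',
    'ipantsupportedencryptiontypes',
]
BEFORE = BASE + ['ipantauthtrustoutgoing', 'ipanttrustauthincoming']
TYPO_FIXED = BASE + ['ipanttrustauthoutgoing', 'ipanttrustauthincoming']
AFTER = list(BASE)

if __name__ == '__main__':
    for label, attrs in (('before', BEFORE),
                         ('typo fixed', TYPO_FIXED),
                         ('after', AFTER)):
        print(label, lint_attr_list(attrs))
```

Run over the three states of default_attributes, the lint shows why the typo fix alone was not enough: the corrected list still names both secret attributes, and only the list from the follow-up patch comes back clean.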



Re: [Freeipa-devel] [PATCH] 530 trust plugin: Fix typo in attribute name

2014-04-17 Thread Simo Sorce
On Thu, 2014-04-17 at 20:30 +0200, Martin Kosek wrote:
 On 04/17/2014 07:11 PM, Petr Viktorin wrote:
  Hello,
  While working on the trust permissions I found a typo in the
  'ipanttrustauthoutgoing' attribute in default_attributes. Here is a fix.
 
 
 I think the right question to ask - do we want to have 
 ipanttrustauth{incoming,outgoing} in default attributes?
 
 I do not think so. It is supposed to hold a secret for the trust, I do not 
 think you want it displayed on your terminal by default - even if you have a 
 right to display it.

Yep, should not be returned by default to any command line utility.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH] 530 trust plugin: Fix typo in attribute name

2014-04-17 Thread Alexander Bokovoy

On Thu, 17 Apr 2014, Simo Sorce wrote:

On Thu, 2014-04-17 at 20:30 +0200, Martin Kosek wrote:

On 04/17/2014 07:11 PM, Petr Viktorin wrote:
 Hello,
 While working on the trust permissions I found a typo in the
 'ipanttrustauthoutgoing' attribute in default_attributes. Here is a fix.


I think the right question to ask - do we want to have
ipanttrustauth{incoming,outgoing} in default attributes?

I do not think so. It is supposed to hold a secret for the trust, I do not
think you want it displayed on your terminal by default - even if you have a
right to display it.


Yep, should not be returned by default to any command line utility.

Agreed. I wanted to remove it too the other day but forgot to file a
ticket.

--
/ Alexander Bokovoy
