Re: [Freeipa-devel] [PATCH] 0264-HBAC-deny-warning.

2011-07-06 Thread Endi Sukma Dewata

On 7/6/2011 4:44 PM, Adam Young wrote:

On 07/06/2011 04:51 PM, Adam Young wrote:

On 07/06/2011 03:54 PM, Adam Young wrote:

On 07/06/2011 03:24 PM, Endi Sukma Dewata wrote:

On 7/6/2011 10:40 AM, Adam Young wrote:

Rebased. Also, updated the hbacrule_find.json sample data to show the
deny rules in static view


Some issues:

1. The red 'deny' text doesn't line up with the column header or
'allow' text. The padding-left in .hbac-deny-rule class should be
removed.

Fixed


2. The link to the hbac-deny-remove.html on live server is broken.
On live server the file is located under /ipa/config path instead of
/ipa/html.

Fixed. Now works in both static and live server


3. There are untranslated messages in hbac.js lines 1016, 1021,
1025, 1032, 1037. Please mark them with 'I18n' for later clean up.

Not worth the effort for this


4. Optional: Ideally the setup() in the accessruletype column should
call the superclass' setup() then just add the 'hbac-deny-rule'
class to the container. For this particular case it's not a problem
because the possible values are only 'allow' or 'deny'. However if
the column is linked or uses some kind of formatting it will not be
rendered correctly.


Again, since this is a short term fix, not worth the effort.


ACK and pushed to master.

--
Endi S. Dewata

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 0264-HBAC-deny-warning.

2011-07-06 Thread Adam Young

On 07/06/2011 04:51 PM, Adam Young wrote:

On 07/06/2011 03:54 PM, Adam Young wrote:

On 07/06/2011 03:24 PM, Endi Sukma Dewata wrote:

On 7/6/2011 10:40 AM, Adam Young wrote:
Rebased. Also, updated the hbacrule_find.json sample data to show the
deny rules in static view


Some issues:

1. The red 'deny' text doesn't line up with the column header or 
'allow' text. The padding-left in .hbac-deny-rule class should be 
removed.

Fixed


2. The link to the hbac-deny-remove.html on live server is broken. 
On live server the file is located under /ipa/config path instead of 
/ipa/html.

Fixed.  Now works in both static and live server


3. There are untranslated messages in hbac.js lines 1016, 1021, 
1025, 1032, 1037. Please mark them with 'I18n' for later clean up.

Not worth the effort for this


4. Optional: Ideally the setup() in the accessruletype column should 
call the superclass' setup() then just add the 'hbac-deny-rule' 
class to the container. For this particular case it's not a problem 
because the possible values are only 'allow' or 'deny'. However if 
the column is linked or uses some kind of formatting it will not be 
rendered correctly.



Again, since this is a short term fix, not worth the effort.




From 21eaddbbf573e1e9997517035df0ed5a90614959 Mon Sep 17 00:00:00 2001
From: Adam Young 
Date: Tue, 5 Jul 2011 17:59:05 -0400
Subject: [PATCH] HBAC deny warning

shows dialog if there are any HBAC deny rules.  Dialog provides option to navigate to the HBAC page.  Deny rules have their rule type value show up in red.

Only shows up for administrators, not for self service users.

https://fedorahosted.org/freeipa/ticket/1421
---
 freeipa.spec.in |7 +++
 install/html/Makefile.am|1 +
 install/html/hbac-deny-remove.html  |   82 +++
 install/ui/hbac.js  |   53 +++-
 install/ui/ipa.css  |5 ++
 install/ui/ipa.js   |9 +++
 install/ui/test/bin/update_ipa_init.sh  |2 +-
 install/ui/test/data/hbacrule_find.json |   58 +++---
 install/ui/test/data/ipa_init.json  |   66 +---
 install/ui/webui.js |6 ++
 install/ui/widget.js|5 +-
 11 files changed, 262 insertions(+), 32 deletions(-)
 create mode 100644 install/html/hbac-deny-remove.html

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 5ba38cb0272aa783702a34396da51a05779ef05f..276001ae65758c3915561defa57c9154a269a453 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -261,6 +261,8 @@ ln -s ../../../..%{_sysconfdir}/ipa/html/unauthorized.html \
 %{buildroot}%{_usr}/share/ipa/html/unauthorized.html
 ln -s ../../../..%{_sysconfdir}/ipa/html/browserconfig.html \
 %{buildroot}%{_usr}/share/ipa/html/browserconfig.html
+ln -s ../../../..%{_sysconfdir}/ipa/html/hbac-deny-remove.html \
+%{buildroot}%{_usr}/share/ipa/html/hbac-deny-remove.html
 ln -s ../../../..%{_sysconfdir}/ipa/html/ipa_error.css \
 %{buildroot}%{_usr}/share/ipa/html/ipa_error.css
 
@@ -386,6 +388,7 @@ fi
 %{_usr}/share/ipa/html/ssbrowser.html
 %{_usr}/share/ipa/html/browserconfig.html
 %{_usr}/share/ipa/html/unauthorized.html
+%{_usr}/share/ipa/html/hbac-deny-remove.html
 %{_usr}/share/ipa/html/ipa_error.css
 %dir %{_usr}/share/ipa/migration
 %{_usr}/share/ipa/migration/error.html
@@ -412,6 +415,7 @@ fi
 %config(noreplace) %{_sysconfdir}/ipa/html/ipa_error.css
 %config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html
 %config(noreplace) %{_sysconfdir}/ipa/html/browserconfig.html
+%config(noreplace) %{_sysconfdir}/ipa/html/hbac-deny-remove.html
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
 %{_usr}/share/ipa/ipa.conf
@@ -500,6 +504,9 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
 
 %changelog
+* Wed Jul 6 2011 Adam Young  - 2.0.90-5
+- Add HTML file describing issues with HBAC deny rules
+
 * Fri Jun 17 2011 Rob Crittenden  - 2.0.90-4
 - Ship ipa-ca-install utility
 
diff --git a/install/html/Makefile.am b/install/html/Makefile.am
index 46e8683c855bd093cf609b1fbc5e3df2d771e9de..c310be6d2351bd8268368f971e93d33ec1e6bf20 100644
--- a/install/html/Makefile.am
+++ b/install/html/Makefile.am
@@ -5,6 +5,7 @@ app_DATA =  \
 	ssbrowser.html			\
 	browserconfig.html   	\
 	unauthorized.html   	\
+hbac-deny-remove.html		\
 	ipa_error.css			\
 	$(NULL)
 
diff --git a/install/html/hbac-deny-remove.html b/ins

Re: [Freeipa-devel] [PATCH] 0264-HBAC-deny-warning.

2011-07-06 Thread Adam Young

On 07/06/2011 03:54 PM, Adam Young wrote:

On 07/06/2011 03:24 PM, Endi Sukma Dewata wrote:

On 7/6/2011 10:40 AM, Adam Young wrote:
Rebased. Also, updated the hbacrule_find.json sample data to show the
deny rules in static view


Some issues:

1. The red 'deny' text doesn't line up with the column header or 
'allow' text. The padding-left in .hbac-deny-rule class should be 
removed.

Fixed


2. The link to the hbac-deny-remove.html on live server is broken. On 
live server the file is located under /ipa/config path instead of 
/ipa/html.

Fixed.  Now works in both static and live server


3. There are untranslated messages in hbac.js lines 1016, 1021, 1025, 
1032, 1037. Please mark them with 'I18n' for later clean up.

Not worth the effort for this


4. Optional: Ideally the setup() in the accessruletype column should 
call the superclass' setup() then just add the 'hbac-deny-rule' class 
to the container. For this particular case it's not a problem because 
the possible values are only 'allow' or 'deny'. However if the column 
is linked or uses some kind of formatting it will not be rendered 
correctly.



Again, since this is a short term fix, not worth the effort.




From b14f80e1f67b00e39a78902a90cbeeb5c9744ca5 Mon Sep 17 00:00:00 2001
From: Adam Young 
Date: Tue, 5 Jul 2011 17:59:05 -0400
Subject: [PATCH] HBAC deny warning

shows dialog if there are any HBAC deny rules.  Dialog provides option to navigate to the HBAC page.  Deny rules have their rule type value show up in red.

Only shows up for administrators, not for self service users.

https://fedorahosted.org/freeipa/ticket/1421
---
 freeipa.spec.in |7 +++
 install/html/Makefile.am|1 +
 install/html/hbac-deny-remove.html  |   82 +++
 install/ui/hbac.js  |   53 +++-
 install/ui/ipa.css  |5 ++
 install/ui/ipa.js   |9 +++
 install/ui/test/bin/update_ipa_init.sh  |2 +-
 install/ui/test/data/hbacrule_find.json |   58 +++---
 install/ui/test/data/ipa_init.json  |   66 +---
 install/ui/webui.js |9 +++
 install/ui/widget.js|5 +-
 11 files changed, 265 insertions(+), 32 deletions(-)
 create mode 100644 install/html/hbac-deny-remove.html

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 5ba38cb0272aa783702a34396da51a05779ef05f..276001ae65758c3915561defa57c9154a269a453 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -261,6 +261,8 @@ ln -s ../../../..%{_sysconfdir}/ipa/html/unauthorized.html \
 %{buildroot}%{_usr}/share/ipa/html/unauthorized.html
 ln -s ../../../..%{_sysconfdir}/ipa/html/browserconfig.html \
 %{buildroot}%{_usr}/share/ipa/html/browserconfig.html
+ln -s ../../../..%{_sysconfdir}/ipa/html/hbac-deny-remove.html \
+%{buildroot}%{_usr}/share/ipa/html/hbac-deny-remove.html
 ln -s ../../../..%{_sysconfdir}/ipa/html/ipa_error.css \
 %{buildroot}%{_usr}/share/ipa/html/ipa_error.css
 
@@ -386,6 +388,7 @@ fi
 %{_usr}/share/ipa/html/ssbrowser.html
 %{_usr}/share/ipa/html/browserconfig.html
 %{_usr}/share/ipa/html/unauthorized.html
+%{_usr}/share/ipa/html/hbac-deny-remove.html
 %{_usr}/share/ipa/html/ipa_error.css
 %dir %{_usr}/share/ipa/migration
 %{_usr}/share/ipa/migration/error.html
@@ -412,6 +415,7 @@ fi
 %config(noreplace) %{_sysconfdir}/ipa/html/ipa_error.css
 %config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html
 %config(noreplace) %{_sysconfdir}/ipa/html/browserconfig.html
+%config(noreplace) %{_sysconfdir}/ipa/html/hbac-deny-remove.html
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
 %{_usr}/share/ipa/ipa.conf
@@ -500,6 +504,9 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
 
 %changelog
+* Wed Jul 6 2011 Adam Young  - 2.0.90-5
+- Add HTML file describing issues with HBAC deny rules
+
 * Fri Jun 17 2011 Rob Crittenden  - 2.0.90-4
 - Ship ipa-ca-install utility
 
diff --git a/install/html/Makefile.am b/install/html/Makefile.am
index 46e8683c855bd093cf609b1fbc5e3df2d771e9de..c310be6d2351bd8268368f971e93d33ec1e6bf20 100644
--- a/install/html/Makefile.am
+++ b/install/html/Makefile.am
@@ -5,6 +5,7 @@ app_DATA =  \
 	ssbrowser.html			\
 	browserconfig.html   	\
 	unauthorized.html   	\
+hbac-deny-remove.html		\
 	ipa_error.css			\
 	$(NULL)
 
diff --git a/install/html/hbac-deny-remove.html b/install/html/hbac-deny-remove.html
new file mode 100644
index ..987819cd21629b2de8fe71c9d140dae9ef049bb2
--- /dev/null
+++ b/install/html/hbac-deny-remove.html
@@

Re: [Freeipa-devel] [PATCH] 0264-HBAC-deny-warning.

2011-07-06 Thread Adam Young

On 07/06/2011 03:24 PM, Endi Sukma Dewata wrote:

On 7/6/2011 10:40 AM, Adam Young wrote:

Rebased. Also, updated the hbacrule_find.json sample data to show the
deny rules in static view


Some issues:

1. The red 'deny' text doesn't line up with the column header or 
'allow' text. The padding-left in .hbac-deny-rule class should be 
removed.

Fixed


2. The link to the hbac-deny-remove.html on live server is broken. On 
live server the file is located under /ipa/config path instead of 
/ipa/html.

Fixed.  Now works in both static and live server


3. There are untranslated messages in hbac.js lines 1016, 1021, 1025, 
1032, 1037. Please mark them with 'I18n' for later clean up.

Not worth the effort for this


4. Optional: Ideally the setup() in the accessruletype column should 
call the superclass' setup() then just add the 'hbac-deny-rule' class 
to the container. For this particular case it's not a problem because 
the possible values are only 'allow' or 'deny'. However if the column 
is linked or uses some kind of formatting it will not be rendered 
correctly.



Again, since this is a short term fix, not worth the effort.

From 429a8f18cc0767c5d21a61e17381fc499071da56 Mon Sep 17 00:00:00 2001
From: Adam Young 
Date: Tue, 5 Jul 2011 17:59:05 -0400
Subject: [PATCH] HBAC deny warning

shows dialog if there are any HBAC deny rules.  Dialog provides option to navigate to the HBAC page.  Deny rules have their rule type value show up in red.

https://fedorahosted.org/freeipa/ticket/1421
---
 freeipa.spec.in |7 +++
 install/html/Makefile.am|1 +
 install/html/hbac-deny-remove.html  |   82 +++
 install/ui/hbac.js  |   53 +++-
 install/ui/ipa.css  |5 ++
 install/ui/ipa.js   |9 +++
 install/ui/test/bin/update_ipa_init.sh  |2 +-
 install/ui/test/data/hbacrule_find.json |   58 +++---
 install/ui/test/data/ipa_init.json  |   66 +---
 install/ui/webui.js |4 ++
 install/ui/widget.js|5 +-
 11 files changed, 260 insertions(+), 32 deletions(-)
 create mode 100644 install/html/hbac-deny-remove.html

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 5ba38cb0272aa783702a34396da51a05779ef05f..276001ae65758c3915561defa57c9154a269a453 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -261,6 +261,8 @@ ln -s ../../../..%{_sysconfdir}/ipa/html/unauthorized.html \
 %{buildroot}%{_usr}/share/ipa/html/unauthorized.html
 ln -s ../../../..%{_sysconfdir}/ipa/html/browserconfig.html \
 %{buildroot}%{_usr}/share/ipa/html/browserconfig.html
+ln -s ../../../..%{_sysconfdir}/ipa/html/hbac-deny-remove.html \
+%{buildroot}%{_usr}/share/ipa/html/hbac-deny-remove.html
 ln -s ../../../..%{_sysconfdir}/ipa/html/ipa_error.css \
 %{buildroot}%{_usr}/share/ipa/html/ipa_error.css
 
@@ -386,6 +388,7 @@ fi
 %{_usr}/share/ipa/html/ssbrowser.html
 %{_usr}/share/ipa/html/browserconfig.html
 %{_usr}/share/ipa/html/unauthorized.html
+%{_usr}/share/ipa/html/hbac-deny-remove.html
 %{_usr}/share/ipa/html/ipa_error.css
 %dir %{_usr}/share/ipa/migration
 %{_usr}/share/ipa/migration/error.html
@@ -412,6 +415,7 @@ fi
 %config(noreplace) %{_sysconfdir}/ipa/html/ipa_error.css
 %config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html
 %config(noreplace) %{_sysconfdir}/ipa/html/browserconfig.html
+%config(noreplace) %{_sysconfdir}/ipa/html/hbac-deny-remove.html
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
 %{_usr}/share/ipa/ipa.conf
@@ -500,6 +504,9 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
 
 %changelog
+* Wed Jul 6 2011 Adam Young  - 2.0.90-5
+- Add HTML file describing issues with HBAC deny rules
+
 * Fri Jun 17 2011 Rob Crittenden  - 2.0.90-4
 - Ship ipa-ca-install utility
 
diff --git a/install/html/Makefile.am b/install/html/Makefile.am
index 46e8683c855bd093cf609b1fbc5e3df2d771e9de..c310be6d2351bd8268368f971e93d33ec1e6bf20 100644
--- a/install/html/Makefile.am
+++ b/install/html/Makefile.am
@@ -5,6 +5,7 @@ app_DATA =  \
 	ssbrowser.html			\
 	browserconfig.html   	\
 	unauthorized.html   	\
+hbac-deny-remove.html		\
 	ipa_error.css			\
 	$(NULL)
 
diff --git a/install/html/hbac-deny-remove.html b/install/html/hbac-deny-remove.html
new file mode 100644
index ..987819cd21629b2de8fe71c9d140dae9ef049bb2
--- /dev/null
+++ b/install/html/hbac-deny-remove.html
@@ -0,0 +1,82 @@
+
+
+
+
+IPA: Identity Policy Audit
+
+
+
+
+
+
+
+
+
+
+
+  
+
+
+
+   
+Removal of HBAC Deny Rules.
+FreeIPA has dropped support for DENY rules from the HBAC
+  specification. 
+  

Re: [Freeipa-devel] [PATCH] 0264-HBAC-deny-warning.

2011-07-06 Thread Endi Sukma Dewata

On 7/6/2011 10:40 AM, Adam Young wrote:

Rebased. Also, updated the hbacrule_find.json sample data to show the
deny rules in static view


Some issues:

1. The red 'deny' text doesn't line up with the column header or 'allow' 
text. The padding-left in .hbac-deny-rule class should be removed.


2. The link to the hbac-deny-remove.html on live server is broken. On 
live server the file is located under /ipa/config path instead of /ipa/html.


3. There are untranslated messages in hbac.js lines 1016, 1021, 1025, 
1032, 1037. Please mark them with 'I18n' for later clean up.


4. Optional: Ideally the setup() in the accessruletype column should 
call the superclass' setup() then just add the 'hbac-deny-rule' class to 
the container. For this particular case it's not a problem because the 
possible values are only 'allow' or 'deny'. However if the column is 
linked or uses some kind of formatting it will not be rendered correctly.


--
Endi S. Dewata



Re: [Freeipa-devel] [PATCH] 0264-HBAC-deny-warning.

2011-07-06 Thread Adam Young

On 07/06/2011 11:40 AM, Adam Young wrote:

On 07/06/2011 11:13 AM, Adam Young wrote:



Rebased.  Also, updated the hbacrule_find.json sample data to show
the deny rules in static view



Now has a page explaining why we are removing the deny rules, and a link 
to it that opens in a new window.
From def2e07cc270d0e5a752f25a0c6766ab7ce144e5 Mon Sep 17 00:00:00 2001
From: Adam Young 
Date: Tue, 5 Jul 2011 17:59:05 -0400
Subject: [PATCH] HBAC deny warning

shows dialog if there are any HBAC deny rules.  Dialog provides option to navigate to the HBAC page.  Deny rules have their rule type value show up in red.

https://fedorahosted.org/freeipa/ticket/1421
---
 freeipa.spec.in |7 +++
 install/html/Makefile.am|1 +
 install/html/hbac-deny-remove.html  |   82 +++
 install/ui/hbac.js  |   48 ++-
 install/ui/ipa.css  |6 ++
 install/ui/ipa.js   |9 +++
 install/ui/test/bin/update_ipa_init.sh  |2 +-
 install/ui/test/data/hbacrule_find.json |   58 +++---
 install/ui/test/data/ipa_init.json  |   66 +---
 install/ui/webui.js |4 ++
 install/ui/widget.js|5 +-
 11 files changed, 256 insertions(+), 32 deletions(-)
 create mode 100644 install/html/hbac-deny-remove.html

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 5ba38cb0272aa783702a34396da51a05779ef05f..276001ae65758c3915561defa57c9154a269a453 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -261,6 +261,8 @@ ln -s ../../../..%{_sysconfdir}/ipa/html/unauthorized.html \
 %{buildroot}%{_usr}/share/ipa/html/unauthorized.html
 ln -s ../../../..%{_sysconfdir}/ipa/html/browserconfig.html \
 %{buildroot}%{_usr}/share/ipa/html/browserconfig.html
+ln -s ../../../..%{_sysconfdir}/ipa/html/hbac-deny-remove.html \
+%{buildroot}%{_usr}/share/ipa/html/hbac-deny-remove.html
 ln -s ../../../..%{_sysconfdir}/ipa/html/ipa_error.css \
 %{buildroot}%{_usr}/share/ipa/html/ipa_error.css
 
@@ -386,6 +388,7 @@ fi
 %{_usr}/share/ipa/html/ssbrowser.html
 %{_usr}/share/ipa/html/browserconfig.html
 %{_usr}/share/ipa/html/unauthorized.html
+%{_usr}/share/ipa/html/hbac-deny-remove.html
 %{_usr}/share/ipa/html/ipa_error.css
 %dir %{_usr}/share/ipa/migration
 %{_usr}/share/ipa/migration/error.html
@@ -412,6 +415,7 @@ fi
 %config(noreplace) %{_sysconfdir}/ipa/html/ipa_error.css
 %config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html
 %config(noreplace) %{_sysconfdir}/ipa/html/browserconfig.html
+%config(noreplace) %{_sysconfdir}/ipa/html/hbac-deny-remove.html
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
 %{_usr}/share/ipa/ipa.conf
@@ -500,6 +504,9 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
 
 %changelog
+* Wed Jul 6 2011 Adam Young  - 2.0.90-5
+- Add HTML file describing issues with HBAC deny rules
+
 * Fri Jun 17 2011 Rob Crittenden  - 2.0.90-4
 - Ship ipa-ca-install utility
 
diff --git a/install/html/Makefile.am b/install/html/Makefile.am
index 46e8683c855bd093cf609b1fbc5e3df2d771e9de..c310be6d2351bd8268368f971e93d33ec1e6bf20 100644
--- a/install/html/Makefile.am
+++ b/install/html/Makefile.am
@@ -5,6 +5,7 @@ app_DATA =  \
 	ssbrowser.html			\
 	browserconfig.html   	\
 	unauthorized.html   	\
+hbac-deny-remove.html		\
 	ipa_error.css			\
 	$(NULL)
 
diff --git a/install/html/hbac-deny-remove.html b/install/html/hbac-deny-remove.html
new file mode 100644
index ..987819cd21629b2de8fe71c9d140dae9ef049bb2
--- /dev/null
+++ b/install/html/hbac-deny-remove.html
@@ -0,0 +1,82 @@
+
+
+
+
+IPA: Identity Policy Audit
+
+
+
+
+
+
+
+
+
+
+
+  
+
+
+
+   
+Removal of HBAC Deny Rules.
+FreeIPA has dropped support for DENY rules from the HBAC
+  specification. 
+The former design of HBAC specifies that
+   
+  If no ALLOW rules match, access is denied
+  If one or more ALLOW rules match and no DENY rules match,
+   access is  allowed
+ If one or more DENY rules match, access is denied
+   
+Thus, DENY rules exist only to provide exceptions from the ALLOW
+  rules. There exists no ALLOW+DENY combination that cannot be
+  constructed from ALLOW rules only.[1]
+
+DENY rules introduce a lot of edg

Re: [Freeipa-devel] [PATCH] 0264-HBAC-deny-warning.

2011-07-06 Thread Adam Young

On 07/06/2011 11:13 AM, Adam Young wrote:



Rebased.  Also, updated the hbacrule_find.json sample data to show
the deny rules in static view
From 480dcbe25309e4c4529ef043f7ff44cb15ae2a68 Mon Sep 17 00:00:00 2001
From: Adam Young 
Date: Tue, 5 Jul 2011 17:59:05 -0400
Subject: [PATCH] HBAC deny warning

shows dialog if there are any HBAC deny rules.  Dialog provides option to navigate to the HBAC page.  Deny rules have their rule type value show up in red.

https://fedorahosted.org/freeipa/ticket/1421
---
 install/ui/hbac.js  |   42 -
 install/ui/ipa.css  |6 ++
 install/ui/ipa.js   |9 
 install/ui/test/bin/update_ipa_init.sh  |2 +-
 install/ui/test/data/hbacrule_find.json |   58 +++
 install/ui/test/data/ipa_init.json  |   78 ++-
 install/ui/webui.js |4 ++
 install/ui/widget.js|5 +-
 8 files changed, 159 insertions(+), 45 deletions(-)

diff --git a/install/ui/hbac.js b/install/ui/hbac.js
index c082056bb5005d6698eea1015fa50586ad9c415d..4386a4e94c24f753a55740aaa1b331e84812e4c5 100644
--- a/install/ui/hbac.js
+++ b/install/ui/hbac.js
@@ -26,7 +26,21 @@ IPA.entity_factories.hbacrule = function () {
 return IPA.entity_builder().
 entity('hbacrule').
 search_facet({
-columns:['cn','usercategory','hostcategory','ipaenabledflag',
+columns:['cn',
+ {
+ factory: IPA.column,
+ name:'accessruletype',
+ setup : function(container,record){
+ container.empty();
+ var value = record[this.name];
+ value = value ? value.toString() : '';
+ if (value === 'deny'){
+ container.addClass('hbac-deny-rule');
+ }
+ container.append(value);
+ }
+ },
+ 'usercategory','hostcategory','ipaenabledflag',
  'servicecategory','sourcehostcategory']
 }).
 details_facet({
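Review bot: in the new accessruletype setup(), container.append(value) passes a server-supplied string to an insert that parses its argument as HTML (assuming container is a jQuery object, as the empty() and addClass() calls suggest). The cell only needs plain text, so set it with container.text(value) and the value can never be interpreted as markup. The class is also only ever added: if the same container is rendered again for an 'allow' record, hbac-deny-rule stays on it, so toggle the class on value === 'deny' instead of adding it conditionally.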
@@ -996,3 +1010,29 @@ IPA.hbacrule_accesstime_widget = function (spec) {
 
 return that;
 };
+
+IPA.hbac_deny_warning_dialog = function (container) {
+var dialog = IPA.dialog({
+'title': 'HBAC Deny Rules found'
+});
+
+dialog.create = function() {
+dialog.container.append(
+"HBAC rules with type deny have been found."+
+"  These rules have been deprecated." +
+"  Please remove them, and restructure the HBAC rules." );
+};
+
+dialog.add_button('Edit HBAC Rules', function() {
+dialog.close();
+IPA.nav.show_page('hbacrule', 'search');
+});
+
+dialog.add_button('Ignore for now', function() {
+dialog.close();
+});
+
+dialog.init();
+
+dialog.open();
+};
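Review bot: the dialog title, the three-sentence body and both button labels in IPA.hbac_deny_warning_dialog are hard-coded English strings, so none of them can be translated; take them from the UI's translated messages or at least mark them for later i18n cleanup. The container parameter is never used in the function body and can be dropped, and since the body text tells the administrator to restructure the rules without saying why or how, a pointer to an explanation would help here.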
diff --git a/install/ui/ipa.css b/install/ui/ipa.css
index 38b5a9118c63c8e1909e91a3e669a233c5ea1cb4..599441b2216f2a00b23856cb83ef29d4ae8cf087 100644
--- a/install/ui/ipa.css
+++ b/install/ui/ipa.css
@@ -645,6 +645,12 @@ div.tabs {
 padding-left: 0.5em;
 }
 
+.hbac-deny-rule {
+padding-left: 0.5em;
+color: red;
+}
+
+
 .search-table tfoot td {
 padding: 0.5em 0 0 1em;
 border-top: 1px solid #dfdfdf;
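Review bot: .hbac-deny-rule sets padding-left: 0.5em in addition to color: red, and the rule closing just above it in the context already ends with the same padding-left; if that rule covers the table cell, the class indents 'deny' a second time and it no longer lines up with the column header or the 'allow' values. Keep only color: red in this class. The hunk also adds two blank lines after the rule where the surrounding rules are separated by one.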
diff --git a/install/ui/ipa.js b/install/ui/ipa.js
index 4f194739b817f80779ff49af5a5092339ddca80f..4b505235bcc8467d50e9143a0842982a5ed81628 100644
--- a/install/ui/ipa.js
+++ b/install/ui/ipa.js
@@ -123,6 +123,15 @@ var IPA = ( function () {
 }
 }));
 
+batch.add_command(IPA.command({
+entity: 'hbacrule',
+method: 'find',
+options:{"accessruletype":"deny"},
+on_success: function(data, text_status, xhr) {
+that.hbac_deny_rules = data;
+}
+}));
+
 batch.execute();
 };
 
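Review bot: the added hbacrule find command defines only on_success, so when this lookup fails, for example for a user who is not allowed to list HBAC rules, that.hbac_deny_rules is simply left undefined and every later reader has to guard against that; add an on_error that sets it to an explicit empty result. The command is also added to the init batch unconditionally, so it runs for every user on every page load and stores the full result set in that.hbac_deny_rules, while the warning only needs to know whether any deny rule exists; consider limiting the lookup to users who can act on it and keeping only a count.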
diff --git a/install/ui/test/bin/update_ipa_init.sh b/install/ui/test/bin/update_ipa_init.sh
index 5cdeacaa42137572c96f4fe9dd5a7a3b3a120153..23852a2693ac72fb29a6bf468e05caedb7851065 100755
--- a/install/ui/test/bin/update_ipa_init.sh
+++ b/install/ui/test/bin/update_ipa_init.sh
@@ -17,4 +17,4 @@ fi
 
 
 
-curl -v -H "Content-Type:application/json" -H "Accept:applicaton/json" --negotiate -u :  --cacert /etc/ipa/ca.crt  -d '{"method":"batch","params":[[ {"method":"json_metadata","params":[[],{}]}, {"method":"i18n_messages","params":[[],{}]}, {"method":"user_find","params":[[],{"whoami":"true","all":"true"}]}, {"method":"env","params":[[],{}]}, {"method":"dns_is_enabled","params":[[],{}]} ],{}],"id":1}'  -X POST  https://`hostname`/ipa/json