Re: [Freeipa-devel] [PATCH] 296 Removed HBAC deny rule warning.

[Endi Sukma Dewata]

On 10/26/2011 2:29 AM, Petr Vobornik wrote:

ACK


Pushed to master.

--
Endi S. Dewata

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 296 Removed HBAC deny rule warning.

[Petr Vobornik]

On 10/25/2011 10:10 PM, Endi Sukma Dewata wrote:

On 10/25/2011 10:40 AM, Petr Vobornik wrote:

1) Some references remained in testing data: hbacrule_find.json,
hbacrule_show.json. Anyway these don't do any harm.


Fixed.


2) Remaining string in internal.py: hbacrule.deny (couldn't find any
usage).


The hbacrule.allow isn't used either. Fixed ipa_init.json too.


ACK

--
Petr Vobornik

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 296 Removed HBAC deny rule warning.

[Endi Sukma Dewata]

On 10/25/2011 10:40 AM, Petr Vobornik wrote:

1) Some references remained in testing data: hbacrule_find.json,
hbacrule_show.json. Anyway these don't do any harm.


Fixed.


2) Remaining string in internal.py: hbacrule.deny (couldn't find any
usage).


The hbacrule.allow isn't used either. Fixed ipa_init.json too.

--
Endi S. Dewata
From d15c1a02d6bce6df246688cb0fed9fbc76ccd216 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata 
Date: Mon, 24 Oct 2011 18:18:10 -0500
Subject: [PATCH] Removed HBAC deny rule warning.

The HBAC deny rule is no longer supported so it's no longer necessary
to show the warning.

Ticket #1444
---
 freeipa.spec.in |7 +--
 install/html/Makefile.am|1 -
 install/html/hbac-deny-remove.html  |   83 ---
 install/ui/hbac.js  |   44 
 install/ui/ipa.css  |5 --
 install/ui/ipa.js   |9 ---
 install/ui/test/bin/update_ipa_init.sh  |   27 +-
 install/ui/test/data/hbacrule_find.json |   40 +--
 install/ui/test/data/hbacrule_show.json |2 +-
 install/ui/test/data/ipa_init.json  |   11 +
 install/ui/webui.js |6 --
 ipalib/plugins/internal.py  |2 -
 12 files changed, 32 insertions(+), 205 deletions(-)
 delete mode 100644 install/html/hbac-deny-remove.html

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 56127037e31a9ed91c9f305f2e80b6f0ccb40189..11729b23a1030c9bf97f991a70e5bbef4f1229fd 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -342,8 +342,6 @@ ln -s ../../../..%{_sysconfdir}/ipa/html/unauthorized.html \
 %{buildroot}%{_usr}/share/ipa/html/unauthorized.html
 ln -s ../../../..%{_sysconfdir}/ipa/html/browserconfig.html \
 %{buildroot}%{_usr}/share/ipa/html/browserconfig.html
-ln -s ../../../..%{_sysconfdir}/ipa/html/hbac-deny-remove.html \
-%{buildroot}%{_usr}/share/ipa/html/hbac-deny-remove.html
 ln -s ../../../..%{_sysconfdir}/ipa/html/ipa_error.css \
 %{buildroot}%{_usr}/share/ipa/html/ipa_error.css
 
@@ -501,7 +499,6 @@ fi
 %{_usr}/share/ipa/html/ssbrowser.html
 %{_usr}/share/ipa/html/browserconfig.html
 %{_usr}/share/ipa/html/unauthorized.html
-%{_usr}/share/ipa/html/hbac-deny-remove.html
 %{_usr}/share/ipa/html/ipa_error.css
 %dir %{_usr}/share/ipa/migration
 %{_usr}/share/ipa/migration/error.html
@@ -526,7 +523,6 @@ fi
 %config(noreplace) %{_sysconfdir}/ipa/html/ipa_error.css
 %config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html
 %config(noreplace) %{_sysconfdir}/ipa/html/browserconfig.html
-%config(noreplace) %{_sysconfdir}/ipa/html/hbac-deny-remove.html
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
@@ -619,6 +615,9 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
 
 %changelog
+* Mon Oct 24 2011 Endi S. Dewata  - 2.99.0-9
+- Removed hbac-deny-remove.html
+
 * Fri Oct 21 2011 Alexander Bokovoy  - 2.99.0-8
 - Default to systemd for Fedora 16 and onwards
 
diff --git a/install/html/Makefile.am b/install/html/Makefile.am
index c310be6d2351bd8268368f971e93d33ec1e6bf20..46e8683c855bd093cf609b1fbc5e3df2d771e9de 100644
--- a/install/html/Makefile.am
+++ b/install/html/Makefile.am
@@ -5,7 +5,6 @@ app_DATA =  \
 	ssbrowser.html			\
 	browserconfig.html   	\
 	unauthorized.html   	\
-hbac-deny-remove.html		\
 	ipa_error.css			\
 	$(NULL)
 
diff --git a/install/html/hbac-deny-remove.html b/install/html/hbac-deny-remove.html
deleted file mode 100644
index 7debfea769503035e1c402dccd082eb1721a80f5..
--- a/install/html/hbac-deny-remove.html
+++ /dev/null
@@ -1,83 +0,0 @@
-
-
-
-
-IPA: Identity Policy Audit
-
-
-
-
-
-
-
-
-
-
-
-
-  
-
-
-
-   
-Removal of HBAC Deny Rules.
-FreeIPA has dropped support for DENY rules from the HBAC
-  specification. 
-The former design of HBAC specifies that
-   
-  If no ALLOW rules match, access is denied
-  If one or more ALLOW rules match and no DENY rules match,
-   access is  allowed
- If one or more DENY rules match, access is denied
-   
-Thus, DENY rules exist only to provide exceptions from the ALLOW
-  rules. There exists no ALLOW+DENY combination that cannot be
-  constructed from ALLOW rules only.[1]
-
-DENY rules introduce a lot of edge-cases for evaluation. The most
-  important of which is the availability of the group membership for
-  the user logging in. Depending on the mechanism used to log in (for
-  example, GSSAPI over SSH or cross-realm

Re: [Freeipa-devel] [PATCH] 296 Removed HBAC deny rule warning.

[Petr Vobornik]

On 10/25/2011 02:01 AM, Endi Sukma Dewata wrote:

The HBAC deny rule is no longer supported so it's no longer necessary
to show the warning.

Ticket #1444



Just a minor things:

1) Some references remained in testing data: hbacrule_find.json, 
hbacrule_show.json. Anyway these don't do any harm.


2) Remaining string in internal.py: hbacrule.deny (couldn't find any usage).

Maybe these don't even need to be fixed. (-> ACK on your judgement)

--
Petr Vobornik

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel