On 10/25/2011 10:40 AM, Petr Vobornik wrote:
> 1) Some references remained in testing data: hbacrule_find.json,
> hbacrule_show.json. Anyway these don't do any harm.

Fixed.

> 2) Remaining string in internal.py: hbacrule.deny (couldn't find any
> usage).

The hbacrule.allow isn't used either. Fixed ipa_init.json too.
--
Endi S. Dewata
From d15c1a02d6bce6df246688cb0fed9fbc76ccd216 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata
Date: Mon, 24 Oct 2011 18:18:10 -0500
Subject: [PATCH] Removed HBAC deny rule warning.
The HBAC deny rule is no longer supported so it's no longer necessary
to show the warning.
Ticket #1444
---
freeipa.spec.in |7 +--
install/html/Makefile.am|1 -
install/html/hbac-deny-remove.html | 83 ---
install/ui/hbac.js | 44
install/ui/ipa.css |5 --
install/ui/ipa.js |9 ---
install/ui/test/bin/update_ipa_init.sh | 27 +-
install/ui/test/data/hbacrule_find.json | 40 +--
install/ui/test/data/hbacrule_show.json |2 +-
install/ui/test/data/ipa_init.json | 11 +
install/ui/webui.js |6 --
ipalib/plugins/internal.py |2 -
12 files changed, 32 insertions(+), 205 deletions(-)
delete mode 100644 install/html/hbac-deny-remove.html
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 56127037e31a9ed91c9f305f2e80b6f0ccb40189..11729b23a1030c9bf97f991a70e5bbef4f1229fd 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -342,8 +342,6 @@ ln -s ../../../..%{_sysconfdir}/ipa/html/unauthorized.html \
%{buildroot}%{_usr}/share/ipa/html/unauthorized.html
ln -s ../../../..%{_sysconfdir}/ipa/html/browserconfig.html \
%{buildroot}%{_usr}/share/ipa/html/browserconfig.html
-ln -s ../../../..%{_sysconfdir}/ipa/html/hbac-deny-remove.html \
-%{buildroot}%{_usr}/share/ipa/html/hbac-deny-remove.html
ln -s ../../../..%{_sysconfdir}/ipa/html/ipa_error.css \
%{buildroot}%{_usr}/share/ipa/html/ipa_error.css
@@ -501,7 +499,6 @@ fi
%{_usr}/share/ipa/html/ssbrowser.html
%{_usr}/share/ipa/html/browserconfig.html
%{_usr}/share/ipa/html/unauthorized.html
-%{_usr}/share/ipa/html/hbac-deny-remove.html
%{_usr}/share/ipa/html/ipa_error.css
%dir %{_usr}/share/ipa/migration
%{_usr}/share/ipa/migration/error.html
@@ -526,7 +523,6 @@ fi
%config(noreplace) %{_sysconfdir}/ipa/html/ipa_error.css
%config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html
%config(noreplace) %{_sysconfdir}/ipa/html/browserconfig.html
-%config(noreplace) %{_sysconfdir}/ipa/html/hbac-deny-remove.html
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
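Review bot: The entry dropped in this hunk was marked %config(noreplace), so on upgrade RPM deletes only an unmodified copy; a locally edited %{_sysconfdir}/ipa/html/hbac-deny-remove.html is left behind as hbac-deny-remove.html.rpmsave. If a leftover page about deny rules in that directory is not wanted, say so in the upgrade notes or clean it up explicitly; otherwise the removal itself looks consistent with the symlink and %files removals in the two hunks above.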
@@ -619,6 +615,9 @@ fi
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
%changelog
+* Mon Oct 24 2011 Endi S. Dewata - 2.99.0-9
+- Removed hbac-deny-remove.html
+
* Fri Oct 21 2011 Alexander Bokovoy - 2.99.0-8
- Default to systemd for Fedora 16 and onwards
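Review bot: The new %changelog entry for 2.99.0-9 names only the removed file and gives no reason. Consider adding the ticket reference from the commit message (Ticket #1444) to the "Removed hbac-deny-remove.html" line so the package history points at why the page was dropped.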
diff --git a/install/html/Makefile.am b/install/html/Makefile.am
index c310be6d2351bd8268368f971e93d33ec1e6bf20..46e8683c855bd093cf609b1fbc5e3df2d771e9de 100644
--- a/install/html/Makefile.am
+++ b/install/html/Makefile.am
@@ -5,7 +5,6 @@ app_DATA = \
ssbrowser.html \
browserconfig.html \
unauthorized.html \
-hbac-deny-remove.html \
ipa_error.css \
$(NULL)
diff --git a/install/html/hbac-deny-remove.html b/install/html/hbac-deny-remove.html
deleted file mode 100644
index 7debfea769503035e1c402dccd082eb1721a80f5..
--- a/install/html/hbac-deny-remove.html
+++ /dev/null
@@ -1,83 +0,0 @@
-
-
-
-
-IPA: Identity Policy Audit
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Removal of HBAC Deny Rules.
-FreeIPA has dropped support for DENY rules from the HBAC
- specification.
-The former design of HBAC specifies that
-
- If no ALLOW rules match, access is denied
- If one or more ALLOW rules match and no DENY rules match,
- access is allowed
- If one or more DENY rules match, access is denied
-
-Thus, DENY rules exist only to provide exceptions from the ALLOW
- rules. There exists no ALLOW+DENY combination that cannot be
- constructed from ALLOW rules only.[1]
-
-DENY rules introduce a lot of edge-cases for evaluation. The most
- important of which is the availability of the group membership for
- the user logging in. Depending on the mechanism used to log in (for
- example, GSSAPI over SSH or cross-realm
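Review bot: The deleted hbac-deny-remove.html is the place where the reasoning for dropping DENY rules is written down (the three evaluation rules, and the statement that DENY rules only provide exceptions to ALLOW rules), while the commit message says only that the warning is no longer necessary. Before the page goes away, please confirm that this explanation is preserved in the project documentation or in the ticket, and reference that location in the commit message so the rationale stays findable.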