On Tue, 2011-07-05 at 10:53 -0400, Dmitri Pal wrote:
> I disagree with the server side UI changes.
> IMO the IPA server should detect the DENY rules at the upgrade step and
> fail the upgrade asking administrator to remove the rules first.
No, upgrade time is the wrong time to ask for complex c
On 07/01/2011 10:28 AM, Simo Sorce wrote:
> On Wed, 2011-06-29 at 16:25 -0400, Jakub Hrozek wrote:
>
>> By removing the deny rules, do we break compatibility with anything else
>> than the IPA tech preview in RHEL and upstream FreeIPA 2.0?
>
> Ok we've had a somewhat heated discussion internally a
On Wed, 2011-06-29 at 16:25 -0400, Jakub Hrozek wrote:
> By removing the deny rules, do we break compatibility with anything else
> than the IPA tech preview in RHEL and upstream FreeIPA 2.0?
Ok we've had a somewhat heated discussion internally about how to deal
with the transition phase for th
>
>>
>> I think that an explicit allow list is usually way better because with
>> deny rules it's easy to fail to enumerate all entities that should be
>> denied, resulting in allowing access we didn't want to.
>>
>> However, does anyone still remember why we opted for deny rules during
>> desig
>
> I think that an explicit allow list is usually way better because with
> deny rules it's easy to fail to enumerate all entities that should be
> denied, resulting in allowing access we didn't want to.
>
> However, does anyone still remember why we opted for deny rules during
> design phase in
On Wed, 2011-06-29 at 16:25 -0400, Jakub Hrozek wrote:
> On 06/29/2011 04:00 PM, Stephen Gallagher wrote:
> > We discussed today on the FreeIPA status meeting the possibility of
> > dropping support for DENY rules from the HBAC specification. I'm
> > submitting it for discussion. Specifically, I'm
On 06/29/2011 04:00 PM, Stephen Gallagher wrote:
We discussed today on the FreeIPA status meeting the possibility of
dropping support for DENY rules from the HBAC specification. I'm
submitting it for discussion. Specifically, I'm looking to hear whether
there are any FreeIPA admins out there that