Re: [Freeipa-devel] Proposal: drop DENY rules from HBAC

2011-07-05 Thread Simo Sorce
On Tue, 2011-07-05 at 10:53 -0400, Dmitri Pal wrote: > I disagree with the server side UI changes. > IMO the IPA server should detect the DENY rules at the upgrade step > and > fail the upgrade asking administrator to remove the rules first. No, upgrade time is the wrong time to ask for complex c

Re: [Freeipa-devel] Proposal: drop DENY rules from HBAC

2011-07-05 Thread Dmitri Pal
On 07/01/2011 10:28 AM, Simo Sorce wrote: > On Wed, 2011-06-29 at 16:25 -0400, Jakub Hrozek wrote: > >> By removing the deny rules, do we break compatibility with anything else >> than the IPA tech preview in RHEL and upstream FreeIPA 2.0? > > Ok we've had a somewhat heated discussion internally a

Re: [Freeipa-devel] Proposal: drop DENY rules from HBAC

2011-07-01 Thread Simo Sorce
On Wed, 2011-06-29 at 16:25 -0400, Jakub Hrozek wrote: > By removing the deny rules, do we break compatibility with anything else > than the IPA tech preview in RHEL and upstream FreeIPA 2.0? Ok we've had a somewhat heated discussion internally about how to deal with the transition phase for th

Re: [Freeipa-devel] Proposal: drop DENY rules from HBAC

2011-06-29 Thread JR Aquino
> >> >> I think that an explicit allow list is usually way better because with >> deny rules it's easy to fail to enumerate all entities that should be >> denied, resulting in allowing access we didn't want to. >> >> However, does anyone still remember why we opted for deny rules during >> desig

Re: [Freeipa-devel] Proposal: drop DENY rules from HBAC

2011-06-29 Thread Dmitri Pal
> > I think that an explicit allow list is usually way better because with > deny rules it's easy to fail to enumerate all entities that should be > denied, resulting in allowing access we didn't want to. > > However, does anyone still remember why we opted for deny rules during > design phase in

Re: [Freeipa-devel] Proposal: drop DENY rules from HBAC

2011-06-29 Thread Simo Sorce
On Wed, 2011-06-29 at 16:25 -0400, Jakub Hrozek wrote: > On 06/29/2011 04:00 PM, Stephen Gallagher wrote: > > We discussed today on the FreeIPA status meeting the possibility of > > dropping support for DENY rules from the HBAC specification. I'm > > submitting it for discussion. Specifically, I'm

Re: [Freeipa-devel] Proposal: drop DENY rules from HBAC

2011-06-29 Thread Jakub Hrozek
On 06/29/2011 04:00 PM, Stephen Gallagher wrote: We discussed today on the FreeIPA status meeting the possibility of dropping support for DENY rules from the HBAC specification. I'm submitting it for discussion. Specifically, I'm looking to hear whether there are any FreeIPA admins out there that