[Freeipa-devel] [SSSD] Proposed changes to the HBAC grammar

Jakub Hrozek jhrozek at redhat.com
Fri Nov 19 12:41:09 UTC 2010


On Thu, Nov 18, 2010 at 03:17:02PM -0500, Simo Sorce wrote:
> On Thu, 18 Nov 2010 16:23:38 +0100
> Jakub Hrozek <jhrozek at redhat.com> wrote:
> 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > On 11/18/2010 02:24 PM, Simo Sorce wrote:
> > > On Thu, 18 Nov 2010 07:21:04 -0500
> > > Stephen Gallagher <sgallagh at redhat.com> wrote:
> > > 
> > >> Doing the forward septets is easy (1*x..7*x), but the reverse
> > >> septets are more complicated (since they would be (y-1*x..y-7*x),
> > >> where y is the total number of days in the month (which also has
> > >> to account for leap years).
> > >>
> > >> I think it might be a nice enhancement, but I recommend that we not
> > >> include it right now, given the tight release schedule for FreeIPA
> > >> v2.
> > > 
> > > As I said before it is a now or never condition.
> > > If you do not put it in now, then when you put it in, old clients
> > > will not understand the rule. And they will have only one option,
> > > always deny access, because they have no way to understand when it
> > > is ok to allow/deny it.
> > > 
> > > Simo.
> > > 
> > 
> > In that case, should we have some version identifier, too? In case we
> > identify some flaw later on and need to change the format once again.
> 
> And what should a client do when it finds a version it does not
> understand ?
> 
> Simo.
> 

At least log it. If the client finds an HBAC rule it does not understand,
it would just error out (which is the better case; what if the syntax
in the new version was the same but the semantics were not?)
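As an added illustration, not code from FreeIPA or SSSD, the following Python sketch does what the thread argues for: rules carry an explicit version field, a client that meets a version it does not know denies access and logs it (rather than guessing at semantics that may have changed under an unchanged syntax), and the "septets" Stephen describes are implemented in both directions, the n-th weekday counted from the start of the month and from the end, with calendar.monthrange supplying the true month length so leap years need no special handling. The rule dictionary layout, the version numbers, the user/host/service names and the sample dates are all assumptions made for this example; they are not the real HBAC grammar.

```python
# Added example (not FreeIPA/SSSD code): a hypothetical versioned HBAC-style
# rule evaluator that fails closed on rule versions it does not understand,
# and implements forward/reverse "septets" (n-th weekday from the start or
# end of a month).  The rule layout and version numbers are assumptions.
import calendar
import datetime as dt
import logging

log = logging.getLogger("hbac-example")

# Versions this (hypothetical) client knows how to evaluate.
SUPPORTED_VERSIONS = {1}


def nth_weekday_of_month(year, month, weekday, n):
    """Day-of-month of the n-th `weekday` (Mon=0 .. Sun=6) in year/month.

    n > 0 counts from the start of the month (forward septet: 1*x..7*x),
    n < 0 counts from the end (reverse septet).  calendar.monthrange
    returns the month's true length, so leap years need no special case.
    Returns None when the month has no such day (e.g. a 5th Friday).
    """
    if n == 0:
        raise ValueError("n must be non-zero")
    first_wd, ndays = calendar.monthrange(year, month)
    if n > 0:
        first = 1 + (weekday - first_wd) % 7      # first such weekday
        day = first + 7 * (n - 1)
    else:
        last_wd = (first_wd + ndays - 1) % 7      # weekday of the last day
        last = ndays - (last_wd - weekday) % 7    # last such weekday
        day = last + 7 * (n + 1)
    return day if 1 <= day <= ndays else None


def septet_matches(when, weekday, n):
    """True if date `when` is the n-th `weekday` of its month."""
    return when.day == nth_weekday_of_month(when.year, when.month, weekday, n)


def evaluate(rule, user, host, service, when):
    """Return True to allow, False to deny.

    The version check comes first: a rule whose version the client does not
    know is denied and logged, even if it parses, because the same syntax
    could carry different semantics in a later version.
    """
    version = rule.get("version")
    if version not in SUPPORTED_VERSIONS:
        log.error("HBAC rule %r has unsupported version %r; denying access",
                  rule.get("name"), version)
        return False
    if (user not in rule["users"] or host not in rule["hosts"]
            or service not in rule["services"]):
        return False
    times = rule.get("time", [])
    if not times:
        return True                               # no time constraint
    return any(septet_matches(when, t["weekday"], t["n"]) for t in times)


# Constructed sample rules for the example (not real FreeIPA data).
RULE_V1 = {
    "name": "backup-operators",
    "version": 1,
    "users": {"alice"}, "hosts": {"db1"}, "services": {"sshd"},
    # allow only on the last Friday of each month (Friday = 4, n = -1)
    "time": [{"weekday": 4, "n": -1}],
}
RULE_V2 = dict(RULE_V1, name="future-rule", version=2)


def decisions():
    """Evaluate the sample rules on a few dates; returns a dict of results."""
    return {
        "v1_last_friday": evaluate(RULE_V1, "alice", "db1", "sshd", dt.date(2010, 11, 26)),
        "v1_other_friday": evaluate(RULE_V1, "alice", "db1", "sshd", dt.date(2010, 11, 19)),
        "v1_wrong_user": evaluate(RULE_V1, "bob", "db1", "sshd", dt.date(2010, 11, 26)),
        "v2_unknown_version": evaluate(RULE_V2, "alice", "db1", "sshd", dt.date(2010, 11, 26)),
    }


if __name__ == "__main__":
    for name, allowed in decisions().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The reverse case only needs the weekday of the month's last day, which falls out of monthrange; there is no separate leap-year branch. The unknown-version branch is deliberately the first test in evaluate, ahead of the user/host/service matching, so that a client never reaches a point where it applies old semantics to a rule written under new ones.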
