[Freeipa-devel] [WIP] Add command to test HBAC rules

Alexander Bokovoy abokovoy at redhat.com
Mon Jul 25 17:01:45 UTC 2011


On 25.07.2011 19:57, Jenny Galipeau wrote:
>> 1. No option specified. Default case, run simulation against all
>> enabled IPA rules.
>>
>> 2. --rules specified. Run simulation against only those rules in
>> --rules.
>>
>> 3. --rules and --enabled specified. Run simulation against all enabled
>> IPA rules _and_ additionally enable those in --rules. This is a case of
>> testing new HBAC rules before going to production.
> 
> If you are not going to target specific rules, do you still have to supply the --rules option on the command line? I would think just --enabled or --disabled?
By default, if you don't supply --rules, --enabled, or --disabled, you
are targeting all enabled IPA rules (case 1 above). This is the default
because this is what people would probably like to test: whether a user is
able to access the service.

So, the default one (no --rules, --enabled, or --disabled) would imply --enabled.

>> During test simulation of such access granting it is important to
>> understand which rule has caused a problem, be it an excessive access
>> grant or a premature deny. '--detail' is an option which allows you to
>> see how the simulation went, which rules granted access and which denied.
> 
> Got it, so maybe it was just the wording in the help output that confused me. "Details of the rule(s) being validated"?
Maybe "Show which rules are passed, denied, and invalid"?


-- 
/ Alexander Bokovoy
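To make the three option cases and the --detail reporting concrete, the following is an added Python model of the rule-selection semantics described in this thread. It is constructed for illustration and is not FreeIPA's own hbactest code; the rule shape (sets of users, hosts and services), the sample rules, and the treatment of --disabled as the mirror image of --enabled are assumptions.

```python
"""Constructed model of HBAC test-rule selection (not FreeIPA's implementation).

Cases from the thread:
  1. no option            -> evaluate all enabled rules
  2. --rules only         -> evaluate only the named rules
  3. --rules + --enabled  -> evaluate all enabled rules plus the named ones
Names in --rules that do not exist are reported as "invalid".
"""
from dataclasses import dataclass, field


@dataclass
class HbacRule:
    name: str
    enabled: bool
    users: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    services: set = field(default_factory=set)

    def matches(self, user, host, service):
        # A rule grants access only if user, host and service all match.
        return user in self.users and host in self.hosts and service in self.services


def select_rules(rules, rule_names=None, enabled=False, disabled=False):
    """Return (rules to evaluate, names from --rules that do not exist)."""
    by_name = {r.name: r for r in rules}
    names = list(rule_names or [])
    invalid = [n for n in names if n not in by_name]
    if not names and not enabled and not disabled:
        enabled = True  # default (case 1) implies --enabled
    selected = {}  # dict keeps insertion order and de-duplicates
    for r in rules:
        # --disabled selecting disabled rules is an assumption by analogy with --enabled
        if (enabled and r.enabled) or (disabled and not r.enabled):
            selected[r.name] = r
    for n in names:  # --rules additionally enables the named rules (cases 2 and 3)
        if n in by_name:
            selected[n] = by_name[n]
    return list(selected.values()), invalid


def simulate(rules, user, host, service, rule_names=None, enabled=False, disabled=False):
    """Evaluate access and produce the per-rule breakdown that --detail would show."""
    selected, invalid = select_rules(rules, rule_names, enabled, disabled)
    matched = [r.name for r in selected if r.matches(user, host, service)]
    notmatched = [r.name for r in selected if not r.matches(user, host, service)]
    return {
        "access_granted": bool(matched),
        "matched": matched,        # rules that granted access
        "notmatched": notmatched,  # rules that were evaluated but denied
        "invalid": invalid,        # names that do not correspond to any rule
    }


def format_detail(result):
    """Render the result the way a --detail listing might read."""
    lines = ["Access granted: %s" % ("True" if result["access_granted"] else "False")]
    for label in ("matched", "notmatched", "invalid"):
        for name in result[label]:
            lines.append("  %-10s %s" % (label, name))
    return "\n".join(lines)


# Constructed sample rules for the demonstration.
SAMPLE_RULES = [
    HbacRule("allow_sshd", True, {"alice", "bob"}, {"web1"}, {"sshd"}),
    HbacRule("new_ftp_rule", False, {"alice"}, {"web1"}, {"ftpd"}),   # not yet in production
    HbacRule("old_rule", False, {"bob"}, {"web1"}, {"sshd"}),
]

if __name__ == "__main__":
    # Case 1: default, the disabled ftp rule is not considered, so alice is denied ftpd.
    print(format_detail(simulate(SAMPLE_RULES, "alice", "web1", "ftpd")))
    # Case 3: production rules plus the candidate rule; alice is now granted via new_ftp_rule.
    print(format_detail(simulate(SAMPLE_RULES, "alice", "web1", "ftpd",
                                 rule_names=["new_ftp_rule"], enabled=True)))
```

Running the block prints the case 1 and case 3 breakdowns for the constructed rules; the "invalid" line is what you see when a name in --rules does not exist.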
