#943 Validate HBAC rules for completeness
Closed: Fixed. Opened 10 years ago by rcritten.

The current Python bindings for the HBAC evaluator library return HBAC_EVAL_DENY if an incomplete rule is presented.

We've found that people have a hard time crafting that first HBAC rule because there are so many required pieces and it takes multiple steps to create one.

I think it would be helpful if we could generate an exception saying "Rule x is missing y" so they know the rule will never work.


The logic should be added at the library level first, then exposed in the bindings.

Being an ABI change, this should REALLY be done before we have our first official release of the library. So making this a blocker for 1.6.0.

component: SSSD => IPA Provider
milestone: NEEDS_TRIAGE => SSSD 1.6.0
priority: major => blocker

Fields changed

owner: somebody => sgallagh
status: new => assigned

Library has added a validator routine with a72e928

Reassigning to Jakub to finish up the python bindings.

owner: sgallagh => jhrozek
patch: 0 => 1
status: assigned => new
summary: RFE: raise exception when incomplete HBAC rule is evaluated => Validate HBAC rules for completeness

The Python bindings were committed to master in 1e710ac

resolution: => fixed
status: new => closed

Backported to sssd-1-5

- 84b3c3c55b0aea0fef56c82fd3917f915797964b
- d5a40850e1b9b5647a6f6cbfe59cb83403a03b37

milestone: SSSD 1.6.0 => SSSD 1.5.12

Fields changed

rhbz: => 0

Metadata Update from @rcritten:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.5.12

4 years ago

SSSD is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in SSSD's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/1985

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for any inconvenience.