#570 SUDO UI and CLI discrepancies
Closed: Fixed. Opened 13 years ago by dpal.

There are some differences with the current SUDO CLI implementation.

  1. The UI needs a rule status with values active & inactive. The CLI
    doesn't have this attribute. HBAC has ipaenabledflag attribute which
    can be managed using hbac-enable/disable operations.

  2. The UI needs a user category for the "Who" section. The CLI doesn't
    have this attribute. HBAC has usercategory attribute which can be
    managed using hbac-add/mod operations.

  3. The UI needs a host category for the "Access this host" section. The
    CLI doesn't have this attribute. HBAC has hostcategory attribute
    which can be managed using hbac-add/mod operations.

  4. The UI needs separate allow-command and deny-command categories for
    the "Run Command(s)" section. The CLI only has a single cmdcategory.

  5. The UI needs separate run-as-user and run-as-group categories for
    the "As Whom" section. The UI also needs a way to manage the list of
    users/groups for the run-as-user, and the list of groups for the
    run-as-group. The CLI doesn't have these attributes or operations.

  6. According to ticket #534, the UI needs to support adding external
    user, groups, and host. The current CLI doesn't seem to accept
    external values.

This blocks https://fedorahosted.org/freeipa/ticket/534.


In order to address #4 we will need to expand the schema to account for allowcmdcategory and denycmdcategory:

  1. The UI needs separate allow-command and deny-command categories for
    the "Run Command(s)" section. The CLI only has a single cmdcategory.

The cli can be coded to anticipate this change, but cannot fully take advantage of it until the schema is available.

Replying to [comment:2 jraquino]:

In order to address #4 we will need to expand the schema to account for allowcmdcategory and denycmdcategory:

  1. The UI needs separate allow-command and deny-command categories for
    the "Run Command(s)" section. The CLI only has a single cmdcategory.

The cli can be coded to anticipate this change, but cannot fully take advantage of it until the schema is available.

Item 4 is correctly addressed in its current cli implementation. The command category attribute is implied as a permit when specifying cmdcategory=all, and is implied as a deny all if no data is present.

From Dmitri Pal:
Schema is correct. I do not know about CLI - do not have time to check
myself before tomorrow. But CLI should follow the logic I pasted in the
email.
The UI should follow the same logic I pasted below and this is what now
is reflected in the UI design.

If no memberAllowCmd, memberDenyCmd or cmdCategory attribute is
specified - no command is allowed.
If cmdCategory is specified (only value is "all") all other
attributes are ignored and all commands are allowed.
If cmdCategory is not specified:

    If memberAllowCmd is specified it defines commands or groups of
    the commands that are allowed.
    If memberDenyCmd is specified it defines commands or groups of
    the commands that are not allowed.
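The command-evaluation logic quoted above, worked through as an added example (not code from the ticket or from FreeIPA itself). The command-group membership table, the command/command-group DN layout and the three sudorule entries are constructed for the example; the one point the ticket leaves open, a command listed as both allowed and denied, is treated as denied (an assumption).

```python
# Constructed command-group membership (assumed DN layout, not from the ticket):
# command-group DN -> set of command DNs.
CMD_GROUPS = {
    "cn=netadmin,cn=sudocmdgroups,cn=sudo,dc=example,dc=com": {
        "sudocmd=/sbin/ifconfig,cn=sudocmds,cn=sudo,dc=example,dc=com",
        "sudocmd=/sbin/ip,cn=sudocmds,cn=sudo,dc=example,dc=com",
    },
}

# Constructed sudorule entries in the LDIF style shown later in the ticket.
RULE_NETADMIN = """
dn: ipaUniqueID=00000000-0000-0000-0000-000000000001,cn=sudorules,dc=example,dc=com
cn: netadmin
memberAllowCmd: cn=netadmin,cn=sudocmdgroups,cn=sudo,dc=example,dc=com
memberDenyCmd: sudocmd=/sbin/ip,cn=sudocmds,cn=sudo,dc=example,dc=com
"""
RULE_ALL = "dn: ipaUniqueID=00000000-0000-0000-0000-000000000002,cn=sudorules,dc=example,dc=com\ncn: anything\ncmdCategory: all\n"
RULE_EMPTY = "dn: ipaUniqueID=00000000-0000-0000-0000-000000000003,cn=sudorules,dc=example,dc=com\ncn: nothing\n"


def parse_entry(ldif):
    """Parse one LDIF entry into {lowercased attribute: [values]}."""
    entry = {}
    for line in ldif.strip().splitlines():
        if ":" in line:
            attr, value = line.split(":", 1)
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def expand(dns):
    """Flatten command DNs and command-group DNs into a set of command DNs."""
    cmds = set()
    for dn in dns:
        cmds |= CMD_GROUPS.get(dn, {dn})
    return cmds


def command_allowed(entry, cmd_dn):
    """Decide whether cmd_dn may run under this rule, per the ticket's logic.
    Assumption: a command listed as both allowed and denied is denied."""
    allow = entry.get("memberallowcmd", [])
    deny = entry.get("memberdenycmd", [])
    category = entry.get("cmdcategory", [])
    if not (allow or deny or category):
        return False            # nothing specified: no command is allowed
    if category and category[0].lower() == "all":
        return True             # cmdCategory=all: every other attribute ignored
    if cmd_dn in expand(deny):
        return False            # deny list (or deny group) wins
    return cmd_dn in expand(allow)
```

Note that the "deny-all when nothing is specified" branch is what makes a rule with only a run-as user and no command attributes harmless, which is the behaviour the ticket relies on.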

Attached is the patch to provide cli support for external hosts and users.

This is accomplished similarly to the netgroup plugin.

If the plugin is given a hostname/user that does not exist in the directory, the plugin will then assume that the user had intended for these objects to be inserted as 'external' entities. It accomplishes this in a post_callback.

Just like the netgroup plugin, this introduces a possible caveat where someone could mistype a user/host and have it inserted as an external entry, but the CLI attempts to reflect this in its output clearly stating that an External User or External Host has been added.

Please review.
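The external-entity fallback described in this comment, and the mistyping caveat it raises, as an added example (not the plugin's own code). The directory snapshot is constructed, the notice text only imitates the CLI's "External User/Host added" output, and the audit function is an added check, not something the patch provides: it reports external values that coincide (ignoring case) with a real directory entry, which is the signature of a typo or of an account created after the rule.

```python
# Constructed directory snapshot (assumed, not from the ticket): users and
# hosts that exist in the IPA tree.
DIRECTORY = {
    "users": {"admin", "testuser", "alice"},
    "hosts": {"host1.example.com", "host2.example.com"},
}


def classify_members(kind, names, directory=DIRECTORY):
    """Split requested names the way the comment describes the post_callback:
    names found in the directory become members, the rest become external.
    Returns (members, external, notices); kind is "users" or "hosts"."""
    known = directory[kind]
    members = [n for n in names if n in known]
    external = [n for n in names if n not in known]
    label = "External User" if kind == "users" else "External Host"
    notices = ["%s added: %s" % (label, n) for n in external]  # imitates CLI output
    return members, external, notices


def suspicious_externals(entry, directory=DIRECTORY):
    """Added audit check for the mistyping caveat: report externalUser or
    externalHost values that match a directory entry ignoring case. entry is
    {lowercased attribute: [values]} as read from the sudorule."""
    findings = []
    for attr, kind in (("externaluser", "users"), ("externalhost", "hosts")):
        known_lower = {k.lower(): k for k in directory[kind]}
        for value in entry.get(attr, []):
            match = known_lower.get(value.lower())
            if match is not None:
                findings.append((attr, value, match))
    return findings
```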

Here is a sample sudorule containing external entries:
Contained herein are externaluser and externalhost, as well as sudorunas and sudorunasgroup:

dn: ipaUniqueID=8a9103b8-06cc-11e0-b481-8a3d259cb0b9,cn=sudorules,dc=example,dc=com
objectClass: ipaassociation
objectClass: ipasudorule
ipaEnabledFlag: TRUE
cn: tester
ipaUniqueID: 8a9103b8-06cc-11e0-b481-8a3d259cb0b9
ipaSudoRunAs: uid=admin,cn=users,cn=accounts,dc=example,dc=com
ipaSudoRunAsGroup: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
externalUser: testuser
externalHost: host1.example.com

Here is the final patch for sudorule external host and user support.
This patch also adds support for adding/removing IpaSudoOpt values. (We somehow missed this till the last hour.)

This addresses item #6 in ticket 570: (https://fedorahosted.org/freeipa/ticket/570)
(This ticket is remarked as critical and has a note: This blocks https://fedorahosted.org/freeipa/ticket/534.)

I have included modifications to the sudoplugin.py xmlrpc test to simplify review.

Please review and push.

Patch ack'ed and pushed to master.
Ticket marked as closed.
Commit # fc8f7f9

There is a problem with item #5.

Currently we have the following attributes:

  • ipasudorunasusercategory : Run-as user category
  • ipasudorunas_user : Usernames of the run-as users
  • ipasudorunasgroupcategory : Run-as group category
  • ipasudorunasgroup_group : Groupnames of the run-as groups

What's missing is:

  • ipasudorunas_group : Groupnames of the run-as users

Also, the following command only takes a --users parameter.

  • sudorule-add-runasuser
  • sudorule-remove-runasuser

They should also take a --groups parameter for the ipasudorunas_group.

A minor issue: to be consistent with the run-as groups, it might be better to use ipasudorunasuser_ instead of just ipasudorunas_.

There is a problem with item #6.

Currently we have the corresponding external attributes for the following attributes:
- memberuser_user -> externaluser
- memberhost_host -> externalhost

What's missing is the corresponding external attributes for the following attributes:
- memberuser_group
- memberhost_hostgroup

The latest spec doesn't seem to require external attributes for the following attributes:
- ipasudorunas_user
- ipasudorunas_group
- ipasudorunasgroup_group

Please disregard my last comment about item #6. There's a problem with the spec, the current implementation is correct, there's only externaluser and externalhost.

The issue with item #5 is still valid.

Fix for #5 and external runas users, groups, compat, and corresponding tests
freeipa-jraquino-0013-fix-sudorule-runas-user-groups.patch

Patch has been acked and pushed to master. #5 has now been addressed.

commit 1ea31a0
Author: Jr Aquino jr.aquino@citrix.com
Date: Fri Jan 7 15:29:00 2011 -0800

And

commit fc8f7f9
Author: Jr Aquino jr.aquino@citrix.com
Date: Fri Dec 17 08:29:33 2010 -0800

commit ced639e
Author: Jr Aquino jr.aquino@citrix.com
Date: Mon Dec 13 10:00:59 2010 -0800

commit b23b391
Author: Jr Aquino jr.aquino@citrix.com
Date: Mon Dec 13 07:38:09 2010 -0800

Metadata Update from @dpal:
- Issue assigned to jraquino
- Issue set to the milestone: FreeIPA 2.0 - 2011/01 (cleanup)

7 years ago