Bug 62518 - Denying a specific user puts incorrect config in sssd.conf
Status: RESOLVED FIXED
Product: realmd
Classification: Unclassified
Component: General
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: Stef Walter
Depends on: 60628
Reported: 2013-03-19 11:47 UTC by Kaushik
Modified: 2013-04-26 14:33 UTC

Attachments
Use a dollar sign as our simple_allow_users placeholder (2.51 KB, patch)
2013-04-12 11:50 UTC, Stef Walter
Clarify realm permit/deny commands (10.38 KB, patch)
2013-04-12 11:50 UTC, Stef Walter
Don't print usage info when invalid options (715 bytes, patch)
2013-04-12 11:50 UTC, Stef Walter
Use a dollar sign as our simple_allow_users placeholder (2.09 KB, patch)
2013-04-12 12:22 UTC, Stef Walter

Description Kaushik 2013-03-19 11:47:21 UTC
Denying specific user puts incorrect config of simple_allow_users in sssd.conf

On executing "realm deny SSSDAD\\tuser2", sssd.conf has:
simple_allow_users = ,

Functionally, this configuration denies not just tuser2 but all users.
Comment 1 Stef Walter 2013-04-12 10:50:39 UTC
Good point. 

realmd doesn't actually manage a deny list for accounts. Will change around the 'realm' command options to make this more clear.
Comment 2 Stef Walter 2013-04-12 11:50:27 UTC
Created attachment 77866
Use a dollar sign as our simple_allow_users placeholder

We have to use a placeholder to get sssd to recognize that the
simple_allow_users is to allow no users to login.

Simo recommended using a dollar sign instead of a comma.
Comment 3 Stef Walter 2013-04-12 11:50:33 UTC
Created attachment 77867
Clarify realm permit/deny commands

 * Deny is not able to add specific users to a blacklist.
 * Add --withdraw options for removing users from the permitted list
 * Compatibility to fall through with previous behavior
 * Better messages when arguments are invalid
Comment 4 Stef Walter 2013-04-12 11:50:38 UTC
Created attachment 77868
Don't print usage info when invalid options

When a realm command prints out a failure about invalid options it
gets lost near the top of the big usage information. This was
frustrating, until now.
Comment 5 Stef Walter 2013-04-12 12:22:18 UTC
Created attachment 77872
Use a dollar sign as our simple_allow_users placeholder

Fix a regression in the parsing with this second patch.
Comment 6 Stef Walter 2013-04-12 14:37:58 UTC
Yassir, this is another patch I would appreciate review of.
Comment 7 Stef Walter 2013-04-17 07:21:41 UTC
Attachment 77867 pushed as a66334e - Clarify realm permit/deny commands
Attachment 77872 pushed as ef9404f - Use a dollar sign as our simple_allow_users placeholder

These are things that may cause confusion on the test day. Since this is unrelated to the internal service code paths, I've looked these over again, and pushed without further review.
Comment 8 Stef Walter 2013-04-26 14:33:46 UTC
Attachment 77868 pushed as 8f69db6 - Don't print usage info when invalid options
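
An added example, not part of the bug thread and not realmd or sssd code: a small audit that reads an sssd.conf and flags domains whose simple_allow_users holds only the comma or dollar-sign placeholder discussed in the description and comment 2, the state the report says denies all users. The domain names and account names in the sample are constructed, and other access options (for example group allow lists) are not evaluated.

```python
import configparser

# Tokens left after splitting on commas that are not account names:
# the empty strings produced by a lone "," and the "$" placeholder.
PLACEHOLDER_TOKENS = {"", "$"}

def allowed_users(value):
    """Split a simple_allow_users value into real account names."""
    names = [n.strip() for n in value.split(",")]
    return [n for n in names if n not in PLACEHOLDER_TOKENS]

def audit_sssd_conf(text):
    """Map each simple-provider domain section to (status, users)."""
    cfg = configparser.RawConfigParser(strict=False)  # no interpolation of "$"
    cfg.read_string(text)
    findings = {}
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        if cfg.get(section, "access_provider", fallback="").strip() != "simple":
            continue
        value = cfg.get(section, "simple_allow_users", fallback="").strip()
        if not value:
            findings[section] = ("unset", [])
            continue
        users = allowed_users(value)
        findings[section] = ("users" if users else "placeholder-only", users)
    return findings

# Constructed sample configuration (not taken from the report).
SAMPLE = r"""
[sssd]
domains = a.example, b.example, c.example
[domain/a.example]
access_provider = simple
simple_allow_users = ,
[domain/b.example]
access_provider = simple
simple_allow_users = $
[domain/c.example]
access_provider = simple
simple_allow_users = SSSDAD\tuser1, SSSDAD\tuser3
"""

if __name__ == "__main__":
    for domain, (status, users) in audit_sssd_conf(SAMPLE).items():
        print(f"{domain}: {status} {users}")
```
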

