On Thu, Jun 09, 2011 at 09:34:51AM +0200, Jakub Hrozek wrote:
On 06/09/2011 09:31 AM, Jakub Hrozek wrote:
> On 06/07/2011 03:11 PM, Jakub Hrozek wrote:
>> On 06/07/2011 02:46 PM, Jakub Hrozek wrote:
>>> Hi,
>>>
>>> the attached patch provides a new python module "pyhbac" that
implements
>>> python bindings for the HBAC evaluator library.
>>>
>>> The patch depends on Stephen's last patches which are on review as of
>>> now, but the test suite passed, so I think the bindings can be reviewed
>>> in parallel.
>>>
>>> "make check" loads the built python module from tree by doing
some
>>> sys.path magic. If you'd like to experiment with the module yourself,
>>> you must either install it or set PYTHONPATH to $SSSD_BUILD_DIR/.libs
>>>
>>>
>>
>> btw when I started reading Stephen's patches I noticed that there is a
>> new subpackage libipa_hbac - the module should belong there.
>>
>> Also I left one FIXME in Makefile.am -- I'll fix these two issues with
>> any other that will come up during the review :-)
>>
>
> I've done enough changes so that the patch needs resending. I got rid of
> talloc in favor of Py_Malloc - it would be wasteful if just the bindings
> dragged in talloc and I places the module in libipa_hbac-python subpackage.
>
And now with the patch attached.
Another revision that reflects the recent changes is attached.
The C evaluate() function passes the hbac_info structure on either success
or failure as an output parameter. The python equivalent returns just
an integer status code and sets a new HbacRequest attribute "rule_name"
to the name of the rule that matched on success or to None in case of
access denial or error.