On 11/06/2012 11:07 PM, Dmitri Pal wrote:
On 11/06/2012 02:09 PM, Simo Sorce wrote:
> On Tue, 2012-11-06 at 14:00 -0500, Stephen Gallagher wrote:
>> On Tue 06 Nov 2012 01:54:46 PM EST, Dmitri Pal wrote:
>>> On 11/06/2012 01:45 PM, Simo Sorce wrote:
>>>> • If all lists are empty, access is granted
>>>> • If any list is provided, the order of evaluation is
>>>> allow,deny. This means that any matching deny rule will
>>>> supersede any matched allow rule.
>>>> • If either or both "allow" lists are provided, all
>>>> users are denied unless they appear in the list.
>>>> • If only "deny" lists are provided, all users are
>>>> granted access unless they appear in the list.
>> <snip>
>>> Following the first bullet in man page "if all lists are empty the
>>> access is granted".
>>> It works as advertised right?
>>> So I do not see why anything needs to be changed then.
>>>
>> Yeah, that phrasing certainly seems to make it pretty clear that
>> 'simple_allow_users = ' is an empty list. I would prefer that we not
>> change the meaning of this because it *would* be a
>> backwards-incompatible change. This strikes me as something we could
>> stick in a FAQ somewhere: "Be wary if you are using automated tools to
>> generate this option. Specifying no values here is equivalent to
>> omitting the option entirely. If you really want to specify no users
>> are allowed, it's preferable to use 'access_provider = deny'."
> Agreed, let's kill off this thread and the proposal.
> Sorry Ondrej and Stef, seems like changing this is just not desirable.
>
> Simo.
>
ack. IMO it should be just clarified in the man page.
patch for manpage attached
O.
--
Ondrej Kos
Associate Software Engineer
Identity Management
Red Hat Czech
phone: +420-532-294-558
cell: +420-736-417-909
ext: 82-62558
loc: 1013 Brno 1 office
irc: okos @ #brno
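
The evaluation rules quoted in this thread can be turned into a configuration audit. The following is an added example, not part of the original messages or of SSSD itself: it parses a constructed sssd.conf sample and reports, per domain using the simple access provider, which rule applies, flagging options that are present but empty. The function names and the sample domains are assumptions made for illustration.

```python
import configparser
# Options of the SSSD simple access provider (see sssd-simple(5)).
ALLOW_OPTS = ("simple_allow_users", "simple_allow_groups")
DENY_OPTS = ("simple_deny_users", "simple_deny_groups")

# Constructed sample, as an automated tool might generate it.
SAMPLE_CONF = """
[domain/corp]
access_provider = simple
simple_allow_users =

[domain/lab]
access_provider = simple
simple_allow_users = alice, bob
simple_deny_users = bob

[domain/open]
access_provider = simple
"""

def _items(section, name):
    # A missing option and an empty option both yield an empty list.
    return [v.strip() for v in section.get(name, "").split(",") if v.strip()]

def audit(conf_text):
    """Return {domain: finding} for domains with access_provider = simple."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = {}
    for name in cp.sections():
        sec = cp[name]
        if not name.startswith("domain/") or sec.get("access_provider") != "simple":
            continue
        allow = any(_items(sec, o) for o in ALLOW_OPTS)
        deny = any(_items(sec, o) for o in DENY_OPTS)
        blank = [o for o in ALLOW_OPTS + DENY_OPTS if o in sec and not _items(sec, o)]
        if not allow and not deny:
            finding = "all users granted"  # rule 1: all lists empty
            if blank:
                finding += " (empty option present: %s)" % ", ".join(blank)
        elif allow:
            finding = "default deny, allow list applies, deny rules win"
        else:
            finding = "default allow, deny list applies"
        findings[name[len("domain/"):]] = finding
    return findings

if __name__ == "__main__":
    for domain, finding in audit(SAMPLE_CONF).items():
        print(domain, "->", finding)
```

A domain flagged with an empty option is the case discussed above: if the intent was to allow nobody, 'access_provider = deny' is the setting to use.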