Hi, the attached patch provides a new python module "pyhbac" that implements python bindings for the HBAC evaluator library. The patch depends on Stephen's last patches which are on review as of now, but the test suite passed, so I think the bindings can be reviewed in parallel. "make check" loads the built python module from tree by doing some sys.path magic. If you'd like to experiment with the module yourself, you must either install it or set PYTHONPATH to $SSSD_BUILD_DIR/.libs

On 06/07/2011 03:11 PM, Jakub Hrozek wrote: > On 06/07/2011 02:46 PM, Jakub Hrozek wrote: >> Hi, >> >> the attached patch provides a new python module "pyhbac" that implements >> python bindings for the HBAC evaluator library. >> >> The patch depends on Stephen's last patches which are on review as of >> now, but the test suite passed, so I think the bindings can be reviewed >> in parallel. >> >> "make check" loads the built python module from tree by doing some >> sys.path magic. If you'd like to experiment with the module yourself, >> you must either install it or set PYTHONPATH to $SSSD_BUILD_DIR/.libs >> >> > > btw when I started reading Stephen's patches I noticed that there is a > new subpackage libipa_hbac - the module should belong there. > > Also I left one FIXME in Makefile.am -- I'll fix these two issues with > any other that will come up during the review :-) > I've done enough changes so that the patch needs resending. I got rid of talloc in favor of Py_Malloc - it would be wasteful if just the bindings dragged in talloc and I places the module in libipa_hbac-python subpackage.

On Thu, Jun 09, 2011 at 09:34:51AM +0200, Jakub Hrozek wrote: > On 06/09/2011 09:31 AM, Jakub Hrozek wrote: > > On 06/07/2011 03:11 PM, Jakub Hrozek wrote: > >> On 06/07/2011 02:46 PM, Jakub Hrozek wrote: > >>> Hi, > >>> > >>> the attached patch provides a new python module "pyhbac" that implements > >>> python bindings for the HBAC evaluator library. > >>> > >>> The patch depends on Stephen's last patches which are on review as of > >>> now, but the test suite passed, so I think the bindings can be reviewed > >>> in parallel. > >>> > >>> "make check" loads the built python module from tree by doing some > >>> sys.path magic. If you'd like to experiment with the module yourself, > >>> you must either install it or set PYTHONPATH to $SSSD_BUILD_DIR/.libs > >>> > >>> > >> > >> btw when I started reading Stephen's patches I noticed that there is a > >> new subpackage libipa_hbac - the module should belong there. > >> > >> Also I left one FIXME in Makefile.am -- I'll fix these two issues with > >> any other that will come up during the review :-) > >> > > > > I've done enough changes so that the patch needs resending. I got rid of > > talloc in favor of Py_Malloc - it would be wasteful if just the bindings > > dragged in talloc and I places the module in libipa_hbac-python subpackage. > > > > And now with the patch attached. Another revision that reflects the recent changes is attached. The C evaluate() function passes the hbac_info structure on either success or failure as an output parameter. The python equivalent returns just an integer status code and sets a new HbacRequest attribute "rule_name" to the name of the rule that matched on success or to None in case of access denial or error.

On Fri, 2011-07-08 at 13:20 -0400, Stephen Gallagher wrote: > On Sat, 2011-07-02 at 01:27 +0200, Jakub Hrozek wrote: > > On Thu, Jun 09, 2011 at 09:34:51AM +0200, Jakub Hrozek wrote: > > > On 06/09/2011 09:31 AM, Jakub Hrozek wrote: > > > > On 06/07/2011 03:11 PM, Jakub Hrozek wrote: > > > >> On 06/07/2011 02:46 PM, Jakub Hrozek wrote: > > > >>> Hi, > > > >>> > > > >>> the attached patch provides a new python module "pyhbac" that implements > > > >>> python bindings for the HBAC evaluator library. > > > >>> > > > >>> The patch depends on Stephen's last patches which are on review as of > > > >>> now, but the test suite passed, so I think the bindings can be reviewed > > > >>> in parallel. > > > >>> > > > >>> "make check" loads the built python module from tree by doing some > > > >>> sys.path magic. If you'd like to experiment with the module yourself, > > > >>> you must either install it or set PYTHONPATH to $SSSD_BUILD_DIR/.libs > > > >>> > > > >>> > > > >> > > > >> btw when I started reading Stephen's patches I noticed that there is a > > > >> new subpackage libipa_hbac - the module should belong there. > > > >> > > > >> Also I left one FIXME in Makefile.am -- I'll fix these two issues with > > > >> any other that will come up during the review :-) > > > >> > > > > > > > > I've done enough changes so that the patch needs resending. I got rid of > > > > talloc in favor of Py_Malloc - it would be wasteful if just the bindings > > > > dragged in talloc and I places the module in libipa_hbac-python subpackage. > > > > > > > > > > And now with the patch attached. > > > > Another revision that reflects the recent changes is attached. > > > > The C evaluate() function passes the hbac_info structure on either success > > or failure as an output parameter. The python equivalent returns just > > an integer status code and sets a new HbacRequest attribute "rule_name" > > to the name of the rule that matched on success or to None in case of > > access denial or error. > > > Ack. Pushed to master.