On 10/06/2014 10:33 AM, Jan Cholasta wrote:
> On 3.10.2014 at 17:02, Martin Kosek wrote:
>> On 10/03/2014 04:59 PM, Jan Cholasta wrote:
>>> On 3.10.2014 at 16:47, Petr Vobornik wrote:
>>>> On 3.10.2014 16:24, Martin Kosek wrote:
>>>>> NACK. I will not comment on mechanics, if you get an ACK from Honza, it
>>>>> is good enough. I just do not like the API. It is hard to guess what
>>>>> "host-add-retrieve-keytab" means. That word does not even make much
>>>>> sense.
>>>>>
>>>>> Can we use something more readable? For example:
>>>>>
>>>>> ipa host-add-allowed-operation HOSTNAME --operation read_keys
>>>>> --users=STR --groups STR
>>>>> ipa host-add-allowed-operation HOSTNAME --operation write_keys
>>>>> --users=STR --groups STR
>>>>>
>>>>> and
>>>>>
>>>>> ipa host-remove-allowed-operation HOSTNAME --operation read_keys
>>>>> --users=STR --groups STR
>>>>> ipa host-remove-allowed-operation HOSTNAME --operation write_keys
>>>>> --users=STR --groups STR
>>>>>
>>>>> Same with services. At least to me, it looks more readable.
>>>>>
>>>>> Thanks,
>>>>> Martin
>>>>>
>>>>
>>>> Seems to me as adding of allowed operation. Not allowing an operation.
>>>
>>> +1
>>>
>>>>
>>>> What about:
>>>>
>>>> ipa host-allow-retrieve-keytab HOSTNAME --users=STR --groups STR
>>>> ipa host-disallow-retrieve-keytab HOSTNAME --users=STR --groups STR
>>>> ipa host-allow-create-keytab HOSTNAME --users=STR --groups STR
>>>> ipa host-disallow-create-keytab HOSTNAME --users=STR --groups STR
>>>
>>> I like these the best. Maybe with a -to or -by suffix.
>>>
>>>>
>>>> or if we expect more operations in a future:
>>>>
>>>> ipa host-allow-operation HOSTNAME --operation read-keys --users=STR
>>>> --groups STR
>>>> ipa host-disallow-operation HOSTNAME --operation read-keys --users=STR
>>>> --groups STR
>>>> ipa host-allow-operation HOSTNAME --operation write-keys --users=STR
>>>> --groups STR
>>>> ipa host-disallow-operation HOSTNAME --operation write-keys --users=STR
>>>> --groups STR
>>>>
>>>> or if we want to keep 'add' and 'remove' in command names:
>>>>
>>>> ipa host-add-retrieve-keytab-right HOSTNAME --users=STR --groups=STR
>>>> ipa host-add-create-keytab-right HOSTNAME --users=STR --groups=STR
>>>> ipa host-remove-retrieve-keytab-right HOSTNAME --users=STR --groups=STR
>>>> ipa host-remove-create-keytab-right HOSTNAME --users=STR --groups=STR
>>>>
>>>>
>>>> personally I'm not a fan of the --operation switch, but could be
>>>> persuaded by a 'future' usage.
>>>
>>> Not a fan either, because it is not consistent with the rest of the
>>> framework.
>>> Also, non-optional options are not really options.
>>
>> Right. Though mandatory options is a concept already existing in FreeIPA
>> framework in many places.
>
> That does not make it right.

Right :-)

>> What I see as a deal breaker is that with
>> --operation switch, we are ready for dozens of potential future
>> operations. With operation hardcoded in command name, we are not.
>
> I don't see dozens of operations coming in the near future, there's no need
> for a premature optimization like this.

My point was that it will be difficult to switch from having per-operation commands to one general command for all operations later, however far the future is.

Given there is no clear agreement on the API (ipa host-allow-operation vs. host-allow-read-keytab+host-allow-write-keytab) yet, I would like to ask Rob or Simo for their opinion/vote here too so that we can select an approach and go with it.

Martin
