canonical / hotsos

Software analysis toolkit. Define checks in high-level language and leverage library to perform analysis of common Cloud applications.
Apache License 2.0

scenario: check if "ldap_use_tokengroups" is enabled for ad domains #902

Closed xmkg closed 5 months ago

xmkg commented 5 months ago

Added a new sssd plugin to retrieve a list of domains that ldap_use_tokengroups is enabled for. Added a new scenario to issue a warning when an sssd domain is using the "ad" id provider and ldap_use_tokengroups is not explicitly disabled.

Fixes #890
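The check described in this pull request, sketched as a standalone Python function. This is an added example, not code from the pull request or from hotsos; the function name, the sample config, and the choice to honour the `domains` list in `[sssd]` are assumptions.

```python
import configparser

# Constructed sample sssd.conf (not taken from the pull request).
SAMPLE_SSSD_CONF = """
[sssd]
domains = corp.example.com, lab.example.com, files.example.com

[domain/corp.example.com]
id_provider = ad

[domain/lab.example.com]
id_provider = ad
ldap_use_tokengroups = False

[domain/files.example.com]
id_provider = ldap

[domain/old.example.com]
id_provider = ad
"""


def ad_domains_with_tokengroups(conf_text, only_active=True):
    """Return AD domains where ldap_use_tokengroups is not explicitly false."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(conf_text)
    # Assumption: honour the "domains" list in [sssd] when it is present.
    active = None
    if only_active and cfg.has_option("sssd", "domains"):
        raw = cfg.get("sssd", "domains")
        active = {d.strip() for d in raw.split(",") if d.strip()}
    flagged = []
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        name = section[len("domain/"):]
        if active is not None and name not in active:
            continue
        if cfg.get(section, "id_provider", fallback="").strip().lower() != "ad":
            continue
        value = cfg.get(section, "ldap_use_tokengroups", fallback=None)
        # Unset counts as enabled here, matching "not explicitly disabled".
        if value is None or value.strip().lower() != "false":
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    print(ad_domains_with_tokengroups(SAMPLE_SSSD_CONF))
```

Passing `only_active=False` also reports domain sections that are defined but not listed under `[sssd]`.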

dosaboy commented 5 months ago

I'd like to hear your thoughts on this but I feel that instead of creating a new plugin for "auth", this might fit better in the existing "system" plugin. My rationale for this is mainly that authentication in this context is really a function of the system and not the individual applications for which we have independent plugins. I also feel that regardless, the output of this new addition should appear immediately after (if not within) the "system:" output and currently it is going to be right at the end after "kernel:" at plugin_root_index 15. So at the very least we'd need to shift all plugin_root_index by one and put this new one at plugin_root_index 2 OR we just incorporate this into the system plugin. Thoughts?

xmkg commented 5 months ago

> I'd like to hear your thoughts on this but I feel that instead of creating a new plugin for "auth", this might fit better in the existing "system" plugin. My rationale for this is mainly that authentication in this context is really a function of the system and not the individual applications for which we have independent plugins. I also feel that regardless, the output of this new addition should appear immediately after (if not within) the "system:" output and currently it is going to be right at the end after "kernel:" at plugin_root_index 15. So at the very least we'd need to shift all plugin_root_index by one and put this new one at plugin_root_index 2 OR we just incorporate this into the system plugin. Thoughts?

I was unsure that sssd would fit into that category but since you've confirmed that "system" is intended to be used the way you've described, we can just put it there. I'll make the changes.

xmkg commented 5 months ago

> we just incorporate this into the system plugin

@dosaboy done