canonical / hotsos

Software analysis toolkit. Define checks in high-level language and leverage library to perform analysis of common Cloud applications.
Apache License 2.0

scenario: check if "ldap_use_tokengroups" is enabled for ad domains #902

Closed mustafakemalgilor closed 1 week ago

mustafakemalgilor commented 3 weeks ago

Added a new sssd plugin to retrieve a list of domains that ldap_use_tokengroups is enabled for. Added a new scenario to issue a warning when an sssd domain is using the "ad" id provider and ldap_use_tokengroups is not explicitly disabled.

Fixes #890
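
The check described in the PR description above, as an added standalone Python sketch (not the PR's code and not hotsos's plugin or scenario API): it flags sssd.conf domains whose id_provider is "ad" and where ldap_use_tokengroups is not explicitly set to false. The sample configuration, its domain names and the function name are constructed for illustration, and only the text passed in is inspected.

```python
import configparser

# Constructed sample sssd.conf for illustration (not from the PR).
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = corp.example, lab.example, legacy.example, dir.example

[domain/corp.example]
id_provider = ad

[domain/lab.example]
id_provider = ad
ldap_use_tokengroups = False

[domain/legacy.example]
id_provider = ad
ldap_use_tokengroups = true

[domain/dir.example]
id_provider = ldap
"""

DOMAIN_PREFIX = "domain/"


def ad_domains_with_tokengroups(conf_text):
    """Return "ad" domains lacking an explicit ldap_use_tokengroups = false."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    flagged = []
    for section in parser.sections():
        if not section.startswith(DOMAIN_PREFIX):
            continue
        opts = parser[section]
        if opts.get("id_provider", "").strip() != "ad":
            continue
        value = opts.get("ldap_use_tokengroups")
        # An unset option is flagged too: the scenario only accepts an
        # explicit "false" (matched case-insensitively, an assumption here).
        if value is None or value.strip().lower() != "false":
            flagged.append(section[len(DOMAIN_PREFIX):])
    return flagged


if __name__ == "__main__":
    for name in ad_domains_with_tokengroups(SAMPLE_SSSD_CONF):
        print(f"WARNING: sssd domain {name!r} uses id_provider=ad and "
              "ldap_use_tokengroups is not explicitly disabled")
```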

dosaboy commented 3 weeks ago

I'd like to hear your thoughts on this but I feel that instead of creating a new plugin for "auth", this might fit better in the existing "system" plugin. My rationale for this is mainly that authentication in this context is really a function of the system and not the individual applications for which we have independent plugins. I also feel that regardless, the output of this new addition should appear immediately after (if not within) the "system:" output and currently it is going to be right at the end after "kernel:" at plugin_root_index 15. So at the very least we'd need to shift all plugin_root_index by one and put this new one at plugin_root_index 2 OR we just incorporate this into the system plugin. Thoughts?

mustafakemalgilor commented 2 weeks ago

> I'd like to hear your thoughts on this but I feel that instead of creating a new plugin for "auth", this might fit better in the existing "system" plugin. My rationale for this is mainly that authentication in this context is really a function of the system and not the individual applications for which we have independent plugins. I also feel that regardless, the output of this new addition should appear immediately after (if not within) the "system:" output and currently it is going to be right at the end after "kernel:" at plugin_root_index 15. So at the very least we'd need to shift all plugin_root_index by one and put this new one at plugin_root_index 2 OR we just incorporate this into the system plugin. Thoughts?

I was unsure that sssd would fit into that category but since you've confirmed that "system" is intended to be used the way you've described, we can just put it there. I'll make the changes.

mustafakemalgilor commented 2 weeks ago

> we just incorporate this into the system plugin

@dosaboy done