[krbdev.mit.edu #9120] profile final flag limitations
Greg Hudson via RT
rt-comment at kerborg-prod-app-1.mit.edu
Fri Apr 12 16:57:12 EDT 2024
Fri Apr 12 16:57:12 2024: Request 9120 was acted upon.
Transaction: Ticket created by ghudson at mit.edu
Queue: krb5
Subject: profile final flag limitations
Owner: Nobody
Requestors: ghudson at mit.edu
Status: new
Ticket <URL: http://kerborg-prod-app-1.mit.edu/rt/Ticket/Display.html?id=9120 >
The profile library supports setting the final flag on a node by placing a "*"
character after the tag part of an assignment or after a close bracket (for a
section) or a brace (for a subsection). The general idea is to ignore further
assignments to the section, subsection, or relation. There are two important
limitations of the final flag implementation which render it minimally useful:

1. It is only checked when deciding whether to proceed from one file data
   object to the next during node iteration. It does not suppress further
   assignments within the same profile file, or within files included via
   "include" or "includedir" directives.

2. Although there is support for setting the flag on relations, it has no
   effect there; it only works on sections and subsections.

Additionally, there is no way to set the final flag via the profile write APIs
(profile_add_relation() etc.), only via parsing. This may not matter in some
ideal interpretations of the profile model, as write operations could be
taken to apply strictly post-parsing. It does matter if profile writes
continue to affect only the first file in a multi-file profile, or if we add
the ability to compose profiles.
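
The three placements of "*" and the two limitations described in the ticket, laid out as a two-file profile. This is an added illustration, not part of the original ticket; the realm names, host names, file paths and the KRB5_CONFIG ordering are constructed placeholders.

```ini
# Constructed example. Assumed environment:
#   KRB5_CONFIG=/etc/krb5.conf:/etc/krb5.local.conf

# ---- /etc/krb5.conf (first file) ----

# "*" after the close bracket: final section.
[libdefaults]*
    default_realm = EXAMPLE.COM

[realms]
# "*" after the tag part of the assignment: final subsection.
    EXAMPLE.COM* = {
        kdc = kdc1.example.com
    }
# "*" after the closing brace: also a final subsection.
    EXAMPLE.ORG = {
        kdc = kdc1.example.org
    }*
# "*" on a relation inside a non-final subsection: the flag is set by
# the parser, but per limitation 2 it has no effect.
    EXAMPLE.NET = {
        kdc* = kdc1.example.net
    }

# Limitation 1: this is the same file, so the final flag on the first
# [libdefaults] does not suppress this later assignment.
[libdefaults]
    dns_lookup_kdc = true

# ---- /etc/krb5.local.conf (second file) ----

# Ignored: [libdefaults] was marked final in the earlier file.
[libdefaults]
    default_realm = OTHER.EXAMPLE

[realms]
# Ignored: this subsection was marked final in the earlier file.
    EXAMPLE.COM = {
        kdc = kdc2.example.com
    }
# Not ignored: only the kdc relation carried the flag in the earlier
# file, and the flag does nothing on relations.
    EXAMPLE.NET = {
        kdc = kdc2.example.net
    }
```

When a final section is relied on to pin settings against later files, the first file and anything it pulls in through "include" or "includedir" still have to be reviewed for repeated sections, since those are not suppressed.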