RFE: Add an option to exclude sensitive attributes from the retro changelog DB #4701
Comments
This RFE will allow a user to exclude attributes from the retro changelog db. After an add/delete/modify/modrdn operation an entry is added to the "cn=changelog" suffix, reflecting the operation. The changes for this issue will exclude specified attributes from the changelog entry; also the operation changestring will be modified to "hide" the excluded attributes. Here are two examples of a modify operation before and after this change:
Before
Decoded changestring
After (With homePhone attribute excluded)
Decoded changestring
I'm currently looking into how these changes will impact syncrepl, I would appreciate any help with answering these questions:
NOTE:
@jchapma , sync_repl uses the retrochangelog to detect any change on an entry and send it back to the sync_repl client if the entry matches the sync_repl filter. The RFE mentioned the ability to exclude attributes and it looks enough for me. Obfuscating values can be more complex because you will need to set a value matching the attribute syntax.
@tbordaz
Description: When the retro changelog plugin is enabled it writes the added/modified values to the "cn-changelog" suffix. In some cases an entry's attribute values can be of a sensitive nature and should be excluded. This RFE adds functionality that will allow an admin to exclude certain attributes from the retro changelog DB. Relates: 389ds#4701 Reviewed by: mreynolds389, droideck (Thanks folks)
Description: When the retro changelog plugin is enabled it writes the added/modified values to the "cn-changelog" suffix. In some cases an entry's attribute values can be of a sensitive nature and should be excluded. This RFE adds functionality that will allow an admin to exclude certain attributes from the retro changelog DB. Relates: #4701 Reviewed by: mreynolds389, droideck (Thanks folks)
@jchapma is it okay to close it?
@jchapma This needs to be cherry picked down to 1.4.3 please
…4746) Description: When the retro changelog plugin is enabled it writes the added/modified values to the "cn-changelog" suffix. In some cases an entry's attribute values can be of a sensitive nature and should be excluded. This RFE adds functionality that will allow an admin to exclude certain attributes from the retro changelog DB. Relates: #4701 Reviewed by: mreynolds389, droideck (Thanks folks)
This introduced a compiler warning:
please fix...
Description: An unused variable generates a compiler warning. Fix description: Remove unused variable. Modify CI test to restart the test instance instead of using dynamic plugins. Fixes: 389ds#4750 Relates: 389ds#4701 Reviewed by: jchapma (One line commit rule)
Description.
A user has requested functionality that will allow an admin to exclude certain attributes from the retro changelog suffix.
Solution
Add an option that allows an admin to exclude attributes from the retro changelog db:
These attributes will be added to the cn=Retro Changelog Plugin,cn=plugins,cn=config dn:
When the post op plugin is called the retrocl plugin will query the server for excluded attributes and exclude them from the retro changelog db. Similar to the exclude suffix functionality.
Additional context
https://bugzilla.redhat.com/show_bug.cgi?id=1850664
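The filtering this issue asks for, sketched as an added example (not code from the issue or from the 389-ds plugin, which is written in C): it drops the mod blocks for excluded attributes from a decoded modify changestring. The function names, the sample changestring and the choice to drop the blocks entirely are assumptions; the page does not show the exact form the plugin emits. Only modify changestrings are handled.

```python
import re

# Constructed sample: a decoded "changes" value for a modify operation.
# The third block carries an attribute option and a base64 ("::") value.
SAMPLE_CHANGES = (
    "replace: homePhone\n"
    "homePhone: +1 555 0100\n"
    "-\n"
    "add: description\n"
    "description: moved to building 4,\n"
    "  second floor\n"
    "-\n"
    "replace: HomePhone;lang-en\n"
    "HomePhone;lang-en:: KzEgNTU1IDAxMDE=\n"
    "-\n"
)

_MOD_HEADER = re.compile(r"^(add|delete|replace):\s*(\S+)\s*$", re.I)

def base_attr(name):
    """Attribute type without options (';lang-en', ';binary'), lower-cased."""
    return name.split(";", 1)[0].lower()

def split_mods(changes):
    """Split an LDIF mod-spec string into blocks; a bare '-' line ends a block."""
    blocks, current = [], []
    for line in changes.splitlines():
        if line == "-":  # folded value lines start with a space, so never match
            blocks.append(current)
            current = []
        else:
            current.append(line)
    if current:
        blocks.append(current)
    return [b for b in blocks if b]

def exclude_attrs(changes, excluded):
    """Return (filtered_changes, removed_attrs) with excluded mod blocks dropped.

    Assumption: an excluded attribute's whole block is removed, so neither its
    name nor its value reaches the changelog entry.
    """
    excluded = {a.lower() for a in excluded}
    kept, removed = [], []
    for block in split_mods(changes):
        m = _MOD_HEADER.match(block[0])
        if m and base_attr(m.group(2)) in excluded:
            removed.append(m.group(2))
            continue
        kept.append("\n".join(block) + "\n-\n")
    return "".join(kept), removed
```

Matching on the base attribute type, case-insensitively, is what keeps `HomePhone;lang-en` from slipping past an exclusion written as `homephone`.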