[Freeipa-devel] Time-Based Account Policies - Feature Proposal

Stanislav Láznička slaz at seznam.cz
Wed Apr 15 14:07:39 UTC 2015


Hi,

I have prepared a feature proposal for the wiki. I followed the Feature 
Proposal Template; the chapter "How to Test" is currently missing, so 
it might rather be considered a draft. Please see it, I hope it's alright.

The text:

Overview
FreeIPA currently lacks any temporal settings in the HBAC rules. 
However, controlling access to a host during repeating time periods might be a 
desirable feature. The administrator of a given environment should be 
able to set the times at which a host may be accessed in either the host's local 
time, the time of a specific time zone, or UTC. Host-local-time policies would 
allow the access window to follow the host as it moves across 
different time zones. A time bound to a specific time zone is more 
transparent than local time, as it does not change with the host 
traveling. Sometimes it may also be important to set the time in UTC. This 
is a rather strict setting that does not reflect daylight saving time.

Use Cases
1. A host changes its position on the globe quite often and needs to be 
accessible at certain times reflecting its current time zone.
2. A host should only be accessible at certain times given by a specific 
time zone. The access repeats in a pattern, such as three times a week 
at the same time, except for once a year when regular maintenance takes place.

Design
The time-based account policies are an extension to the current (April 
2015) HBAC plugin. It assumes that the time is correctly set on 
all hosts across the system via NTP.

Time Scenarios
This extension is designed so that it understands time in three 
different views. These are: host local time, time at a certain time 
zone, and UTC.

Host Local Time
The host-local-time approach is meant for hosts that are likely 
to move across different time zones where, for some reason, it is important 
that the times at which they can be accessed reflect their current position. This 
allows a single HBAC rule where multiple rules would be needed if only 
time zone or UTC rules were available. The time of a host is computed using 
the /etc/timezone information of that host. Testing such a rule 
requires the tester to specify the time zone the rule is 
tested against.
It is important to note that this type of policy may bring some 
unexpected behavior as hosts move across the globe, or even within a single 
hostgroup when it contains hosts from multiple time zones, and the 
administrator should be very sure they want to use this.

Time Zones
In this approach, the time is understood as the time in a specific time 
zone. This is useful when the time settings should reflect a 
specific time zone, e.g. because the host or the users connecting to it are 
located in that time zone. The time zone offset used to compute the time 
of access is taken from the Olson database, so daylight 
saving time is also taken into account.

UTC
Sometimes the rules should apply at a fixed time that is the same for 
the whole globe throughout the year. That is why UTC should also be 
supported.

Time Policies Storage
The time policies should be stored with each HBAC rule that applies 
such a policy. This extension is designed so that the LDAP schema does 
not have to be changed.

The time policies are stored in the accessTime attribute of the HBAC 
rule object. The policy is a string in the form of a tuple: (anchor, time). 
In this tuple, the anchor is one of "host", "utc" or an Olson database time 
zone name, such as "Europe/Prague". The meaning of the anchor follows 
the time scenarios from this design. The time part of the policy tuple 
is the time range of the policy.

The language of the time half of the time policy tuple is inspired by 
the time part of Bind Rules in 389 Directory Server. Aside from the Bind 
Rules keywords timeofday and dayofweek, it adds the keywords dayofmonth, 
weekofmonth, monthofyear and year. There are three operators: assignment 
("="), range ("-") and union (","). The assignment operator is used after 
each of the keywords above to specify the value of that keyword. 
The range operator may be used to set ranges of hours, days, months 
etc. The resulting range includes both boundaries. The union 
operator is used when the keyword should contain a union of values 
rather than a range. It can also be used to make a union of ranges.

Possible values of each keyword:
timeofday       0000-2359
dayofweek       Mon, Tue, Wed, Thu, Fri, Sat, Sun
dayofmonth      1-31
weekofmonth     1-5
monthofyear     Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec
year            a year

Example:
(host, timeofday="0800-1200, 1230-1600" dayofweek="Mon-Thu, Sat")
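As an added illustration (not FreeIPA code), the following Python evaluates a single-block (anchor, time) policy of the kind shown above against a UTC instant: it parses the keyword="value" pairs with the "-" and "," operators, shifts the instant to the anchor's clock ("host", "utc" or an Olson name), and checks every keyword. The mapping of weekofmonth to ceil(day/7) is an assumption, since the proposal does not define it, and the and/or/except combinators are not handled.

```python
import re
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
KEYWORDS = {"timeofday", "dayofweek", "dayofmonth", "weekofmonth", "monthofyear", "year"}
POLICY_RE = re.compile(r'^\(\s*([^,\s]+)\s*,\s*(.*)\)\s*$', re.S)  # (anchor, time)
TOKEN_RE = re.compile(r'(\w+)="([^"]*)"')                           # keyword="value"

def _value(keyword, text):
    """Map one value token to an integer so range bounds can be compared."""
    text = text.strip()
    if keyword == "dayofweek":
        return DAYS.index(text)           # ValueError on an unknown day name
    if keyword == "monthofyear":
        return MONTHS.index(text) + 1
    return int(text)                       # "0800" -> 800; dayofmonth, weekofmonth, year

def parse_block(block):
    """Parse 'kw="v" kw="v"' into {kw: [(lo, hi), ...]}; unknown keywords are rejected."""
    spec = {}
    for kw, val in TOKEN_RE.findall(block):
        if kw not in KEYWORDS:
            raise ValueError("unknown keyword: %s" % kw)
        ranges = []
        for part in val.split(","):            # "," is the union operator
            lo, _, hi = part.partition("-")    # "-" is the range operator, both ends inclusive
            a = _value(kw, lo)
            b = _value(kw, hi) if hi else a
            if a > b:
                raise ValueError("descending range in %s: %r" % (kw, part.strip()))
            ranges.append((a, b))
        spec[kw] = ranges
    return spec

def block_matches(block, when):
    """Every keyword present must admit `when`: keywords are ANDed, a keyword's values ORed."""
    fields = {"timeofday": when.hour * 100 + when.minute, "dayofweek": when.weekday(),
              "dayofmonth": when.day, "weekofmonth": (when.day - 1) // 7 + 1,  # assumption
              "monthofyear": when.month, "year": when.year}
    return all(any(lo <= fields[kw] <= hi for lo, hi in ranges)
               for kw, ranges in parse_block(block).items())

def policy_allows(policy, iso_utc):
    """Evaluate an '(anchor, time)' policy at a UTC instant given as 'YYYY-MM-DDTHH:MM'."""
    anchor, block = POLICY_RE.match(policy).groups()   # AttributeError if not a tuple
    when = datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc)
    # "utc" keeps the clock; "host" (None) means the evaluating host's zone; else an Olson name
    tz = timezone.utc if anchor == "utc" else None if anchor == "host" else ZoneInfo(anchor)
    return block_matches(block, when.astimezone(tz))
```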

Similarly to Bind Rules, it is possible to write a time policy as a 
longer expression using the "and" and "or" logical operators. In this 
case, each separate block of the policy should appear in parentheses. 
It is also possible to add time exceptions to the policy. This is 
done using the except() block, which should appear only once in the 
time policy and should enclose all time exceptions for the policy.

Example:

((timeofday="0800-1600" dayofweek="Mon-Wed") or (timeofday="1600-2400" 
dayofweek="Wed-Thu")) except (dayofmonth="4" monthofyear="July")

Feature Management
UI
The UI of HBAC rules should now include a new bar for adding time 
policies, similar to the user, host and service bars. Rather than "Any 
time" and a specified time, there should be the options "Any time", "UTC", 
"Host-local time" and "Specified timezone", with a time zone selection 
tool (similar to the one in GNOME Date & Time Settings). The user should be 
able to add multiple time policies to an HBAC rule, with the same behavior 
as adding users, services and hosts. Multiple policies would be combined 
with a logical OR.

The view for adding a policy should contain a text area for the time 
policy string. Above this area there should be a hint 
explaining the policy syntax. The format of the time policy should be 
checked when the submit button is pressed.

CLI
Time policies on the CLI would be set in a similar manner to the UI. 
The administrator needs to specify how the time should be understood 
("host", "utc", or an Olson time zone name) and the time of access according 
to the syntax described above:

ipa hbac-set-accesstime-anchor anchor
ipa hbac-add-accesstime time
ipa hbac-remove-accesstime num

When using the CLI to set access times, the default anchor should 
probably be UTC; setting the anchor with each new time policy might get 
confusing, as the anchor should change for all the policies of that 
HBAC rule. When removing a time policy, it makes sense to 
remove it by its list position among the other policies.
