[Freeipa-devel] Time-Based Account Policies

Stanislav Laznicka slaznick at redhat.com
Mon Aug 3 08:55:07 UTC 2015 

Hi,

I have made some changes to the structure of the HBAC time rules 
extension, namely the code that validates the time rules' strings was 
moved from the ipalib/parameters to the hbacrule module itself, and a 
more "fresh" approach was used in code for methods of adding/removing 
time policies to HBAC rules.

A slight change was made to understanding a week in a month. The change 
follows the Java implementation of a week in a month as suggested by 
Petr V., given a week starts on Monday (=1; iso 8601). More on that on 
the previously mentioned link

https://docs.oracle.com/javase/8/docs/api/java/time/temporal/WeekFields.html

What this change means is that a first week in a month is a week that 
contains at least 4 days. If it has less days, it's 0-th week (probably 
better than having it belong to the previous month as some sources also 
suggest - iso 8601 does not have a definition for a week in month but it 
has a definition for a week in a year).

I had Jan C. check the current implementation of the FreeIPA side for 
the time-based policies and it seems to work as is. He created official 
number identifiers for the 2 new LDAP attributeTypes, too. \o/

I was also going through some old mockups for the WebUI Petr V. sent me 
earlier last month. It brought some questions worth sharing here.

1. Do we need time rules based on the day and week of the year? 
Currently, there is no such option as dayofyear or weekofyear in the 
rules language, although adding it should not be that much of a problem. 
I did not include them as it seemed more convenient to set the data as 
combinations of dayofmonth and monthofyear values.

2. Should we add dayofyear and weekofyear, a possible need for 
"intervals" might be required. An "interval" is a behavior from the 
iCalendar format. It basically functions as range() in Python, although 
with possible 'infinite' end. Example: should you have a recurrence rule 
on daily basis with interval=2, a rule would apply on every other day. 
This is kind of a question of keeping it easy and light or heading a way 
of robust implementation during which dragons may appear, although with 
a tiny tiny possibility of a golden treasure in the end.

3. The mockups for HBAC time policies show quite a wizard-like UI. While 
I might be very wrong here, I was thinking of rather a simple UI where 
user would be able to set the values for each of the rule keywords 
(timeofday, dayofweek, ...) directly in some text input fields with 
possible help of JavaScript, that would add text description to the user 
input (e.g. "Monday to Friday" with user input "1-5" at the dayofweek 
input field).

4. Do we want some special settings for "absolute" time policies 
(policies that start and end at certain time in year)? The issue now 
would be that some of such rules would have to be broken down in more 
than one time rule (e.g. rule starting at a certain time of a day in a 
month in one year and ending at a certain time, day and month of a 
different year might get broken down to up to 6 rules if I count right). 
This could actually be solved by a UI wizard-like setting where the user 
gets to pick the dates and times of the rule, a conversion method would 
need to be created and such a thing would then work for the CLI, too. 
Still, usually more than one time rule would be created for such cases.

Thanks for keeping up with me and my long emails. I am a terrible person 
for that and I hope I will be able to cut them short in the future.

Cheers,
Standa
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-stlaz-0001-Added-time-based-policies-types-to-LDAP-schema.patch
Type: text/x-patch
Size: 3072 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150803/0d4429ae/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-stlaz-0002-Added-methods-for-setting-time-based-policies.patch
Type: text/x-patch
Size: 30759 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150803/0d4429ae/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-stlaz-0003-Created-basic-UI-for-setting-time-policies-at-HBAC-r.patch
Type: text/x-patch
Size: 17682 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150803/0d4429ae/attachment-0002.bin>

More information about the Freeipa-devel mailing list