[Freeipa-devel] Time-Based Account Policies

Alexander Bokovoy abokovoy at redhat.com
Mon Aug 3 09:45:34 UTC 2015 

On Mon, 03 Aug 2015, Stanislav Laznicka wrote:
>Hi,
>
>I have made some changes to the structure of the HBAC time rules 
>extension, namely the code that validates the time rules' strings was 
>moved from the ipalib/parameters to the hbacrule module itself, and a 
>more "fresh" approach was used in code for methods of adding/removing 
>time policies to HBAC rules.
Thanks for the advances. :)

>A slight change was made to understanding a week in a month. The 
>change follows the Java implementation of a week in a month as 
>suggested by Petr V., given a week starts on Monday (=1; iso 8601). 
>More on that on the previously mentioned link
>
>https://docs.oracle.com/javase/8/docs/api/java/time/temporal/WeekFields.html
>
>What this change means is that a first week in a month is a week that 
>contains at least 4 days. If it has less days, it's 0-th week 
>(probably better than having it belong to the previous month as some 
>sources also suggest - iso 8601 does not have a definition for a week 
>in month but it has a definition for a week in a year).
Sounds fine.

>I had Jan C. check the current implementation of the FreeIPA side for 
>the time-based policies and it seems to work as is. He created 
>official number identifiers for the 2 new LDAP attributeTypes, too. 
>\o/
>
>I was also going through some old mockups for the WebUI Petr V. sent 
>me earlier last month. It brought some questions worth sharing here.
>
>1. Do we need time rules based on the day and week of the year? 
>Currently, there is no such option as dayofyear or weekofyear in the 
>rules language, although adding it should not be that much of a 
>problem. I did not include them as it seemed more convenient to set 
>the data as combinations of dayofmonth and monthofyear values.
In business circles it is increasingly common to refer to events by
their week numbers, especially in logistics and factory delivery.

See http://www.cl.cam.ac.uk/~mgk25/iso-time.html for some details at the
end of 'Date' section.


>2. Should we add dayofyear and weekofyear, a possible need for 
>"intervals" might be required. An "interval" is a behavior from the 
>iCalendar format. It basically functions as range() in Python, 
>although with possible 'infinite' end. Example: should you have a 
>recurrence rule on daily basis with interval=2, a rule would apply on 
>every other day. This is kind of a question of keeping it easy and 
>light or heading a way of robust implementation during which dragons 
>may appear, although with a tiny tiny possibility of a golden treasure 
>in the end.
Yes, I think intervals are required.

>3. The mockups for HBAC time policies show quite a wizard-like UI. 
>While I might be very wrong here, I was thinking of rather a simple UI 
>where user would be able to set the values for each of the rule 
>keywords (timeofday, dayofweek, ...) directly in some text input 
>fields with possible help of JavaScript, that would add text 
>description to the user input (e.g. "Monday to Friday" with user input 
>"1-5" at the dayofweek input field).
With JavaScript support your wizard-like approach would still work
within the same page -- instead of moving 'next', you would need to
modify a number of available input fields based on selected items.
That's possible and I don't see much of trouble with it.

>4. Do we want some special settings for "absolute" time policies 
>(policies that start and end at certain time in year)? The issue now 
>would be that some of such rules would have to be broken down in more 
>than one time rule (e.g. rule starting at a certain time of a day in a 
>month in one year and ending at a certain time, day and month of a 
>different year might get broken down to up to 6 rules if I count 
>right). This could actually be solved by a UI wizard-like setting 
>where the user gets to pick the dates and times of the rule, a 
>conversion method would need to be created and such a thing would then 
>work for the CLI, too. Still, usually more than one time rule would be 
>created for such cases.
Same here.

-- 
/ Alexander Bokovoy

More information about the Freeipa-devel mailing list