[Freeipa-devel] Time-based account policies

Alexander Bokovoy abokovoy at redhat.com
Tue Mar 10 14:45:39 UTC 2015


On Tue, 10 Mar 2015, Martin Kosek wrote:
>On 03/10/2015 03:34 PM, Alexander Bokovoy wrote:
>> On Tue, 10 Mar 2015, Simo Sorce wrote:
>>> On Tue, 2015-03-10 at 14:54 +0100, Martin Kosek wrote:
>>>> On 03/09/2015 09:05 PM, Nathaniel McCallum wrote:
>>>> > On Mon, 2015-03-09 at 22:02 +0200, Alexander Bokovoy wrote:
>>>> >> On Mon, 09 Mar 2015, Simo Sorce wrote:
>>>> ...
>>>> >>> For some tasks 'local' is the only thing that makes sense (your
>>>> >>> morning alarm clock), for other things 'UTC' is the only thing
>>>> >>> that makes sense (coordinated changes across multiple distributed
>>>> >>> data centers).
>>>> >>>
>>>> >>> Implementing just one or the other is not useful.
>>>> >> Correct. At this point I think we are more or less in agreement that
>>>> >> we need to store time rules in UTC plus timezone correction
>>>> >> information specific to the execution context (HBAC rule, host,
>>>> >> etc). Handling 'UTC' rule is equivalent to selecting specific
>>>> >> timezone (GMT+0, for example) so this is a case of more general (UTC
>>>> >> time, timezone definition) pairs.
>>>> >>
>>>> >> This timezone definition may have aliases forcing HBAC interpretation
>>>> >> to use local machine defaults if needed but the general scheme stays
>>>> >> the same.
>>>> >
>>>> > Agreed.
>>>>
>>>> Alexander, can you please elaborate a bit more on the idea of storing the time
>>>> rules in UTC + timezone correction? I thought SSSD would take the time
>>>> zone information from the local system.
>>>>
>>>> The purpose is that admin can create rule like "Joe can interactively log in
>>>> from 8:00 to 17:00 on all machines across the globe". You cannot store the time
>>>> zone with such rule as the rule spans across many different time zones.
>>>> Right?
>>>
>>> Yes this is a rule expressed in "Local Time" which is a time-zone-less
>>> rule.
>> Yep, and timezone info for this rule is "Local Time" which is a timezone
>> that doesn't exist in Olson database and would be interpreted by SSSD
>> as "default server timezone".
>
>I still do not understand.
>
>With Local Time HBAC rule, I thought that the time zone information/setting
>would only exist on the local machine. Maybe if you provide example of exact
>setting that would be stored in LDAP and what should be the implications on the
>clients in different time zones, I would understand better.
Instead of a single time point in UTC we would have a pair (time,
tzinfo) where tzinfo is just a timezone info from Olson database
(tzdata). 'time' element would be expressed in UTC.

We would use Olson database to find out available timezones. If tzinfo
is 'Local Time', we simply record it this way in LDAP record and then
SSSD on the client would parse it in such way that instead of forcing TZ
to the tzinfo string it would use default /etc/localtime on the host.

-- 
/ Alexander Bokovoy
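An added example, not code from this thread or from FreeIPA/SSSD, of how a client could evaluate the (time window, tzinfo) pair described above: a real Olson zone name is applied as-is, while the 'Local Time' alias means "use the host's own zone" (what /etc/localtime gives). The TimeRule shape, function names, zone names and sample instants are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timezone
from zoneinfo import ZoneInfo

LOCAL_TIME = "Local Time"   # alias from the thread; not a real tzdata zone


@dataclass(frozen=True)
class TimeRule:
    start: time     # start of the allowed daily window
    end: time       # end of the allowed daily window
    tzinfo: str     # Olson zone name (e.g. "Europe/Prague") or LOCAL_TIME


def resolve_zone(rule_tz: str, host_local_tz: str) -> ZoneInfo:
    """Zone the rule is evaluated in: the host's own zone for LOCAL_TIME,
    otherwise the stored tzdata name (unknown names raise ZoneInfoNotFoundError,
    so a typo in LDAP fails closed instead of silently matching)."""
    name = host_local_tz if rule_tz == LOCAL_TIME else rule_tz
    return ZoneInfo(name)


def rule_matches(rule: TimeRule, instant: datetime, host_local_tz: str) -> bool:
    """True if a timezone-aware UTC instant falls inside the rule's window as
    seen in the resolved zone. Windows crossing midnight (22:00-06:00) work."""
    if instant.tzinfo is None:
        raise ValueError("instant must be timezone-aware (UTC)")
    local = instant.astimezone(resolve_zone(rule.tzinfo, host_local_tz)).time()
    if rule.start <= rule.end:
        return rule.start <= local < rule.end
    return local >= rule.start or local < rule.end   # wraps past midnight


def matches_at_utc(rule: TimeRule, iso_utc: str, host_local_tz: str) -> bool:
    """Convenience wrapper: iso_utc is a naive ISO timestamp taken as UTC."""
    instant = datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc)
    return rule_matches(rule, instant, host_local_tz)


# Constructed sample rules: "Joe may log in 08:00-17:00" in both flavours,
# plus a UTC night-shift window to exercise the midnight wrap.
business_hours_local = TimeRule(time(8), time(17), LOCAL_TIME)
business_hours_prague = TimeRule(time(8), time(17), "Europe/Prague")
night_shift_utc = TimeRule(time(22), time(6), "UTC")

if __name__ == "__main__":
    # 07:30 UTC on 2015-03-10 is 08:30 CET in Prague but 03:30 EDT in New York.
    for host in ("Europe/Prague", "America/New_York"):
        print(host, matches_at_utc(business_hours_local, "2015-03-10T07:30", host),
              matches_at_utc(business_hours_prague, "2015-03-10T07:30", host))
```

With the 'Local Time' rule the same UTC instant is allowed on the Prague host and denied on the New York host, whereas the Europe/Prague rule gives the same answer on every host.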