[Freeipa-devel] Time-based account policies

Martin Kosek mkosek at redhat.com
Tue Mar 10 16:22:24 UTC 2015


On 03/10/2015 05:18 PM, Alexander Bokovoy wrote:
> On Tue, 10 Mar 2015, John Dennis wrote:
>> On 03/10/2015 11:06 AM, Jakub Hrozek wrote:
>>>> We may need to use libraries for processing iCal rules, like libical
>>>> (http://koji.fedoraproject.org/koji/buildinfo?buildID=606329)...
>>>
>>> Is that what Alexander said, though? In his reply, I see:
>>>     "Parsing event information would produce a rule definition we would
>>>     store and SSSD would apply as HBAC rule".
>>>
>>> I don't think iCal dependency is something we want in SSSD, the
>>> rules should be converted from iCal to SSSD format in a layer atop
>>> libipa_hbac.
>>
>> But doesn't the iCal rule have to be evaluated in SSSD? If so that
>> requires linking against libical, right?
> That's why I'm saying we import iCal in IPA, not that we keep using iCal
> as internal representation of time/date information for HBAC rules.
> 
> I don't really want to impose iCal horror on the HBAC rule parsing engine.
> I believe we can do simpler and better, given HBAC is all about ALLOW
> rules on the basis of a default DENY action.

OK, but how do you want to define a rule such as

"Allow Joe to log in every Monday, except holidays (when the office is closed)"?

We can't just have IPA process the iCal and generate Allow ranges, as there is
an indefinite number of allow ranges. So if you want to describe a more complex
rule (a recurring rule with some exceptions, maybe), you end up with iCal anyway.
Or not?
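
The rule from the message above (every Monday, except holidays), written as an added example that is not code from this thread, FreeIPA or SSSD: a recurrence with exception dates can be checked at a single point in time under default DENY, while expanding it into explicit allow ranges never ends. The `RecurringAllow` shape, the `joe` account, the 08:00-18:00 window and the holiday date are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from itertools import islice

# Hypothetical rule shape for illustration only; this is neither the FreeIPA
# or SSSD schema nor iCal syntax.
@dataclass(frozen=True)
class RecurringAllow:
    user: str
    weekdays: frozenset                  # 0 = Monday ... 6 = Sunday (date.weekday())
    start: time                          # inclusive start of the daily window
    end: time                            # exclusive end of the daily window
    except_dates: frozenset = frozenset()  # days on which the rule does not apply

    def matches(self, user: str, when: datetime) -> bool:
        """Point-in-time check: needs no pre-expanded list of ranges."""
        return (user == self.user
                and when.weekday() in self.weekdays
                and when.date() not in self.except_dates
                and self.start <= when.time() < self.end)

    def ranges_from(self, first_day: date):
        """Expand into concrete (start, end) ranges; unbounded by construction."""
        day = first_day
        while True:
            if day.weekday() in self.weekdays and day not in self.except_dates:
                yield (datetime.combine(day, self.start),
                       datetime.combine(day, self.end))
            day += timedelta(days=1)


def is_allowed(rules, user: str, when: datetime) -> bool:
    """HBAC-style evaluation: default DENY, any matching ALLOW rule grants access."""
    return any(rule.matches(user, when) for rule in rules)


# Constructed sample data: 2015-04-06 is a Monday treated here as a holiday.
RULES = [RecurringAllow("joe", frozenset({0}), time(8, 0), time(18, 0),
                        frozenset({date(2015, 4, 6)}))]

def first_ranges(n: int):
    """Take only the first n ranges of the endless expansion."""
    return list(islice(RULES[0].ranges_from(date(2015, 3, 10)), n))

if __name__ == "__main__":
    print(is_allowed(RULES, "joe", datetime(2015, 3, 16, 9, 0)))  # ordinary Monday
    print(is_allowed(RULES, "joe", datetime(2015, 4, 6, 9, 0)))   # holiday Monday
    print([start.date().isoformat() for start, _ in first_ranges(4)])
```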



