[Freeipa-devel] Time-based account policies

Simo Sorce ssorce at redhat.com
Thu Mar 26 16:06:03 UTC 2015


On Thu, 2015-03-26 at 16:47 +0100, Martin Kosek wrote:
> On 03/26/2015 04:39 PM, Simo Sorce wrote:
> > On Thu, 2015-03-26 at 16:35 +0100, Martin Kosek wrote:
> >> On 03/26/2015 04:26 PM, Jan Cholasta wrote:
> > 
> > [...]
> >>> I don't see any point in storing time zone in the host object, if it's not used
> >>> for anything meaningful and has to be manually synchronized with the host's
> >>> actual configured time zone.
> >>
> >> It would be mostly used for aiding the HBAC rule creation process, i.e. for the
> >> UX. It would be optional. If you do not fill it, you would have to always
> >> select the right time zone when setting the UTC HBAC time.
> >>
> >> If you fill the zone, UI could already select the right time zone for you.
> > 
> > 
> > It will only help to do mistakes, how does the host object get to know
> > what is the host's timezone ? And in any case you generally create HBAC
> > rules using groups of hosts, what is the UI gonna do ? Crawl all the
> > hosts in a group and then ? Average add the most common time zone ?
> 
> Search hosts, gather all time zones and list them as choices or simply warn
> that there are more time zones and Local Time based rule is preferred? :-)
> 
> > Drop it please :)
> 
> If there is no one interested in it, we can drop it. Such UX improvement can
> also be added later, if there is a need.
> 
> > 
> >> Host's Local Time and UTC time are 2 different approaches how to set the time
> >> for the HBAC rule. With Local Time type, you would of course not have to deal
> >> with time zones. I thought this was already cleared out.
> > 
> > Sorry you confuse me, in which case do you need UTC ?
> > In case you want to set an absolute time  that doesn't change with DST ?
> 
> I am confused as well. Wasn't it you who expressed the need to have 2 different
> approaches for HBAC time rules - Local Time and fixed UTC time?

Not really, Olson is correct.

> Reference:
> http://www.redhat.com/archives/freeipa-devel/2015-March/msg00158.html

I see how the language I used may be confusing. But I was pointing out
only that you can't just do one or the other; you have to support all
these cases. I wasn't advocating using UTC as the "timezoned" option.

If I should choose I would support all three flavors:
- the special "Local Time" string
- the Olson database (Europe/Rome)
- absolute UTC offsets (UTC+4)

However I would not publicize the latter much in the UI, as it is rarely
what the admin really should do.

Simo.
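
The three flavors listed in the message above, evaluated against one constructed access window to show where they diverge. This is an added example, not part of the original post and not FreeIPA code; the rule tuple, the function names and the sample instants are assumptions made for illustration.

```python
import re
from datetime import datetime, time, timedelta, timezone
from zoneinfo import ZoneInfo  # Olson/IANA database, Python 3.9+

def resolve_zone(zone_spec, host_zone):
    """Map one of the three flavors to a tzinfo object."""
    if zone_spec == "Local Time":
        # Evaluated in whatever zone the enforcing host is configured with.
        return ZoneInfo(host_zone)
    m = re.fullmatch(r"UTC([+-])(\d{1,2})(?::(\d{2}))?", zone_spec)
    if m:
        # Absolute offset: never follows DST.
        delta = timedelta(hours=int(m.group(2)), minutes=int(m.group(3) or 0))
        return timezone(delta if m.group(1) == "+" else -delta)
    return ZoneInfo(zone_spec)  # Olson name such as Europe/Rome

def access_allowed(now_utc, rule, host_zone):
    """rule is a hypothetical (start, end, zone_spec) tuple, not FreeIPA's schema."""
    start, end, zone_spec = rule
    local = now_utc.astimezone(resolve_zone(zone_spec, host_zone))
    return start <= local.time() < end

# Constructed sample data: a 09:00-17:00 window and two instants,
# both of which read 09:30 on a wall clock in Rome.
WINTER = datetime(2015, 1, 15, 8, 30, tzinfo=timezone.utc)  # Rome is UTC+1
SUMMER = datetime(2015, 7, 15, 7, 30, tzinfo=timezone.utc)  # Rome is UTC+2
RULES = {flavor: (time(9), time(17), flavor)
         for flavor in ("Local Time", "Europe/Rome", "UTC+1")}

def evaluate(host_zone):
    """Return {flavor: (allowed_in_winter, allowed_in_summer)} for one host."""
    return {f: (access_allowed(WINTER, r, host_zone),
                access_allowed(SUMMER, r, host_zone)) for f, r in RULES.items()}

if __name__ == "__main__":
    for host in ("Europe/Rome", "America/New_York"):
        print(host, evaluate(host))
```

The fixed offset matches the Olson rule in winter and opens an hour late in summer, while "Local Time" gives a different answer on each host for the same instant.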



