[Freeipa-devel] [Update]Time-Based Account Policies

Martin Basti mbasti at redhat.com
Wed Nov 4 14:20:18 UTC 2015



On 04.11.2015 13:46, Stanislav Laznicka wrote:
> Hi,
>
> The fixed patches to Martin^2's and Jakub's reviews are almost ready, 
> there are just a few things left. Martin B. mentioned in his review 
> that '~' might not be the best delimiter for range values in the HBAC 
> time policies language as it is not commonly used for that purpose. I 
> started using it when the negative values were introduced (instead of 
> '-').
>
> The question here is, then, which delimiter would you rather use for 
> ranges? Some choices are ':', '..', and, obviously, '~' but you are 
> free to come up with your own. The delimiters '-' and ',' are not 
> suitable as their use is different here. However small this might seem 
> to be, let's be rigorous here and design it properly.
>
> Also, with some time, I got uncertain about one thing with the 
> 'repeat' keyword. What behaviour would you expect when 'repeat' is on 
> yearly repetition and 'dayofweek' is the only other thing set? RFC5545 
> (iCal) says:
> "
> Information, not contained in the rule, necessary to determine the
> various recurrence instance start time and dates are derived from
> the Start Time ("DTSTART") component attribute.  For example,
> "FREQ=YEARLY;BYMONTH=1" doesn't specify a specific day within the
> month or a time.  This information would be the same as what is
> specified for "DTSTART".
> "
> and also in an example
>
> "... if the BYMINUTE, BYHOUR, BYDAY,
>  BYMONTHDAY, or BYMONTH rule part were missing, the appropriate
>  minute, hour, day, or month would have been retrieved from the
>  "DTSTART" property.",
>
> but an example with BYDAY alone set with a day of week without 
> numerical specifier is missing so it is not clear if this would apply 
> to all specified weekdays of a certain month or the whole year. 
> Currently, I am using only the months' weekdays.
>
> --
> Standa Láznička

Hello,

we (Standa and I) had an offline discussion and I proposed the following idea:

1) Create a new entry in LDAP for the "time rule" instead of adding the time 
rule string directly into the HBACRule.
This will allow reusing time rules among various HBAC rules (and maybe 
in the future with sudo rules, etc.).
The HBACRule gets only a reference to the time rule entry stored in the LDAP db.

2) Do not create a new time format; just reuse iCal (the parts of iCal we 
need) to store the time rule in LDAP in the "time rule" entry.
(Or, if it is possible not to store the values as just one string, we can use 
different attributes to store the separate values; iCal can then be used as 
the export and import format.)

3) We may provide a nice CLI and web UI to construct/show a "time rule"; this 
may be more user-friendly than just passing a string containing the time 
data to the HBAC rule.

Martin^2
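The following is an added example, not code from FreeIPA or from either poster, to make the RFC 5545 question above concrete. It models only the RRULE parts the thread mentions (FREQ=YEARLY, BYMONTH, BYDAY without ordinal, BYMONTHDAY, BYHOUR), fills missing parts from DTSTART as section 3.3.10 of the RFC prescribes, and exposes the one ambiguous decision as a parameter, `byday_scope`, so both readings of a bare BYDAY on a yearly rule can be evaluated side by side. The function name, the parameter and the sample dates are assumptions constructed for the illustration; an access-control evaluator built on iCal rule parts would need the same explicit decision, because the RFC text leaves it open.

```python
"""Added example (not FreeIPA code): a minimal evaluator for the subset of
RFC 5545 RRULE parts discussed in the thread, showing how "missing parts
are derived from DTSTART" resolves when only BYDAY is set on a yearly rule.
"""
from datetime import datetime

# RFC 5545 weekday abbreviations, indexed by Python's weekday() (Monday == 0)
WEEKDAYS = ["MO", "TU", "WE", "TH", "FR", "SA", "SU"]


def parse_rrule(text):
    """Split 'FREQ=YEARLY;BYDAY=MO,WE' into {'FREQ': ['YEARLY'], 'BYDAY': ['MO', 'WE']}."""
    parts = {}
    for item in text.split(";"):
        key, _, value = item.partition("=")
        parts[key.strip().upper()] = value.upper().split(",") if value else []
    return parts


def matches(rrule, dtstart, when, byday_scope="month"):
    """Return True if `when` falls inside an instance of the yearly rule.

    byday_scope (assumed parameter) selects the reading of a bare BYDAY on a
    yearly rule: "month" restricts it to DTSTART's month (the behaviour the
    thread says is currently implemented), "year" accepts those weekdays in
    every month. Ordinal BYDAY values such as "1MO" are not modelled.
    """
    parts = parse_rrule(rrule)
    freq = parts.get("FREQ", ["YEARLY"])[0]
    if freq != "YEARLY":
        raise ValueError("only FREQ=YEARLY is modelled in this example")

    # Month: explicit BYMONTH wins; otherwise derive from DTSTART, unless the
    # caller chose the whole-year reading of a bare BYDAY.
    if "BYMONTH" in parts:
        months = {int(m) for m in parts["BYMONTH"]}
    elif "BYDAY" in parts and byday_scope == "year":
        months = set(range(1, 13))
    else:
        months = {dtstart.month}
    if when.month not in months:
        return False

    # Day: BYDAY (weekday names) or BYMONTHDAY; otherwise DTSTART's day of month.
    if "BYDAY" in parts:
        if WEEKDAYS[when.weekday()] not in parts["BYDAY"]:
            return False
    elif "BYMONTHDAY" in parts:
        if when.day not in {int(d) for d in parts["BYMONTHDAY"]}:
            return False
    elif when.day != dtstart.day:
        return False

    # Hour: explicit BYHOUR, otherwise DTSTART's hour.
    hours = {int(h) for h in parts["BYHOUR"]} if "BYHOUR" in parts else {dtstart.hour}
    return when.hour in hours


if __name__ == "__main__":
    # Constructed sample: rule starts Wed 2015-11-04 09:00, allows Mondays and Wednesdays.
    start = datetime(2015, 11, 4, 9)
    rule = "FREQ=YEARLY;BYDAY=MO,WE"
    may_monday = datetime(2016, 5, 2, 9)  # a Monday outside DTSTART's month
    print("month reading:", matches(rule, start, may_monday, "month"))  # False
    print("year reading: ", matches(rule, start, may_monday, "year"))   # True
```

Running it shows the two readings disagree for a Monday in May: the month reading (the current implementation) rejects it, the year reading accepts it. Whichever reading a time-rule entry stores, it should be recorded explicitly rather than left to the evaluator's default, since the difference decides whether an HBAC rule grants access on roughly 100 extra days per year.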