[Freeipa-devel] [Update]Time-Based Account Policies

Simo Sorce simo at redhat.com
Fri Nov 13 13:41:45 UTC 2015


On 11/11/15 09:30, Martin Basti wrote:
>
>
> On 11.11.2015 14:52, Martin Basti wrote:
>> Comments inline
>> Martin^2
>>
>> On 11.11.2015 09:24, Stanislav Laznicka wrote:
>>> On 11/05/2015 06:17 PM, Petr Spacek wrote:
>>>> On 4.11.2015 15:20, Martin Basti wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> we (Standa and I) had an offline discussion and I proposed the following idea:
>>>>>
>>>>> 1) create a new entry in LDAP for a "time rule" instead of adding the time rule
>>>>> string directly into the HBACRule.
>>>>> This will allow reusing time rules among various HBAC rules (and maybe in
>>>>> future with sudo rules, etc.)
>>>>> The HBAC rule gets only a reference to the time rule entry stored in the LDAP db.
>>>> Good idea! I can see time rule entry 'working hours in Brno office' which is
>>>> linked to relevant HBAC rules.
>>> This seems like a good idea. However, it might be a bit messy to have
>>> even the least significant rules stored in separate objects. But I
>>> agree. It brings some questions, though.
>> IMO having a separate entry for a time rule is cleaner than adding it
>> directly to the HBAC rule.

I really disagree, see below.

>>> Where would be a good spot to store these time rules?
>> As I originally thought that we could share time rules between HBAC,
>> SUDO and everything else, I couldn't have been more wrong.
>>
>> Example: an HBAC admin has permission to edit an HBAC rule, but doesn't
>> have permission to edit a SUDO rule. The HBAC admin should be able to
>> edit time rules for HBAC rules, and must not be able to edit time rules
>> of SUDO rules. Thus time rules must be separated between HBAC, SUDO
>> and others, and the privilege that gives the permission to modify an HBAC
>> rule must give permission to modify only HBAC time rules.
>>
>> I suggest adding HBAC time rules to the HBAC container.
> After IRC discussion with pspacek and jcholast:
>
> We should just create separate privileges for time rules and allow them
> to be shared.
> So they should be stored in a new container in LDAP.

I do not understand what this means.

And in general I am opposed to having a separate object on performance 
grounds (for clients) and also on the fact that it becomes tricky to 
keep objects in sync.

We then have to deal with cases where you delete a time object but an 
HBAC rule still references it, and also, when ensuring you have permissions to fully 
change an HBAC rule, you may end up in situations where you can change 
the HBAC rule for everything but the times (or vice versa).

So please, explain carefully what would require a separate time object.

On privileges alone I see no value in a separate privilege for time than 
for the HBAC object it applies to (preference for using the same 
object). I also see no technical reason to store the time rules for 
completely different stuff in the same tree.
Yes, there may be the odd case in which you want to have the same time 
rule for a sudo rule and an HBAC rule, we can make that easy in the 
interface by providing a "copy time rules from X" kind of interface.

Simo.



-- 
Simo Sorce * Red Hat, Inc * New York
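The following is an added illustration, not code from the thread or from FreeIPA: a small in-memory model of the "separate time rule entry" design under discussion, showing the two hazards Simo raises, an HBAC rule still referencing a deleted time rule, and the extra entry reads a client pays for the indirection. The objectClass `ipaTimeRule`, the DN-valued attribute `memberTimeRule`, the `timeRuleSpec` attribute and the sample DNs are all assumptions made up for this example.

```python
"""Added example (not from the thread or FreeIPA): model the dangling-reference
and lookup-cost problems of storing time rules as separate LDAP entries.
All attribute and objectClass names are assumptions for illustration."""
import copy
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]
Directory = Dict[str, Entry]

TIME_RULE_OC = "ipaTimeRule"   # hypothetical objectClass for a time rule entry
REF_ATTR = "memberTimeRule"    # hypothetical DN-valued attribute on HBAC rules

# Constructed sample directory: DN -> attributes.
SAMPLE: Directory = {
    "cn=working_hours,cn=timerules,dc=example,dc=test": {
        "objectClass": ["top", TIME_RULE_OC],
        "timeRuleSpec": ["weekly: Mon-Fri 08:00-18:00 Europe/Prague"],  # constructed
    },
    "cn=allow_ssh,cn=hbac,dc=example,dc=test": {
        "objectClass": ["top", "ipaHBACRule"],
        REF_ATTR: ["cn=working_hours,cn=timerules,dc=example,dc=test"],
    },
    "cn=allow_vpn,cn=hbac,dc=example,dc=test": {
        "objectClass": ["top", "ipaHBACRule"],
        # The second reference points at a time rule that no longer exists.
        REF_ATTR: [
            "cn=working_hours,cn=timerules,dc=example,dc=test",
            "cn=on_call,cn=timerules,dc=example,dc=test",
        ],
    },
}


def fresh_directory() -> Directory:
    """A private, mutable copy of the constructed sample."""
    return copy.deepcopy(SAMPLE)


def referrers(directory: Directory, time_rule_dn: str) -> List[str]:
    """DNs of entries that reference the given time rule."""
    return sorted(dn for dn, attrs in directory.items()
                  if time_rule_dn in attrs.get(REF_ATTR, []))


def dangling_references(directory: Directory) -> List[Tuple[str, str]]:
    """(rule_dn, missing_dn) pairs whose target is absent or not a time rule."""
    found = []
    for dn, attrs in directory.items():
        for ref in attrs.get(REF_ATTR, []):
            target = directory.get(ref)
            if target is None or TIME_RULE_OC not in target.get("objectClass", []):
                found.append((dn, ref))
    return sorted(found)


def delete_time_rule(directory: Directory, dn: str, cascade: bool = False) -> int:
    """Delete a time rule entry. Refuses while rules still reference it unless
    cascade=True, in which case the references are scrubbed first (the kind of
    referential-integrity work a separate object forces on the server).
    Returns the number of references cleaned up."""
    users = referrers(directory, dn)
    if users and not cascade:
        raise ValueError(f"{dn} is still referenced by: {', '.join(users)}")
    for rule_dn in users:
        directory[rule_dn][REF_ATTR].remove(dn)
    del directory[dn]
    return len(users)


def resolve_time_specs(directory: Directory, rule_dn: str) -> Tuple[List[str], int]:
    """Time specs that apply to an HBAC rule, plus the number of extra entry
    reads the client needed (the per-client cost of the indirection).
    A dangling reference silently contributes nothing, which is the hazard."""
    specs: List[str] = []
    reads = 0
    for ref in directory[rule_dn].get(REF_ATTR, []):
        reads += 1
        target = directory.get(ref)
        if target is None:
            continue
        specs.extend(target.get("timeRuleSpec", []))
    return specs, reads


if __name__ == "__main__":
    d = fresh_directory()
    print("dangling:", dangling_references(d))
    print("allow_vpn resolves to:", resolve_time_specs(d, "cn=allow_vpn,cn=hbac,dc=example,dc=test"))
```

With the inline design (time string stored on the HBAC rule itself) neither `dangling_references` nor the extra reads in `resolve_time_specs` exist: deleting the rule deletes its times, and a client reads one entry.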
