[Freeipa-devel] [Update]Time-Based Account Policies
Martin Basti
mbasti at redhat.com
Fri Nov 13 15:17:13 UTC 2015
On 13.11.2015 14:41, Simo Sorce wrote:
> On 11/11/15 09:30, Martin Basti wrote:
>>
>>
>> On 11.11.2015 14:52, Martin Basti wrote:
>>> Comments inline
>>> Martin^2
>>>
>>> On 11.11.2015 09:24, Stanislav Laznicka wrote:
>>>> On 11/05/2015 06:17 PM, Petr Spacek wrote:
>>>>> On 4.11.2015 15:20, Martin Basti wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> we (Standa and I) had offline discussion and I proposed following
>>>>>> idea:
>>>>>>
>>>>>> 1) create new entry in LDAP for "time rule" instead of adding the
>>>>>> time rule
>>>>>> string directly into HBACRule.
>>>>>> This will allow to reuse time rules among various HBAC Rules (and
>>>>>> maybe in
>>>>>> future with sudo rules, etc.)
>>>>>> HBACrule gets only reference to time rule entry stored in LDAP db.
>>>>> Good idea! I can see time rule entry 'working hours in Brno
>>>>> office' which is
>>>>> linked to relevant HBAC rules.
>>>> This seems like a good idea. However, it might be a bit messy to have
>>>> even the least significant rules stored in separate objects. But I
>>>> agree. It brings some questions, though.
>>> Imo to have separate entry for time rule is cleaner than add it
>>> directly to HBAC rule.
>
> I really disagree, see below.
>
>>>> Where would be a good spot to store these time rules?
>>> As I originally thought that we can share time rules between HBAC,
>>> SUDO and everything else, I couldn't be wrong more.
>>>
>>> Example: HBAC admin have permission to edit HBAC rule, but doesn't
>>> have permission to edit SUDO rule. The HBAC admin should be able to
>>> edit time rules for HBAC rules, and cannot be able to edit time rules
>>> of SUDO rules. Thus time rules must be separated between HBAC, SUDO
>>> and others, and privilege that give the permission to modify HBAC
>>> rule, must give permission to modify only HBAC time rules.
>>>
>>> I suggest to add HBAC time rules to HBAC container.
>> After IRC discussion with pspacek and jcholast:
>>
>> We should just create separated privileges to time rules and allow them
>> to be shared.
>> So they should be stored in new container in LDAP
>
> I do not understand what this means.
>
> And in general I am opposed to have a separate object on performance
> grounds (for clients) and also on the fact that is becomes tricky to
> keep objects in sync.
What exactly is the performance issue there? To download extra entry
from LDAP?
The SSSD do the same sync with users and groups, doesn't it?
>
> We then have to deal with cases where you delete a time object but an
> HBAC still references it and also assuring you have permissions to
> fully change an HBAC rule, you may end up in situations where you can
> change the HBAC rule for everything but the times (or vice versa).
IMO this should solve referint plugin if the time policy is removed,
then it will be removed from HBAC rules as well.
>
> So please, explain carefully what would require a separate time object.
>
> On privileges alone I see no value in a separate privilege for time
> than for the HBAC object it applies to (preference for using the same
> object). I also see no technical reason to store the time rules for
> completely different stuff in the same tree.
> Yes, there may be the odd case in which you want to have the same time
> rule for a sudo rule and an HBAC rule, we can make that easy in the
> interface by providing a "copy time rules from X" kind of interface.
My original suggestion was to have it separated, HBAC time policy under
HBAC container and sudo time policy under sudo container. So HBAC admin
will have access to the same subtree and the one can modify time policy
for HBAC. However pspacek and jcholast disagree I will let them to
explain the reasons.
Martin^2
>
> Simo.
>
>
>
More information about the Freeipa-devel
mailing list