[Freeipa-devel] [Update]Time-Based Account Policies

Simo Sorce simo at redhat.com
Fri Nov 13 15:40:27 UTC 2015 

On 13/11/15 10:17, Martin Basti wrote:
>
>
> On 13.11.2015 14:41, Simo Sorce wrote:
>> On 11/11/15 09:30, Martin Basti wrote:
>>>
>>>
>>> On 11.11.2015 14:52, Martin Basti wrote:
>>>> Comments inline
>>>> Martin^2
>>>>
>>>> On 11.11.2015 09:24, Stanislav Laznicka wrote:
>>>>> On 11/05/2015 06:17 PM, Petr Spacek wrote:
>>>>>> On 4.11.2015 15:20, Martin Basti wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> we (Standa and I) had offline discussion and I proposed following
>>>>>>> idea:
>>>>>>>
>>>>>>> 1) create new entry in LDAP for "time rule" instead of adding the
>>>>>>> time rule
>>>>>>> string directly into HBACRule.
>>>>>>> This will allow to reuse time rules among various HBAC Rules (and
>>>>>>> maybe in
>>>>>>> future with sudo rules, etc.)
>>>>>>> HBACrule gets only reference to time rule entry stored in LDAP db.
>>>>>> Good idea! I can see time rule entry 'working hours in Brno
>>>>>> office' which is
>>>>>> linked to relevant HBAC rules.
>>>>> This seems like a good idea. However, it might be a bit messy to have
>>>>> even the least significant rules stored in separate objects. But I
>>>>> agree. It brings some questions, though.
>>>> Imo to have separate entry for time rule is cleaner than add it
>>>> directly to HBAC rule.
>>
>> I really disagree, see below.
>>
>>>>> Where would be a good spot to store these time rules?
>>>> As I originally thought that we can share time rules between HBAC,
>>>> SUDO and everything else, I couldn't be wrong more.
>>>>
>>>> Example: HBAC admin have permission to edit HBAC rule, but doesn't
>>>> have permission to edit SUDO rule. The HBAC admin should be able to
>>>> edit time rules for HBAC rules, and cannot be able to edit time rules
>>>> of SUDO rules. Thus time rules must be separated between HBAC, SUDO
>>>> and others, and privilege that give the permission to modify HBAC
>>>> rule, must give permission to modify only HBAC time rules.
>>>>
>>>> I suggest to add HBAC time rules to HBAC container.
>>> After IRC discussion with pspacek and jcholast:
>>>
>>> We should just create separated privileges to time rules and allow them
>>> to be shared.
>>> So they should be stored in new container in LDAP
>>
>> I do not understand what this means.
>>
>> And in general I am opposed to have a separate object on performance
>> grounds (for clients) and also on the fact that is becomes tricky to
>> keep objects in sync.
> What exactly is the performance issue there? To download extra entry
> from LDAP?

Yes because now you have to download rules, parse them, find out what 
needs tro be downloaded and pull it, or wore just download all time rules

> The SSSD do the same sync with users and groups, doesn't it?

No, by default we do not enumerate users and groups, and for HBAC rules 
we download only those that apply to the machine.

All this exactly to reduce the amount of time taken, and load on the server.

>>
>> We then have to deal with cases where you delete a time object but an
>> HBAC still references it and also assuring you have permissions to
>> fully change an HBAC rule, you may end up in situations where you can
>> change the HBAC rule for everything but the times (or vice versa).
> IMO this should solve referint plugin if the time policy is removed,
> then it will be removed from HBAC rules as well.

This is *not* ok though, you do not want an HBAC rule that limits users 
to a specific time to suddenly become "any time" because someone removed 
a time rule and didn't know it was referenced by multiple rules.
These are exactly the type of issues you end up having when you split 
the rule in multiple objects.

>>
>> So please, explain carefully what would require a separate time object.
>>
>> On privileges alone I see no value in a separate privilege for time
>> than for the HBAC object it applies to (preference for using the same
>> object). I also see no technical reason to store the time rules for
>> completely different stuff in the same tree.
>> Yes, there may be the odd case in which you want to have the same time
>> rule for a sudo rule and an HBAC rule, we can make that easy in the
>> interface by providing a "copy time rules from X" kind of interface.
> My original suggestion was to have it separated, HBAC time policy under
> HBAC container and sudo time policy under sudo container. So HBAC admin
> will have access to the same subtree and the one can modify time policy
> for HBAC. However pspacek and jcholast disagree I will let them to
> explain the reasons.

Seriopusly, the HBAC time policy should be (on the HBAC rule object) and 
I mean it as an additional object class with the policy embedded in the 
specific HBAC rule. This is more efficient and avoid issues like the one 
above.

Can you explain *why* you propose to have separate objects ? What's the 
rationale ? What are the failure modes ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

More information about the Freeipa-devel mailing list