[Freeipa-devel] [Update]Time-Based Account Policies

Jakub Hrozek jhrozek at redhat.com
Fri Nov 13 17:49:36 UTC 2015


On Fri, Nov 13, 2015 at 10:40:27AM -0500, Simo Sorce wrote:
> On 13/11/15 10:17, Martin Basti wrote:
> >
> >
> >On 13.11.2015 14:41, Simo Sorce wrote:
> >>On 11/11/15 09:30, Martin Basti wrote:
> >>>
> >>>
> >>>On 11.11.2015 14:52, Martin Basti wrote:
> >>>>Comments inline
> >>>>Martin^2
> >>>>
> >>>>On 11.11.2015 09:24, Stanislav Laznicka wrote:
> >>>>>On 11/05/2015 06:17 PM, Petr Spacek wrote:
> >>>>>>On 4.11.2015 15:20, Martin Basti wrote:
> >>>>>>
> >>>>>>>Hello,
> >>>>>>>
> >>>>>>>we (Standa and I) had an offline discussion and I proposed the
> >>>>>>>following idea:
> >>>>>>>
> >>>>>>>1) create new entry in LDAP for "time rule" instead of adding the
> >>>>>>>time rule
> >>>>>>>string directly into HBACRule.
> >>>>>>>This will allow reusing time rules among various HBAC Rules (and
> >>>>>>>maybe in
> >>>>>>>future with sudo rules, etc.)
> >>>>>>>The HBACrule gets only a reference to the time rule entry stored in the LDAP db.
> >>>>>>Good idea! I can see time rule entry 'working hours in Brno
> >>>>>>office' which is
> >>>>>>linked to relevant HBAC rules.
> >>>>>This seems like a good idea. However, it might be a bit messy to have
> >>>>>even the least significant rules stored in separate objects. But I
> >>>>>agree. It brings some questions, though.
> >>>>Imo, having a separate entry for a time rule is cleaner than adding it
> >>>>directly to the HBAC rule.
> >>
> >>I really disagree, see below.
> >>
> >>>>>Where would be a good spot to store these time rules?
> >>>>As I originally thought that we can share time rules between HBAC,
> >>>>SUDO and everything else, I couldn't be more wrong.
> >>>>
> >>>>Example: an HBAC admin has permission to edit HBAC rules, but doesn't
> >>>>have permission to edit SUDO rules. The HBAC admin should be able to
> >>>>edit time rules for HBAC rules, but should not be able to edit time rules
> >>>>of SUDO rules. Thus time rules must be separated between HBAC, SUDO
> >>>>and others, and the privilege that gives the permission to modify HBAC
> >>>>rules must give permission to modify only HBAC time rules.
> >>>>
> >>>>I suggest adding HBAC time rules to the HBAC container.
> >>>After IRC discussion with pspacek and jcholast:
> >>>
> >>>We should just create separate privileges for time rules and allow them
> >>>to be shared.
> >>>So they should be stored in a new container in LDAP.
> >>
> >>I do not understand what this means.
> >>
> >>And in general I am opposed to having a separate object on performance
> >>grounds (for clients) and also on the fact that it becomes tricky to
> >>keep objects in sync.
    ~~~~~~~~~~~~~~~~~~~
I think this is even more important than performance.

> >What exactly is the performance issue there? To download extra entry
> >from LDAP?
> 
> Yes, because now you have to download rules, parse them, find out what needs
> to be downloaded and pull it, or worse, just download all time rules

Yes, if each rule referenced a timerule, then we would have to do
something like:
    for rule in all_rules_for_this_host:
        dereference_attribute(rule_time_attr)

We'd probably just end up fetching all timerules and establishing the
relationship locally (which takes up computing time on the client).

> 
> >The SSSD does the same sync with users and groups, doesn't it?
> 
> No, by default we do not enumerate users and groups, and for HBAC rules we
> download only those that apply to the machine.
> 
> All this exactly to reduce the amount of time taken, and load on the server.

Right, we try to reduce the number of round-trips, but also the number
of separate objects we save to the cache and we try to avoid complex
logic to link objects to one another.

tl;dr - I agree with Simo.
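The two client-side strategies discussed above (dereferencing each rule's time attribute versus fetching all time rules and linking locally), as an added example that is not SSSD or FreeIPA code. The in-memory directory, DNs and attribute names (timeRuleRef, accessTime) are constructed assumptions; the search counter makes the round-trip cost visible, and a dangling reference (the out-of-sync case) is handled by failing closed.

```python
# Added example (not SSSD/FreeIPA code): models the client-side cost of HBAC
# rules that reference a separate time-rule entry, as discussed above. DNs,
# directory contents and attribute names (timeRuleRef, accessTime) are made up.

HBAC = "cn=%s,cn=hbac,dc=example,dc=test"
TIME = "cn=%s,cn=timerules,dc=example,dc=test"

DIRECTORY = {
    HBAC % "allow_ssh": {"objectClass": "ipaHBACRule", "memberHost": "host1",
                         "timeRuleRef": TIME % "working_hours"},
    # References a time rule that no longer exists: objects drifted out of sync.
    HBAC % "allow_ftp": {"objectClass": "ipaHBACRule", "memberHost": "host1",
                         "timeRuleRef": TIME % "deleted_rule"},
    TIME % "working_hours": {"objectClass": "ipaTimeRule",
                             "accessTime": "Mon-Fri 08:00-18:00"},
    TIME % "night_shift": {"objectClass": "ipaTimeRule",
                           "accessTime": "Mon-Sun 22:00-06:00"},
}

class FakeLdap:
    """In-memory directory; every search() counts as one server round-trip."""
    def __init__(self, directory):
        self.directory = directory
        self.searches = 0

    def search(self, predicate):
        self.searches += 1
        return {dn: e for dn, e in self.directory.items() if predicate(dn, e)}

def host_rules(ldap, host):
    return ldap.search(lambda dn, e: e["objectClass"] == "ipaHBACRule"
                       and e["memberHost"] == host)

def resolve_per_rule(ldap, host):
    """The loop from the mail: dereference each rule's time attribute."""
    resolved = {}
    for dn, rule in host_rules(ldap, host).items():
        ref = rule["timeRuleRef"]
        hit = ldap.search(lambda d, e, ref=ref: d == ref)
        # Fail closed: a dangling reference yields no time window, not "always".
        resolved[dn] = hit[ref]["accessTime"] if hit else None
    return resolved

def resolve_bulk(ldap, host):
    """The alternative from the mail: fetch all time rules once, link locally."""
    rules = host_rules(ldap, host)
    timerules = ldap.search(lambda dn, e: e["objectClass"] == "ipaTimeRule")
    return {dn: timerules.get(r["timeRuleRef"], {}).get("accessTime")
            for dn, r in rules.items()}
```

With two rules on the host the per-rule path costs three searches and the bulk path two, and both leave the rule with the missing time entry without a time window rather than silently treating it as unrestricted.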