[Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

Petr Spacek pspacek at redhat.com
Mon Aug 29 07:13:34 UTC 2016


On 26.8.2016 17:40, Simo Sorce wrote:
> On Fri, 2016-08-26 at 11:37 -0400, Simo Sorce wrote:
>> Ie we could set both "allow" and "allow_with_time" on an object for
>> cases where the admin wants to enforce the time part only on newer
>> client
>> but otherwise apply the rule to any client.
> 
> I notice that SSSD does not like it if there are multiple values on this
> attribute, but we could change this easily in older clients when we
> update them. Worst case, the rule will not apply and admins have to
> create 2 rules, one with allow and one with allow_with_time.

I like the idea in general but it needs proper design and detailed
specification first.

Given that we have to modify SSSD anyway, I would go for ipaHBACRulev2 object
class with clear definition of "capabilities" (without any obsolete cruft).

That should be future proof and without any negative impact on existing clients.

-- 
Petr^2 Spacek
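The two approaches in this thread (a multi-valued accessRuleType on an existing ipaHBACRule entry versus a new ipaHBACRulev2 objectclass with explicit capabilities) differ mainly in what an old client does with a rule it does not fully understand. The model below is an added example, not SSSD or FreeIPA code: it evaluates constructed rule entries with a "legacy" client that only knows the single value "allow" and rejects multi-valued attributes, and a "time-aware" client that honours the time part and applies v2 rules only when it supports every capability they list. The attribute accessRuleType, the objectclass ipaHBACRule and the values "allow"/"allow_with_time" are taken from the thread; the "accessTime" windows, the "capabilities" attribute on ipaHBACRulev2 and the user/host names are assumptions made for illustration.

```python
from datetime import datetime, time

# Constructed rule entries, shaped loosely like FreeIPA HBAC LDAP entries.
# accessRuleType, ipaHBACRule and "allow_with_time" come from the thread;
# "accessTime", "ipaHBACRulev2"'s "capabilities" attribute and all member
# names are assumptions for this example.
RULE_PLAIN = {
    "cn": "ssh-anytime", "objectClass": ["ipaHBACRule"],
    "accessRuleType": ["allow"],
    "memberUser": ["alice"], "memberHost": ["web1"], "memberService": ["sshd"],
}
RULE_COMBINED = {  # both values on one entry, as proposed in the quoted mail
    "cn": "ssh-hours-combined", "objectClass": ["ipaHBACRule"],
    "accessRuleType": ["allow", "allow_with_time"],
    "accessTime": [("09:00", "17:00")],
    "memberUser": ["bob"], "memberHost": ["web1"], "memberService": ["sshd"],
}
RULE_V2 = {  # new objectclass carrying an explicit capability list
    "cn": "ssh-hours-v2", "objectClass": ["ipaHBACRulev2"],
    "capabilities": ["time"],
    "accessTime": [("09:00", "17:00")],
    "memberUser": ["carol"], "memberHost": ["web1"], "memberService": ["sshd"],
}
RULES = [RULE_PLAIN, RULE_COMBINED, RULE_V2]


def _matches(rule, user, host, service):
    """Membership check; real HBAC also expands groups and categories."""
    return (user in rule["memberUser"] and host in rule["memberHost"]
            and service in rule["memberService"])


def _in_window(windows, when):
    """True if the wall-clock time of `when` falls in any (start, end) window."""
    t = when.time()
    return any(time.fromisoformat(a) <= t <= time.fromisoformat(b)
               for a, b in windows)


def legacy_client_allows(rules, user, host, service, when=None):
    """Old client: knows only ipaHBACRule with the single value 'allow'.
    A multi-valued accessRuleType makes the rule not apply, and an
    entry without the ipaHBACRule objectclass is ignored entirely."""
    for rule in rules:
        if "ipaHBACRule" not in rule["objectClass"]:
            continue
        if rule["accessRuleType"] != ["allow"]:
            continue
        if _matches(rule, user, host, service):
            return True
    return False


def time_aware_client_allows(rules, user, host, service, when,
                             supported=frozenset({"time"})):
    """New client: enforces the time part of a combined ipaHBACRule entry
    and applies an ipaHBACRulev2 entry only when it supports every
    capability the rule requires."""
    for rule in rules:
        if not _matches(rule, user, host, service):
            continue
        if "ipaHBACRulev2" in rule["objectClass"]:
            caps = set(rule["capabilities"])
            if not caps <= supported:
                continue  # unknown capability: do not apply the rule
            if "time" in caps and not _in_window(rule["accessTime"], when):
                continue
            return True
        kinds = set(rule["accessRuleType"])
        if "allow_with_time" in kinds:
            if _in_window(rule["accessTime"], when):
                return True
            continue  # the time part is mandatory for a time-aware client
        if kinds == {"allow"}:
            return True
    return False


if __name__ == "__main__":
    work = datetime(2016, 8, 29, 10, 0)
    night = datetime(2016, 8, 29, 22, 0)
    for user in ("alice", "bob", "carol"):
        print(user, "legacy:", legacy_client_allows(RULES, user, "web1", "sshd"),
              "new@10:00:", time_aware_client_allows(RULES, user, "web1", "sshd", work),
              "new@22:00:", time_aware_client_allows(RULES, user, "web1", "sshd", night))
```

In this model the combined entry is the one that behaves worst on the legacy client: because that client rejects the second value, bob is denied there even though the intent was to apply the rule unconditionally to old clients. The ipaHBACRulev2 entry is simply skipped by the legacy client and evaluated by the new one, which is the "no negative impact on existing clients" property the mail above is after; a client that lacks a listed capability also skips the rule rather than applying it partially.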