[Freeipa-devel] URI in HBAC rules - patch - request for feedback

Jakub Hrozek jhrozek at redhat.com
Fri Feb 26 16:17:48 UTC 2016


On Fri, Feb 26, 2016 at 10:58:57AM -0500, Simo Sorce wrote:
> On Fri, 2016-02-26 at 13:17 +0100, Lukáš Hellebrandt wrote:
> > Hi, FreeIPA and SSSD communities!
> > 
> > I am working on adding URI to HBAC as my thesis [1]. The goal is to
> > control access not only based on (user, host, service), but on (user,
> > host, service, resource's URI).
> > 
> > I created a patch for FreeIPA [2] so it is capable of storing URI as
> > part of HBAC rule. I created a patch for SSSD [3] so it is able to get
> > this URI from FreeIPA and use it in HBAC evaluation.
> > 
> > I still need to develop a part of SSSD receiving URI-aware requests. It
> > will either be an enhancement of Infopipe or I will use PAM responder
> > (any suggestions?).
> > 
> > I wanted to kindly ask you for review and your opinions on the patches
> > and generally on my approach. This would be my first contribution to
> > FreeIPA and SSSD so there might be bugs. What do you think?
> > 
> > Btw, is there some better place to share patches than a pasting tool?
> > Maybe some form of pull request?
> > 
> > Thanks for your opinions!
> > 
> > [1]
> > https://diplomky.redhat.com/topic/show/326/store-and-manage-access-to-uris-in-freeipa
> > [2]
> > http://pastebin.com/rsHzXeAR
> > [3]
> > http://pastebin.com/atcZMuP1
> > 
> 
> Hi Lukas, could you please post your patches here using git-format-patch or,
> even better, provide a public git tree with them applied?
> (Any place: github, fedorapeople, your own server, etc. is fine)
> 
> 
> First a question: what service can actually use this scheme, and how?
> There is no URL field in PAM.

When Lukas started the work, we IIRC concluded that PAM is not an
appropriate interface and we should probably expose some DBUS methods
for access control. We haven't really discussed any details since then.



