[Freeipa-devel] URI in HBAC rules - patch - request for feedback

Jakub Hrozek jhrozek at redhat.com
Sun Feb 28 10:39:35 UTC 2016


On Fri, Feb 26, 2016 at 11:33:26AM -0500, Simo Sorce wrote:
> On Fri, 2016-02-26 at 17:17 +0100, Jakub Hrozek wrote:
> > On Fri, Feb 26, 2016 at 10:58:57AM -0500, Simo Sorce wrote:
> > > On Fri, 2016-02-26 at 13:17 +0100, Lukáš Hellebrandt wrote:
> > > > Hi, FreeIPA and SSSD communities!
> > > > 
> > > > I am working on adding URI to HBAC as my thesis [1]. The goal is to
> > > > control access not only based on (user, host, service), but on (user,
> > > > host, service, resource's URI).
> > > > 
> > > > I created a patch for FreeIPA [2] so it is capable of storing URI as
> > > > part of HBAC rule. I created a patch for SSSD [3] so it is able to get
> > > > this URI from FreeIPA and use it in HBAC evaluation.
> > > > 
> > > > I still need to develop a part of SSSD receiving URI-aware requests. It
> > > > will either be an enhancement of Infopipe or I will use PAM responder
> > > > (any suggestions?).
> > > > 
> > > > I wanted to kindly ask you for review and your opinions on the patches
> > > > and generally on my approach. This would be my first contribution to
> > > > FreeIPA and SSSD so there might be bugs. What do you think?
> > > > 
> > > > Btw, is there some better place to share patches than a pasting tool?
> > > > Maybe some form of pull request?
> > > > 
> > > > Thanks for your opinions!
> > > > 
> > > > [1]
> > > > https://diplomky.redhat.com/topic/show/326/store-and-manage-access-to-uris-in-freeipa
> > > > [2]
> > > > http://pastebin.com/rsHzXeAR
> > > > [3]
> > > > http://pastebin.com/atcZMuP1
> > > > 
> > > 
> > > Hi Lukas, could you please post your patches here using git-format-patch or,
> > > even better, provide a public git tree with them applied?
> > > (Any place github, fedorapeople, your own server, etc. is fine)
> > > 
> > > 
> > > First a question: what service can actually use this scheme and how?
> > > There is no URL field in PAM.
> > 
> > When Lukas started the work, we IIRC concluded that PAM is not an
> > appropriate interface and we should probably expose some DBUS methods
> > for access control. We haven't really discussed any details since then.
> 
> This only shifts the question: what service would use this interface?
> Note I am not opposed to it, but would like to understand how we are
> going to test that it actually works and is useful.

I thought it was going to be an Apache module, much like Jan's
mod_authnz_pam, so maybe something like mod_authnz_hbac.