[Freeipa-devel] URI in HBAC rules - patch - request for feedback

Lukáš Hellebrandt lhellebr at redhat.com
Mon Feb 29 10:40:45 UTC 2016


On 02/28/2016 11:39 AM, Jakub Hrozek wrote:
> On Fri, Feb 26, 2016 at 11:33:26AM -0500, Simo Sorce wrote:
>> On Fri, 2016-02-26 at 17:17 +0100, Jakub Hrozek wrote:
>>> On Fri, Feb 26, 2016 at 10:58:57AM -0500, Simo Sorce wrote:
>>>> On Fri, 2016-02-26 at 13:17 +0100, Lukáš Hellebrandt wrote:
>>>>> Hi, FreeIPA and SSSD communities!
>>>>>
>>>>> I am working on adding URI to HBAC as my thesis [1]. The goal is to
>>>>> control access not only based on (user, host, service), but on (user,
>>>>> host, service, resource's URI).
>>>>>
>>>>> I created a patch for FreeIPA [2] so it is capable of storing URI as
>>>>> part of HBAC rule. I created a patch for SSSD [3] so it is able to get
>>>>> this URI from FreeIPA and use it in HBAC evaluation.
>>>>>
>>>>> I still need to develop a part of SSSD receiving URI-aware requests. It
>>>>> will either be an enhancement of Infopipe or I will use PAM responder
>>>>> (any suggestions?).
>>>>>
>>>>> I wanted to kindly ask you for review and your opinions on the patches
>>>>> and generally on my approach. This would be my first contribution to
>>>>> FreeIPA and SSSD so there might be bugs. What do you think?
>>>>>
>>>>> Btw, is there some better place to share patches than a pasting tool?
>>>>> Maybe some form of pull request?
>>>>>
>>>>> Thanks for your opinions!
>>>>>
>>>>> [1]
>>>>> https://diplomky.redhat.com/topic/show/326/store-and-manage-access-to-uris-in-freeipa
>>>>> [2]
>>>>> http://pastebin.com/rsHzXeAR
>>>>> [3]
>>>>> http://pastebin.com/atcZMuP1
>>>>>
>>>>
>>>> Hi Lukas, could you please post your patches here using git-format-patch or
>>>> even better provide a public git tree with them applied?
>>>> (Any place github, fedorapeople, your own server, etc. is fine)
>>>>
>>>>
>>>> First a question, what service can actually use this scheme and how?
>>>> There is no URL field in PAM.
>>>
>>> When Lukas started the work, we IIRC concluded that PAM is not an
>>> appropriate interface and we should probably expose some DBUS methods
>>> for access control. We haven't really discussed any details since then.
>>
>> This only shifts the question, what service would use this interface?
>> note I am not opposed to it, but would like to understand how we are
>> going to test that it actually works and is useful.
> 
> I thought it was going to be an Apache module, much like Jan's
> mod_authnz_pam, so maybe something like mod_authnz_hbac.
> 

Exactly. It could have other uses, but an example I will be using will
be an Apache module. And really, the only functional difference between
mod_authnz_pam and the new module would be that the new module will be
URI-aware (so it will use either PAM or Infopipe to communicate with
SSSD and among other things, send URI, too) and it will probably be
authorization-only.

I am still not sure about the Infopipe vs PAM thing. I am trying to do
normal authorization as the PAM one, just add some URI parameter to the
request. I am still not sure whether it is a good idea to use a PAM
variable (URI is not a standard field but maybe PAM supports other than
standard variables?) or whether to add more functionality to Infopipe
and not use PAM at all. That is probably my most important question
for now.


-- 
Lukas Hellebrandt
Associate Quality Engineer
lhellebr at redhat.com
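The thread proposes extending the HBAC tuple from (user, host, service) to (user, host, service, URI), to be consumed by something like an Apache authorization module. The sketch below is an added illustration of that evaluation step, not code from the FreeIPA or SSSD patches linked above; the rule shape, attribute names, rule set and hostnames are all constructed for the example and do not reflect FreeIPA's actual LDAP schema. The point it adds beyond the message is the check a URI-aware evaluator has to make before any prefix comparison: the requested path must be percent-decoded and dot-segment-normalized, otherwise a rule written for `/admin` is bypassed by `/%61dmin` or reached from `/public/../admin`.

```python
"""Toy URI-aware HBAC evaluation (added example, not FreeIPA/SSSD code).

Hypothetical rule shape: classic (users, hosts, services) plus a resource
path prefix. Nothing here mirrors FreeIPA's schema or SSSD's HBAC engine.
"""
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit
import posixpath


@dataclass(frozen=True)
class HbacRule:
    """Hypothetical rule; field names are this example's, not FreeIPA's."""
    name: str
    users: frozenset
    hosts: frozenset
    services: frozenset
    uri_prefix: str = "/"  # resource path prefix the rule grants access to


def normalize_path(uri: str) -> str:
    """Reduce a request URI (full URL or bare path) to a canonical path.

    Percent-decoding runs before dot-segment removal so an encoded
    "%2e%2e" is resolved like a literal "..". Query and fragment are
    dropped: they are not part of the protected resource path.
    normpath clamps leading ".." at the root for absolute paths.
    """
    path = urlsplit(uri).path or "/"
    path = unquote(path)
    # lstrip avoids "//x", which POSIX normpath would deliberately preserve
    return posixpath.normpath("/" + path.lstrip("/"))


def _prefix_match(prefix: str, path: str) -> bool:
    """True if path is the prefix itself or lies below it (segment-aware)."""
    prefix = normalize_path(prefix)
    if prefix == "/":
        return True
    return path == prefix or path.startswith(prefix + "/")


def hbac_allows(rules, user, host, service, uri):
    """Return the name of the first matching rule, or None for deny."""
    path = normalize_path(uri)
    for rule in rules:
        if (user in rule.users
                and host in rule.hosts
                and service in rule.services
                and _prefix_match(rule.uri_prefix, path)):
            return rule.name
    return None


# Constructed sample rule set (hypothetical users, host and paths).
HOST = "web1.example.test"
RULES = (
    HbacRule("admins_admin_area", frozenset({"alice"}), frozenset({HOST}),
             frozenset({"HTTP"}), "/admin"),
    HbacRule("everyone_public", frozenset({"alice", "bob"}), frozenset({HOST}),
             frozenset({"HTTP"}), "/public"),
)


def decide(user, uri, host=HOST, service="HTTP"):
    """Convenience wrapper over the sample rule set."""
    return hbac_allows(RULES, user, host, service, uri)


if __name__ == "__main__":
    for who, target in [("bob", "/public/index.html"),
                        ("bob", "/admin"),
                        ("bob", "/public/%2e%2e/admin/users"),
                        ("alice", "/%61dmin/users")]:
        print(f"{who:5} {target:30} -> {decide(who, target)}")
```

The segment-aware prefix test matters as much as the normalization: a naive `startswith("/admin")` would also admit `/administrator`, which is a different resource.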