[Freeipa-devel] [WIP] Time-Based HBAC Policies
Stanislav Laznicka
slaznick at redhat.com
Fri Mar 4 14:39:33 UTC 2016
Based on Alexander's suggestion I created a copr repo with the latest
python-icalendar version.
https://copr.fedorainfracloud.org/coprs/stlaz/python-icalendar/packages/
On 03/04/2016 02:53 PM, Stanislav Laznicka wrote:
> Hello,
>
> So in the previous month and a bit I was reworking the time-based
> policies according to the changes we agreed on
> (http://pad.engineering.redhat.com/ipa-time-based-HBAC-design, line
> 83). Let me briefly walk you through what was done (no TL;DR, sorry,
> but I split the text into chapters):
>
> *Time rule templates*
> The attachment contains the proposal for how this could be done using
> costemplates. Currently, the time rule templates have their own
> directory in the realm tree. The idea is that it could be used for
> both HBAC and Sudo rules so it needs to be in a location both should
> be able to reach. Should we not want them used in Sudo rules, the
> template directory could be moved to HBAC directory. There are also
> some new permissions for accessing these time rule templates which may
> need to be revised if the templates should be used both for sudo and
> HBAC rules.
>
> *iCalendar format validation*
> So there is an iCalendar string validation now. During its creation,
> I came across several issues with python-icalendar, which is basically
> why it took me so long to write the validation. I made several fixes
> to the python-icalendar library; most of them are already merged in
> the repository master (https://github.com/collective/icalendar), one
> should be pushed in the next major library release.
>
> My pull requests:
> https://github.com/collective/icalendar/pull/175
> https://github.com/collective/icalendar/pull/179
> https://github.com/collective/icalendar/pull/180
> https://github.com/collective/icalendar/pull/183
> https://github.com/collective/icalendar/pull/189
>
> I still have one fix in the making, that one should force the strong
> types in iCalendar as these are also missing in python-icalendar but
> required by the RFC.
>
> Also, obviously, if you want to try the patches, you will need the
> current python-icalendar implementation from GitHub. I haven't put the
> python-icalendar dependency into the .spec file yet for this reason.
> *Summary*
> We are now able to import iCalendar strings from files and more or
> less be sure that the parts we need will be consistent with RFC
> 5545 (basically, we are only checking that VEVENT components are
> correct; bringing strict checking to python-icalendar would take some
> time and I believe I spent way too much time on it already (there is
> an issue on their GitHub page, though; it's 4 years old)).
>
> *TODO now*
> 0) Update the design
> 1a) The hbacrule-*-accesstime should probably be split into 2
> commands, one that reads iCalendar strings from files, and one that
> creates those strings from "some kind of user input" (similarly for
> timeruletemplates).
> 1b) Create the format of user input we could expect for the second
> kind of command from 1a). We need to be able to convert it to
> iCalendar string and back so that we are able to present the data
> stored on the server in human readable form.
> The NL part of http://jkbrzt.github.io/rrule/ might be of help, although it
> aims mostly at the RRULE property of VEVENT components, whereas we may
> want to use DTEND, EXDATE, RDATE and DURATION as well to be able to
> specify events more properly.
> 2) Represent the HBAC time rules on the SSSD side. I already have a
> skeleton of this based on libical
> (https://github.com/libical/libical), which hopefully seems to be more
> viable than python-icalendar. I do not mean to do the validation of
> the received iCalendar string on the SSSD side anymore (at least not in
> an excessive way), just get the required properties from VEVENT
> components and evaluate them accordingly.
>
> *Discuss*
> I would really appreciate your input on these topics:
> 1) How to represent the iCalendar strings on the client side in the CLI
> (while thinking about the WebUI as well)?
> 2a) Do we want to use the time rules for Sudo rules as well?
> 2b) If 2a), is the proposed location of time rule templates along with
> the privileges OK?
>
> Standa
>
>
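What the two halves described in the mail amount to, as an added example that is not FreeIPA, SSSD, python-icalendar or libical code: the server-side check that the VEVENT components of a rule meet the RFC 5545 requirements the evaluator depends on (UID, DTSTAMP and DTSTART exactly once, at most one RRULE, DTEND later than DTSTART), and the client-side evaluation that decides whether a timestamp falls inside one of the recurring windows. Everything here is this example's own assumption, not the design's: the constructed sample rule, the property subset it accepts (UTC date-times only; RRULE with FREQ=WEEKLY, BYDAY and UNTIL; EXDATE) and all function names. The one security-relevant choice is that anything the evaluator does not fully understand (DURATION, RDATE, INTERVAL, floating or TZID-qualified times) is refused rather than skipped, so a rule that was only partly parsed can never evaluate as "access granted".

```python
# Toy evaluator for access windows given as RFC 5545 VEVENT components (added example,
# not FreeIPA/SSSD code). UTC only; RRULE limited to FREQ=WEEKLY, BYDAY, UNTIL; EXDATE.
import re
from datetime import datetime, timedelta, timezone

WEEKDAYS = {"MO": 0, "TU": 1, "WE": 2, "TH": 3, "FR": 4, "SA": 5, "SU": 6}
SUPPORTED_PARTS = {"FREQ", "BYDAY", "UNTIL"}

# Constructed sample: weekdays 08:00-18:00 UTC through 2016, one Friday excluded.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0", "PRODID:-//example//hbac-toy//EN",
    "BEGIN:VEVENT", "UID:office-hours@example.test", "DTSTAMP:20160304T120000Z",
    "DTSTART:20160307T080000Z", "DTEND:20160307T180000Z",
    "RRULE:FREQ=WEEKLY;BYDAY=MO,TU,WE,TH,FR;UNTIL=20161231T235959Z",
    "EXDATE:20160325T080000Z", "END:VEVENT", "END:VCALENDAR"])

def utc(year, month, day, hour=0, minute=0):
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)

def unfold(text):
    """Undo RFC 5545 3.1 line folding (CRLF followed by a space or tab)."""
    return [ln for ln in re.split(r"\r?\n", re.sub(r"\r?\n[ \t]", "", text)) if ln]

def parse_vevents(text):
    """One {NAME: [value, ...]} dict per VEVENT; property parameters are dropped."""
    events, cur = [], None
    for line in unfold(text):
        name, _, value = line.partition(":")
        name, value_u = name.split(";", 1)[0].upper(), value.upper()
        if (name, value_u) == ("BEGIN", "VEVENT"):
            cur = {}
        elif (name, value_u) == ("END", "VEVENT") and cur is not None:
            events.append(cur)
            cur = None
        elif cur is not None:
            cur.setdefault(name, []).append(value)
    return events

def parse_utc(value):
    """Accept only YYYYMMDDTHHMMSSZ; floating or TZID-qualified times are refused."""
    return datetime.strptime(value, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)

def rrule_parts(rule):
    return dict(part.partition("=")[::2] for part in rule.split(";"))

def validate_vevent(ev):
    # The RFC 5545 section 3.6.1 requirements this evaluator relies on.
    problems = ["%s must occur exactly once" % p
                for p in ("UID", "DTSTAMP", "DTSTART") if len(ev.get(p, [])) != 1]
    problems += ["%s is not supported by this evaluator" % p
                 for p in ("DURATION", "RDATE") if p in ev]
    if len(ev.get("RRULE", [])) > 1:
        problems.append("RRULE must not occur more than once")
    for parts in map(rrule_parts, ev.get("RRULE", [])):
        unknown = sorted(set(parts) - SUPPORTED_PARTS)
        if unknown:
            problems.append("unsupported RRULE parts: %s" % ",".join(unknown))
        if parts.get("FREQ") != "WEEKLY":
            problems.append("unsupported FREQ %r" % parts.get("FREQ"))
        if any(d not in WEEKDAYS for d in parts.get("BYDAY", "MO").split(",")):
            problems.append("unsupported BYDAY %r" % parts["BYDAY"])
    return problems

def window(ev):
    start = parse_utc(ev["DTSTART"][0])  # without DTEND the event is an instant
    end = parse_utc(ev["DTEND"][0]) if "DTEND" in ev else start
    if "DTEND" in ev and end <= start:
        raise ValueError("DTEND must be later than DTSTART")
    return start, end

def covers(ev, when):
    """Does some occurrence of this (validated) VEVENT contain the aware datetime?"""
    when = when.astimezone(timezone.utc)
    start, end = window(ev)
    length = end - start
    if "RRULE" not in ev:
        return start <= when < end
    parts = rrule_parts(ev["RRULE"][0])
    until = parse_utc(parts["UNTIL"]) if "UNTIL" in parts else None
    exdates = {parse_utc(x) for v in ev.get("EXDATE", []) for x in v.split(",")}
    days = {WEEKDAYS[d] for d in parts.get("BYDAY", "").split(",") if d} or {start.weekday()}
    # An occurrence containing `when` starts at most `length` before it: try only those days.
    day = (when - length).date()
    while day <= when.date():
        cand = datetime.combine(day, start.timetz())
        day += timedelta(days=1)
        if cand < start or (until is not None and cand > until):
            continue
        if cand.weekday() in days and cand not in exdates and cand <= when < cand + length:
            return True
    return False

def is_allowed(ics_text, when):
    """Fail closed: a VEVENT that does not validate raises instead of being skipped."""
    events = parse_vevents(ics_text)
    problems = [p for ev in events for p in validate_vevent(ev)]
    if not events or problems:
        raise ValueError("; ".join(problems) or "no VEVENT component")
    return any(covers(ev, when) for ev in events)
```

Refusing a rule means that rule grants nothing, which is the conservative failure for an access-control check; the server-side validation described in the mail exists so that such rules are rejected at import time and never reach the client. Note also that `covers` only needs to try the few calendar days within `length` of the queried instant, so a weekly rule is evaluated without enumerating every occurrence since DTSTART.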