[Freeipa-devel] URI in HBAC - design page

Jan Pazdziora jpazdziora at redhat.com
Thu Mar 24 09:43:35 UTC 2016


On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
> I created a design page for the feature:
> 
> http://www.freeipa.org/page/URI-based-HBAC-design

I try to put separate areas of concern into separate emails to make
it easy to keep track.

The document says

	There is a new field in HBAC rule details for adding URI PCRE
	as plain text.

We need an easy way for the user to enter multiple URLs for the same
rule. The primary case is obviously the http / https duality

	http://www.example.com/
	https://www.example.com/

but there might be other situations when an additional service is being
deployed and it is supposed to use exactly the same rule as five
existing ones. In that case the user has to be able to just add
an additional URL to an existing HBAC rule, not be forced to create
a separate new rule which will likely go out of sync from the previous
ones when they are edited.

In addition, there should be an easy way to see all HBAC rules for a
particular URL (and all sub-URLs) -- it should be possible to search
for

	www.example.com

and see all the

	http://www.example.com/			HBAC rule name 1
	https://www.example.com/		HBAC rule name 1
	http://www.example.com/auth/		HBAC rule name 2
	https://www.example.com/auth/		HBAC rule name 2
	http://www.example.com/auth/admin/	HBAC rule name 3
	https://www.example.com/auth/admin/	HBAC rule name 3

ideally in some concise way if multiple URLs lead to the same rule
and changes between rules that differ:

	http(s)://www.example.com/		HBAC rule name 1
	http(s)://www.example.com/auth/		HBAC rule name 2
		User group: core-employees
	http(s)://www.example.com/auth/admin/	HBAC rule name 3
		User group: network-admins

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
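
The per-host lookup and condensed listing requested in the message above, as an added example that is not part of the original e-mail or of FreeIPA's code. It assumes rules hold literal URL prefixes rather than PCREs; the `RULES` layout and the `search` and `render` functions are hypothetical, and the sample data is constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample data; this rule layout is a hypothetical model,
# not FreeIPA's schema. Each rule may carry several URIs.
RULES = {
    "HBAC rule name 1": {"group": None, "uris": [
        "http://www.example.com/", "https://www.example.com/"]},
    "HBAC rule name 2": {"group": "core-employees", "uris": [
        "http://www.example.com/auth/", "https://www.example.com/auth/"]},
    "HBAC rule name 3": {"group": "network-admins", "uris": [
        "http://www.example.com/auth/admin/",
        "https://www.example.com/auth/admin/"]},
    "HBAC rule name 4": {"group": "core-employees", "uris": [
        "https://intranet.example.com/"]},
}

def search(rules, host):
    """Return (uri, rule name) rows for every URI on `host`, sorted by path.

    An http/https pair that leads to the same rule becomes one http(s) row.
    """
    seen = defaultdict(set)  # (netloc, path, rule name) -> schemes found
    for name, rule in rules.items():
        for uri in rule["uris"]:
            parts = urlsplit(uri)
            if parts.hostname == host.lower():
                seen[(parts.netloc, parts.path or "/", name)].add(parts.scheme)
    rows = []
    for (netloc, path, name), schemes in sorted(seen.items()):
        if {"http", "https"} <= schemes:
            schemes = (schemes - {"http", "https"}) | {"http(s)"}
        rows += [(f"{s}://{netloc}{path}", name) for s in sorted(schemes)]
    return rows

def render(rules, host):
    """Format the rows, noting the user group only where it changes."""
    lines, previous = [], None
    for uri, name in search(rules, host):
        lines.append(f"{uri}\t{name}")
        group = rules[name]["group"]
        if group and group != previous:
            lines.append(f"\tUser group: {group}")
        previous = group
    return lines

if __name__ == "__main__":
    print("\n".join(render(RULES, "www.example.com")))
```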



