[Freeipa-devel] URI in HBAC - design page
Lukáš Hellebrandt
lhellebr at redhat.com
Tue Mar 29 08:52:49 UTC 2016
On 03/24/2016 10:31 AM, Jan Pazdziora wrote:
> On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
>> I created a design page for the feature:
>>
>> http://www.freeipa.org/page/URI-based-HBAC-design
>
> In the document, you say
>
> In all of them [ approaches ], I use only the part of URI
> after hostname as hostname and service are already matched
> as part of selecting HBAC rules to evaluate in terms of
> matching URI.
>
> This is not correct.
>
> The hostname of the machine may be
>
> cloud-123-567.example.com
>
> The service (principal) might be HTTP/cloud-123-567.example.com.
>
> The HBAC service (== PAM service) might be 'application', or 'httpd'.
>
> But the URL might be
>
> http://wiki.example.com/wiki
>
> or
>
> https://issues.example.com/
>
> or
>
> http://www.example.com:8080/
>
> Distinct applications and content, with completely distinct URLs,
> locations, and security requirements, hosted on the same machine and
> under the same HBAC service.
>
> The full URL needs to be taken into account. There can be situations
> like
>
> http:///wiki
>
> where the hostname is omitted in the rule but it has to be an
> explicit decision of the user (admin) editing the rules, not something
> built into the mechanism.
>
Actually, the admin can specify whatever he wants in the URI attribute. The only
question here is what the application should send. So this is merely a
matter of the Apache module in my case.
--
Lukas Hellebrandt
Associate Quality Engineer
lhellebr at redhat.com
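To make the point in the quoted mail concrete, here is an added illustration (not FreeIPA code and not the design page's algorithm): a toy matcher over constructed rules that compares the full URL against a rule's URI attribute, treating an empty host such as http:///wiki as the admin's explicit any-host choice, beside the path-only comparison the mail argues against. The rule format, the rule names and the path-segment-prefix semantics are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed sample rules (not FreeIPA's rule format). Each rule carries a URI
# attribute; an empty host, as in "http:///wiki", is read here as "any host and
# any port", an explicit choice the admin made when writing the rule.
RULES = [
    {"name": "wiki-editors", "uri": "http://wiki.example.com/wiki"},
    {"name": "issue-trackers", "uri": "https://issues.example.com/"},
    {"name": "any-wiki", "uri": "http:///wiki"},
]


def _path_covers(rule_path: str, req_path: str) -> bool:
    """True if rule_path is "/" or a path-segment prefix of req_path.

    The segment boundary matters: a rule for /wiki must not cover /wikipedia.
    """
    rule_path, req_path = rule_path or "/", req_path or "/"
    if rule_path == "/":
        return True
    return req_path == rule_path or req_path.startswith(rule_path.rstrip("/") + "/")


def uri_matches(rule_uri: str, request_url: str) -> bool:
    """Match the full request URL against the rule URI (assumed semantics).

    Scheme must match. If the rule names a host, host and port must match
    exactly; if the rule left the authority empty, any host and port is fine.
    """
    rule, req = urlsplit(rule_uri), urlsplit(request_url)
    if rule.scheme != req.scheme:
        return False
    if rule.netloc and (rule.hostname, rule.port) != (req.hostname, req.port):
        return False
    return _path_covers(rule.path, req.path)


def matching_rules(request_url: str, rules=RULES) -> list:
    """Names of rules whose URI attribute covers the full request URL."""
    return [r["name"] for r in rules if uri_matches(r["uri"], request_url)]


def path_only_matches(request_url: str, rules=RULES) -> list:
    """The rejected approach: compare only the part after the hostname.

    Distinct applications on one machine collapse into each other, so a rule
    written for https://issues.example.com/ ends up covering every URL.
    """
    req_path = urlsplit(request_url).path
    return [r["name"] for r in rules if _path_covers(urlsplit(r["uri"]).path, req_path)]
```

Running `matching_rules` and `path_only_matches` over the three URLs from the mail shows that only the full-URL comparison keeps the wiki, the issue tracker and the port-8080 application apart.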