[Freeipa-devel] [DESIGN] Time-Based HBAC Policies
Stanislav Laznicka
slaznick at redhat.com
Fri May 13 11:50:15 UTC 2016
Hello list,

We had a discussion today over integrating the Time Rules into the CLI
and WebUI and a problem came up with the current solution. It seems
that while having templating handled by CoSTemplates might be nice in
terms of easy dereferencing on SSSD side (it's handled by the DS
itself), it's not really possible to pick one string from the
multi-valued accesstime attribute of HBAC Rule object and modify it.

We were thinking of a solution discussed way earlier - having our own
time rule objects that could be referenced from each HBAC rule. That
way, any time rule could be modified easily. As the HBAC rules are
cached on the SSSD side periodically using the deref plugin, there
should be no problem of inconsistency with the server database.

The original reasoning for and against the proposed solution could be
found on the pad
http://pad.engineering.redhat.com/ipa-time-based-HBAC-design. It would
be really nice to hear your opinions and ideas that could help us
overcome this problem.

Thank you,
Standa