[Freeipa-devel] [DESIGN] Time-Based HBAC Policies

Stanislav Laznicka slaznick at redhat.com
Wed May 18 06:25:40 UTC 2016


On 05/17/2016 12:40 PM, Petr Spacek wrote:
> On 13.5.2016 13:50, Stanislav Laznicka wrote:
>> Hello list,
>>
>> We had a discussion today over integrating the Time Rules into the CLI and
>> WebUI and a problem came up with the current solution. It seems that
>> while having templating handled by CoSTemplates might be nice in terms of easy
>> dereferencing on SSSD side (it's handled by the DS itself), it's not really
>> much possible to pick one string from the multi-valued accesstime attribute of
>> HBAC Rule object and modify it.
> Could you be more specific?
>
> AFAIK LDAP protocol allows this. Where is the problem?
>
> Petr^2 Spacek
I should have added we're talking CLI and WebUI here.

Imagine you have 5 values of the accesstime attribute, each one is about 
10 lines of iCal string, and want to change one:

ipa hbacrule-mod-accesstime rule_name --time=???
>
>> We were thinking of a solution discussed way earlier - having our own time
>> rule objects that could be referenced from each HBAC rule. That way, any time
>> rule could be modified easily. As the HBAC rules are cached on the SSSD side
>> periodically using the deref plugin, there should be no problem of
>> inconsistency with the server database.
>>
>> The original reasoning pro and against the proposed solution could be found on
>> the pad http://pad.engineering.redhat.com/ipa-time-based-HBAC-design. It would
>> be really nice to hear your opinions and ideas that could help us overcome
>> this problem.
>>
>> Thank you,
>> Standa
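To make the CLI problem concrete: with LDAP you can indeed swap one value of a multi-valued attribute, but only by deleting the exact old value and adding the new one in the same modify (a plain replace would wipe every other accesstime value), and because the iCal strings span several lines LDIF forces them into base64. The script below is an added illustration, not FreeIPA code; the DN, the `ipaTimeRule` entry and its `ipaTimeRuleICal` attribute are assumed names, and the iCal values are constructed samples.

```python
import base64

# Constructed sample: one multi-line iCalendar value of the HBAC rule's
# multi-valued accesstime attribute, and a variant with a later end time.
OLD_VALUE = ("BEGIN:VEVENT\r\nDTSTART:20160501T090000Z\r\nDTEND:20160501T170000Z\r\n"
             "RRULE:FREQ=WEEKLY;BYDAY=MO,TU,WE,TH,FR\r\nEND:VEVENT")
NEW_VALUE = OLD_VALUE.replace("DTEND:20160501T170000Z", "DTEND:20160501T180000Z")

# Assumed DNs (placeholders, not a real FreeIPA layout).
HBAC_RULE_DN = "cn=EXAMPLE-RULE,cn=hbac,dc=example,dc=com"
TIME_RULE_DN = "cn=office-hours,cn=timerules,dc=example,dc=com"  # hypothetical object


def ldif_value(attr, value):
    """Render one 'attr: value' LDIF line.

    RFC 2849 only allows SAFE-STRING values after a single colon; anything
    containing CR/LF (every multi-line iCal string), leading space/colon/'<'
    or non-ASCII must be base64-encoded after a double colon.
    """
    unsafe = ("\r" in value or "\n" in value or not value.isascii()
              or value.startswith((" ", ":", "<")))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode()).decode()}"
    return f"{attr}: {value}"


def replace_one_value_ldif(dn, attr, old, new):
    """Change record that swaps exactly one value of a multi-valued attribute.

    'replace:' would discard all other values, so the old value is deleted by
    exact match and the new one added inside the same modify.  The caller
    therefore has to supply the complete old string, which is the usability
    problem for an 'hbacrule-mod-accesstime' style CLI option.
    """
    return "\n".join([f"dn: {dn}", "changetype: modify",
                      f"delete: {attr}", ldif_value(attr, old), "-",
                      f"add: {attr}", ldif_value(attr, new), "-", ""])


def replace_time_rule_ldif(dn, attr, new):
    """With a separate (hypothetical) time rule entry that the HBAC rule merely
    references, editing a schedule is a plain single-value replace on that
    entry; the HBAC rule itself is not touched."""
    return "\n".join([f"dn: {dn}", "changetype: modify",
                      f"replace: {attr}", ldif_value(attr, new), "-", ""])


if __name__ == "__main__":
    print(replace_one_value_ldif(HBAC_RULE_DN, "accesstime", OLD_VALUE, NEW_VALUE))
    print(replace_time_rule_ldif(TIME_RULE_DN, "ipaTimeRuleICal", NEW_VALUE))
```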
