[Freeipa-devel] [DESIGN] Time-Based HBAC Policies
Alexander Bokovoy
abokovoy at redhat.com
Wed May 18 14:13:11 UTC 2016
On Wed, 18 May 2016, Stanislav Laznicka wrote:
>On 05/18/2016 02:19 PM, Alexander Bokovoy wrote:
>>On Wed, 18 May 2016, Stanislav Laznicka wrote:
>>>>>when removal succeeds but addition fails for some reason? The
>>>>>operation is not atomic anymore.
>>>>>
>>>>
>>>We offline-discussed this with Honza. There should be a new
>>>command `ipa hbacrule-replace-accesstime rule_name
>>>--orig-time=icalstr1 --new-time=icalstr2`. As it would be derived
>>>from LDAPQuery, the atomicity is kept. This may not be very nice
>>>for CLI but should work well for WebUI. Both icalstr1 and icalstr2
>>>need to be encoded as newlines that appear so often in iCalendar
>>>strings would only make a mess here.
>>>
>>>Example of use:
>>>
>>>ipa hbacrule-replace-accesstime rule_name
>>>--orig-time="'BEGIN:VCALENDAR\\r\\nPRODID:-//The Company//iCal4j 1.0//EN\\r\\nVERSION:2.0\\r\\nMETHOD:REQUEST\\r\\nBEGIN:VEVENT\\r\\nUID:1 at company.org\\r\\nDTSTAMP:20160406T112129Z\\r\\nDTSTART:20101115T050000Z\\r\\nDTEND:20101115T070000Z\\r\\nRRULE:FREQ=MONTHLY;INTERVAL=5;BYDAY=MO;BYHOUR=5,6\\r\\nEND:VEVENT\\r\\nEND:VCALENDAR\\r\\n'"
>>>--new-time="'BEGIN:VCALENDAR\\r\\nPRODID:-//The Company//iCal4j 1.0//EN\\r\\nVERSION:2.0\\r\\nMETHOD:REQUEST\\r\\nBEGIN:VEVENT\\r\\nUID:1 at company.org\\r\\nDTSTAMP:20160406T112129Z\\r\\nDTSTART:20101115T050000Z\\r\\nDTEND:20101115T070000Z\\r\\nRRULE:FREQ=MONTHLY;INTERVAL=5;BYDAY=MO,TU;BYHOUR=5,6\\r\\nEND:VEVENT\\r\\nEND:VCALENDAR\\r\\n'"
>>>
>>>
>>>to add Tuesdays to the timespan defined by the rule.
>>I would really like to see a file input support here. It would be
>>simpler to operate in CLI as you would anyway create vCal files -- no
>>sane person is going to deal with these strings directly on the command
>>line.
>>
>That is correct and some basic file support is already in the patches
>I sent earlier, though replacing rules is not a part of it. However,
>it does not solve the problem as you would still need access to the
>files to work with the attributes and then change the files
>accordingly.
>
>However, we've had yet another brainstorm with Petr^2, Martin^2 and
>Honza. We really don't want the above so we came up with some ideas
>that I'm listing below. Note that we also do not want more than one
>VEVENT component in any of the time rules. So, the ideas:
> 1) Have the time rules as separate objects. This approach got most
>support here. Adding Simo and Jakub to CC should they have any input
>against this.
> 2) Have the time rules stored as strings in the multi-valued
>accesstime attribute at each rule. These would be referenced by their
>UID property of the VEVENT component of the iCalendar string (instead
>of that pure hell above). As each of the strings can only contain one
>VEVENT which has to define a UID, the only problem would be to keep
>the uniqueness of UIDs consistent.
>
>From my point of view, 1) seems rather better but your experience
>might be different. Don't hesitate to share your opinions, please.
I'm for time rules as separate objects too. Multi-valued accesstime
attributes would not work well because you cannot really address
attributes by UID.
--
/ Alexander Bokovoy
More information about the Freeipa-devel
mailing list