[Freeipa-devel] Time-Based Account Policies

Stanislav Laznicka slaznick at redhat.com
Fri Jul 10 10:08:18 UTC 2015


Hi,

Long time no post from me, time to make it up to you.

I have been working on the implementation of the design of time 
policies for HBAC rules on FreeIPA and SSSD sides. Attached is the 
current state of the FreeIPA solution. My comments and notes to the 
solution follow.

The FreeIPA side backend base for time policies in HBAC seems working to 
me but still needs formal testing. Also, there is no conversion from the 
iCal format as previously requested and I personally would postpone this 
feature until the time policies functionality is rock solid.

There were some uncertainties in the design as well. I ran into 2 of 
these but more may come.

The first thing is how to deal with weeks in a month. There are two 
possibilities. A week in month (as specified by the weekofmonth keyword 
in the time policies) may be understood as a period of time between two 
Sundays, so when a month starts on, say, Friday the 1st, weekofmonth=1 
would specify days Friday, Saturday, Sunday and anything from that 
Sunday on would be a weekofmonth=2 and on. However, I think a week in a 
month may also be considered a period of time that equals 7 days of a 
month. In the previous example, a weekofmonth=1 would therefore also 
apply to the following days up until Friday the 8th, excluding this last 
day. Although I implemented the first case in the SSSD, I actually 
started thinking the second case scenario might be the right or "better" 
one.

The other thing is which years should be allowed to be the input of the 
"year" keyword. Currently, I set the range for these values to 1970-2038 
according to the Unix timestamp. I'm not sure if anyone would want to 
set it to less than 1970; setting it to a higher value than 2038 might 
probably make sense in some very special cases, although I really can't 
think of one.

As for the WebUI, I am not really satisfied with the current state - the 
time zone select button requires saving the rule before any further 
setting on the page and the tables for setting the time rules don't 
allow editing the rules, which gets annoying fast. The WebUI for the 
time policies in HBAC was created for my Master's thesis purposes in a 
hurry and I will probably need to discuss it some more with Petr V. It 
works well for basic display and add/remove of the time rules, though.

So, that is what I do now, aside from SSSD functionality. Please, let me 
know what your ideas are, especially about those weekofmonth and year 
issues.

Cheers,
Stanislav Laznicka
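The two readings of weekofmonth described in the mail, worked through in code. This is an added illustration, not code from the attached patches or from FreeIPA/SSSD; it uses May 2015 (which starts on a Friday, as in the mail's example) and assumes, for the Sunday-bounded reading, that the first Sunday still belongs to week 1 and the following Monday starts week 2. The 1970-2038 range proposed for the "year" keyword is shown as a plain range check.

```python
"""Worked example of the two 'weekofmonth' readings from the mail (added here)."""
import calendar
from datetime import date

# Range proposed in the mail for the "year" keyword; 2038 is where a
# signed 32-bit time_t runs out (2038-01-19).
YEAR_MIN, YEAR_MAX = 1970, 2038


def week_of_month_by_sunday(d):
    """Reading 1: weeks are bounded by Sundays. Week 1 runs from the 1st to
    the first Sunday inclusive (assumption); each Monday starts a new week.
    calendar.monthdayscalendar() with a Monday start yields exactly this."""
    cal = calendar.Calendar(firstweekday=calendar.MONDAY)
    for index, week in enumerate(cal.monthdayscalendar(d.year, d.month), start=1):
        if d.day in week:
            return index
    raise AssertionError("day not found in its own month")  # unreachable


def week_of_month_by_seven_days(d):
    """Reading 2: week N is the N-th block of seven days counted from the 1st."""
    return (d.day - 1) // 7 + 1


def days_in_week(year, month, weekofmonth, reader):
    """Day numbers of the month that a rule with this weekofmonth value
    would match under the chosen reading (reader is one of the two above)."""
    _, last_day = calendar.monthrange(year, month)
    return [day for day in range(1, last_day + 1)
            if reader(date(year, month, day)) == weekofmonth]


def validate_year(year):
    """Reject values outside the proposed 1970-2038 range for 'year'."""
    if not YEAR_MIN <= year <= YEAR_MAX:
        raise ValueError("year must be between %d and %d, got %d"
                         % (YEAR_MIN, YEAR_MAX, year))
    return year


if __name__ == "__main__":
    # May 2015 starts on a Friday, the case used in the mail.
    for name, reader in (("Sunday-bounded", week_of_month_by_sunday),
                         ("seven-day blocks", week_of_month_by_seven_days)):
        print("%s: weekofmonth=1 matches days %s"
              % (name, days_in_week(2015, 5, 1, reader)))
    # August 2015 starts on a Saturday: the Sunday-bounded reading needs a
    # sixth week for the 31st, the seven-day reading never goes above 5.
    print("Aug 31 2015:", week_of_month_by_sunday(date(2015, 8, 31)),
          "vs", week_of_month_by_seven_days(date(2015, 8, 31)))
```

Besides the different day sets for weekofmonth=1, the two readings also differ in their value range: Sunday-bounded weeks can produce a week 6 (a 31-day month starting on Saturday, with Monday as the first weekday), whereas seven-day blocks never exceed 5. Whichever reading is chosen, the allowed weekofmonth values on the FreeIPA side and the evaluation in SSSD should agree on it.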
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Added-time-based-policies-types-to-LDAP-schema.patch
Type: text/x-patch
Size: 3033 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150710/7278967f/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Prepared-parameters-for-HBAC-Rule-plugin-time-polici.patch
Type: text/x-patch
Size: 13194 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150710/7278967f/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-Added-methods-for-setting-time-based-policies-in-hba.patch
Type: text/x-patch
Size: 21938 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150710/7278967f/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-Created-basic-UI-for-setting-the-time-based-policies.patch
Type: text/x-patch
Size: 130585 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150710/7278967f/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0005-Time-zone-select-styled-properly.patch
Type: text/x-patch
Size: 104188 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150710/7278967f/attachment-0004.bin>