[Freeipa-devel] Time-Based Account Policies

Martin Basti mbasti at redhat.com
Fri Jul 10 14:17:06 UTC 2015


On 10/07/15 12:08, Stanislav Laznicka wrote:
> Hi,
>
> Long time no post from me, time to make it up to you.
>
> I have been working on the implementation of the design of time 
> policies for HBAC rules on FreeIPA and SSSD sides. Attached is the 
> current state of the FreeIPA solution. My comments and notes to the 
> solution follow.
>
> The FreeIPA side backend base for time policies in HBAC seems working 
> to me but still needs formal testing. Also, there is no conversion 
> from the iCal format as previously requested and I personally would 
> postpone this feature until the time policies functionality is rock 
> solid.
>
> There were some uncertainties in the design as well. I ran into 2 of 
> these but more may come.
>
> The first thing is how to deal with weeks in a month. There are two 
> possibilities. A week in month (as specified by the weekofmonth 
> keyword in the time policies) may be understood as a period of time 
> between two Sundays, so when a month starts on, say, Friday the 1st, 
> weekofmonth=1 would specify days Friday, Saturday, Sunday and anything 
> from that Sunday on would be a weekofmonth=2 and so on. However, I think 
> a week in a month may also be considered a period of time that equals 
> 7 days of a month. In the previous example, a weekofmonth=1 would 
> therefore also apply to the following days up until Friday the 8th, 
> excluding this last day. Although I implemented the first case in the 
> SSSD, I actually started thinking the second case scenario might be 
> the right or "better" one.
>
> The other thing is which years should be allowed to be the input of 
> the "year" keyword. Currently, I set the range for these values to 
> 1970-2038 according to the Unix timestamp. I'm not sure if anyone 
> would want to set it less than 1970, setting it for a higher value 
> than 2038 might probably make sense in some very special cases, 
> although I really can't think of one.
>
> As for the WebUI, I am not really satisfied with the current state - 
> the time zone select button requires saving the rule before any 
> further setting on the page and the tables for setting the time rules 
> don't allow editing the rules, which gets annoying fast. The WebUI for 
> the time policies in HBAC was created for my Master's thesis purposes 
> in a hurry and I will probably need to discuss it some more with Petr 
> V. It works well for basic display and add/remove of the time rules, 
> though.
>
> So, that is what I do now, aside from SSSD functionality. Please, let 
> me know what your ideas are, especially about those weekofmonth and 
> year issues.
>
> Cheers,
> Stanislav Laznicka
>
>
Please revert this change; the 'replaces' keyword is used only for legacy 
permissions. Changes in new permissions are handled automatically by the 
update plugin.

              'replaces': [
-                '(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target ="ldap:///ipauniqueid=*,cn=hbac,$SUFFIX")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn ="ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,$SUFFIX";)',
+                '(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || timezone || accesstime || accesstimeexclude || usercategory || hostcategory || accessruletype || sourcehost")(target ="ldap:///ipauniqueid=*,cn=hbac,$SUFFIX")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn ="ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,$SUFFIX";)',
              ],
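Review bot: the `+` line edits the ACI string under 'replaces' to add `timezone` and `accesstimeexclude` to its targetattr list, but as noted above 'replaces' only records the legacy ACI that the update plugin matches and replaces; altering that text does not add the attributes to the current permission and means the entry no longer describes the old ACI. Restore the original `-` line and declare the two new attributes in the managed permission's own attribute definition instead.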


Martin

-- 
Martin Basti
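To make the two weekofmonth readings from Stanislav's quoted post concrete, here is an added example (not code from the patch, FreeIPA or SSSD) that computes week-of-month under both readings and lists the days of a month on which they disagree. It assumes the first reading means Monday-to-Sunday weeks with week 1 running from the 1st through the first Sunday, and the second means fixed 7-day blocks starting on the 1st; it also shows that the first reading can yield a week 6, which matters for the range a policy keyword is allowed to take.

```python
from datetime import date
import calendar

SUNDAY = 6  # date.weekday(): Monday == 0 ... Sunday == 6


def week_of_month_calendar(d: date) -> int:
    """Reading 1 (assumed): weeks are Monday..Sunday, delimited by Sundays.
    Week 1 runs from the 1st through the first Sunday of the month."""
    first = d.replace(day=1)
    days_in_week1 = SUNDAY - first.weekday() + 1  # 1..7 days
    if d.day <= days_in_week1:
        return 1
    return 2 + (d.day - days_in_week1 - 1) // 7


def week_of_month_seven_day(d: date) -> int:
    """Reading 2 (assumed): week n covers days 7*(n-1)+1 .. 7*n of the month."""
    return (d.day - 1) // 7 + 1


def rule_matches(d: date, weekofmonth: int, calendar_weeks: bool) -> bool:
    """Evaluate a hypothetical 'weekofmonth=N' rule against a date under one reading."""
    f = week_of_month_calendar if calendar_weeks else week_of_month_seven_day
    return f(d) == weekofmonth


def disagreeing_days(year: int, month: int) -> list:
    """Days of the month on which the two readings assign different week numbers."""
    ndays = calendar.monthrange(year, month)[1]
    return [day for day in range(1, ndays + 1)
            if week_of_month_calendar(date(year, month, day))
            != week_of_month_seven_day(date(year, month, day))]


def max_week(year: int, month: int, calendar_weeks: bool) -> int:
    """Highest weekofmonth value the reading can produce for this month."""
    last = date(year, month, calendar.monthrange(year, month)[1])
    return (week_of_month_calendar if calendar_weeks else week_of_month_seven_day)(last)


if __name__ == "__main__":
    # May 2015 starts on a Friday, the case used in the post.
    for day in (1, 3, 4, 8):
        d = date(2015, 5, day)
        print(d, week_of_month_calendar(d), week_of_month_seven_day(d))
    print("days that differ in May 2015:", disagreeing_days(2015, 5))
    print("max week, Aug 2015:", max_week(2015, 8, True), max_week(2015, 8, False))
```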
