[Freeipa-devel] Time-Based Account Policies
Martin Basti
mbasti at redhat.com
Fri Jul 10 14:17:06 UTC 2015
On 10/07/15 12:08, Stanislav Laznicka wrote:
> Hi,
>
> Long time no post from me, time to make it up to you.
>
> I have been working on the implementation of the design of time
> policies for HBAC rules on FreeIPA and SSSD sides. Attached is the
> current state of the FreeIPA solution. My comments and notes to the
> solution follow.
>
> The FreeIPA side backend base for time policies in HBAC seems working
> to me but still needs formal testing. Also, there is no conversion
> from the iCal format as previously requested and I personally would
> postpone this feature until the time policies functionality is rock
> solid.
>
> There were some uncertainties in the design as well. I ran into 2 of
> these but more may come.
>
> The first thing is how to deal with weeks in a month. There are two
> possibilities. A week in month (as specified by the weekofmonth
> keyword in the time policies) may be understood as a period of time
> between two Sundays, so when a month starts on, say, Friday the 1st,
> weekofmonth=1 would specify days Friday, Saturday, Sunday and anything
> from that Sunday on would be a weekofmonth=2 and on. However, I think
> a week in a month may also be considered a period of time that equals
> 7 days of a month. In the previous example, a weekofmonth=1 would
> therefore also apply to the following days up until Friday the 8th,
> excluding this last day. Although I implemented the first case in the
> SSSD, I actually started thinking the second case scenario might be
> the right or "better" one.
>
> The other thing is which years should be allowed to be the input of
> the "year" keyword. Currently, I set the range for these values to
> 1970-2038 according to the Unix timestamp. I'm not sure if anyone
> would want to set it less than 1970, setting it for a higher value
> than 2038 might probably make sense in some very special cases,
> although I really can't think of one.
>
> As for the WebUI, I am not really satisfied with the current state -
> the time zone select button requires saving the rule before any
> further setting on the page and the tables for setting the time rules
> don't allow editing the rules, which gets annoying fast. The WebUI for
> the time policies in HBAC was created for my Master's thesis purposes
> in a hurry and I will probably need to discuss it some more with Petr
> V. It works well for basic display and add/remove of the time rules,
> though.
>
> So, that is what I do now, aside from SSSD functionality. Please, let
> me know what your ideas are, especially about those weekofmonth and
> year issues.
>
> Cheers,
> Stanislav Laznicka
>
>
Please revert this change, 'replaces' keyword is used only for legacy
permission. Changes in new permissions are handled automatically by
update plugin.
'replaces': [
- '(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target ="ldap:///ipauniqueid=*,cn=hbac,$SUFFIX")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn ="ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,$SUFFIX";)',
+ '(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || timezone || accesstime || accesstimeexclude || usercategory || hostcategory || accessruletype || sourcehost")(target ="ldap:///ipauniqueid=*,cn=hbac,$SUFFIX")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn ="ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,$SUFFIX";)',
],
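Review bot: the `+` line rewrites the legacy ACI string kept under `replaces` to add `timezone` and `accesstimeexclude`; that string is the record of the pre-existing ACI the update plugin matches when it migrates the legacy "Modify HBAC rule" permission, so it should stay byte-for-byte as on the `-` line, and the two new attributes belong in the managed permission's own attribute definition, which the update plugin applies automatically. After the change, verify that the "Modify HBAC rule" permission grants write on `timezone`, `accesstime` and `accesstimeexclude` and that the legacy ACI is still recognized on upgrade.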
Martin
--
Martin Basti
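The two readings of weekofmonth discussed in the thread, as an added example that is not part of the thread or of FreeIPA/SSSD code; the function names and the sample months are constructed for illustration:

```python
import calendar
from datetime import date

# Illustration code (not FreeIPA or SSSD code) showing how the two
# "weekofmonth" interpretations from the thread disagree.

def week_of_month_sunday_bounded(d: date) -> int:
    """Interpretation 1: a week ends on a Sunday.

    Week 1 runs from the 1st through the first Sunday of the month (it may
    be as short as one day); week 2 starts on the following Monday.
    """
    first = d.replace(day=1)
    # date.weekday(): Monday == 0 ... Sunday == 6, so a month starting on
    # Friday (4) has 7 - 4 = 3 days in its first week: Fri, Sat, Sun.
    days_in_first_week = 7 - first.weekday()
    if d.day <= days_in_first_week:
        return 1
    return 2 + (d.day - days_in_first_week - 1) // 7


def week_of_month_seven_days(d: date) -> int:
    """Interpretation 2: week n covers days 7(n-1)+1 .. 7n of the month."""
    return (d.day - 1) // 7 + 1


def rule_applies(d: date, weekofmonth: int, sunday_bounded: bool) -> bool:
    """Evaluate a weekofmonth=N constraint under the chosen interpretation."""
    week = (week_of_month_sunday_bounded(d) if sunday_bounded
            else week_of_month_seven_days(d))
    return week == weekofmonth


def disagreeing_days(year: int, month: int) -> list:
    """Days of the month on which the two interpretations give different
    weeks, i.e. where a weekofmonth rule would grant or deny differently."""
    _, ndays = calendar.monthrange(year, month)
    return [day for day in range(1, ndays + 1)
            if week_of_month_sunday_bounded(date(year, month, day))
            != week_of_month_seven_days(date(year, month, day))]


if __name__ == "__main__":
    # May 2015 starts on a Friday (the thread's example); June 2015 on a Monday.
    for y, m in ((2015, 5), (2015, 6)):
        print(f"{calendar.month_name[m]} {y}: interpretations differ on days",
              disagreeing_days(y, m))
```

For a month that starts on a Monday the two interpretations coincide; for one that starts on a Friday they disagree on more than half of its days, which is why the choice matters for which days an HBAC rule actually allows.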