[Freeipa-devel] Time-Based Account Policies

Stanislav Laznicka slaznick at redhat.com
Mon Jul 13 06:16:02 UTC 2015


On 07/10/2015 04:17 PM, Martin Basti wrote:
> On 10/07/15 12:08, Stanislav Laznicka wrote:
>> Hi,
>>
>> Long time no post from me, time to make it up to you.
>>
>> I have been working on the implementation of the design of time 
>> policies for HBAC rules on FreeIPA and SSSD sides. Attached is the 
>> current state of the FreeIPA solution. My comments and notes to the 
>> solution follow.
>>
>> The FreeIPA side backend base for time policies in HBAC seems working 
>> to me but still needs formal testing. Also, there is no conversion 
>> from the iCal format as previously requested and I personally would 
>> postpone this feature until the time policies functionality is rock 
>> solid.
>>
>> There were some uncertainties in the design as well. I ran into 2 of 
>> these but more may come.
>>
>> The first thing is how to deal with weeks in a month. There are two 
>> possibilities. A week in month (as specified by the weekofmonth 
>> keyword in the time policies) may be understood as a period of time 
>> between two Sundays, so when a month starts on, say, Friday the 1st, 
>> weekofmonth=1 would specify days Friday, Saturday, Sunday and 
>> anything from that Sunday on would be a weekofmonth=2 and on. 
>> However, I think a week in a month may also be considered a period of 
>> time that equals 7 days of a month. In the previous example, a 
>> weekofmonth=1 would therefore also apply to the following days up 
>> until Friday the 8th, excluding this last day. Although I implemented 
>> the first case in the SSSD, I actually started thinking the second 
>> case scenario might be the right or "better" one.
>>
>> The other thing is which years should be allowed to be the input of 
>> the "year" keyword. Currently, I set the range for these values to 
>> 1970-2038 according to the Unix timestamp. I'm not sure if anyone 
>> would want to set it less than 1970, setting it for a higher value 
>> than 2038 might probably make sense in some very special cases, 
>> although I really can't think of one.
>>
>> As for the WebUI, I am not really satisfied with the current state - 
>> the time zone select button requires saving the rule before any 
>> further setting on the page and the tables for setting the time rules 
>> don't allow editing the rules, which gets annoying fast. The WebUI 
>> for the time policies in HBAC was created for my Master's thesis 
>> purposes in a hurry and I will probably need to discuss it some more 
>> with Petr V. It works well for basic display and add/remove of the 
>> time rules, though.
>>
>> So, that is what I do now, aside from SSSD functionality. Please, let 
>> me know what your ideas are, especially about those weekofmonth and 
>> year issues.
>>
>> Cheers,
>> Stanislav Laznicka
>>
>>
> Please revert this change, the 'replaces' keyword is used only for the legacy 
> permission. Changes in new permissions are handled automatically by the 
> update plugin.
>
>               'replaces': [
> -                '(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || accesstime || usercategory || hostcategory || accessruletype || sourcehost")(target ="ldap:///ipauniqueid=*,cn=hbac,$SUFFIX")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn ="ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,$SUFFIX";)',
> +                '(targetattr = "servicecategory || sourcehostcategory || cn || description || ipaenabledflag || timezone || accesstime || accesstimeexclude || usercategory || hostcategory || accessruletype || sourcehost")(target ="ldap:///ipauniqueid=*,cn=hbac,$SUFFIX")(version 3.0;acl "permission:Modify HBAC rule";allow (write) groupdn ="ldap:///cn=Modify HBAC rule,cn=permissions,cn=pbac,$SUFFIX";)',
>               ],
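Review bot: the two new attributes (`timezone`, `accesstimeexclude`) are added only to the 'replaces' ACI string, which the reply above notes is kept solely for the legacy permission and is updated automatically by the update plugin; this hunk should be reverted and the attributes declared where the current "Modify HBAC rule" permission lists its writable attributes, otherwise the new permission never grants write access to them. The spelling of both names in any targetattr list must also match the LDAP schema added in the 0001 patch exactly.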
>
> Martin
> -- 
> Martin Basti
Attaching the sequence of fixed patches.
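The two readings of weekofmonth from the quoted message, side by side, with the days on which they disagree. This is an added example, not code from the attached patches or from FreeIPA or SSSD; the function names are its own, and it assumes that under the Sunday-delimited reading the first partial week runs through the first Sunday inclusive.

```python
import calendar
import datetime

# Added example (not FreeIPA or SSSD code) contrasting the two readings of
# the HBAC time-policy ``weekofmonth`` keyword. Helper names are the
# example's own; the two policy semantics are the ones from the thread.


def week_of_month_sunday_bound(day: datetime.date) -> int:
    """Reading 1: weeks are delimited by Sundays.

    Assumption: the days from the 1st up to and including the first Sunday
    form week 1 (the thread lists "Friday, Saturday, Sunday" for a month
    starting on Friday); the following Monday opens week 2.
    """
    first = day.replace(day=1)
    # date.weekday(): Monday == 0 ... Sunday == 6
    first_sunday = 1 + (6 - first.weekday()) % 7
    if day.day <= first_sunday:
        return 1
    return 2 + (day.day - first_sunday - 1) // 7


def week_of_month_seven_days(day: datetime.date) -> int:
    """Reading 2: a week is a block of seven calendar days (1-7, 8-14, ...)."""
    return (day.day - 1) // 7 + 1


def divergent_days(year: int, month: int) -> list:
    """Days of the month on which the two readings assign different weeks.

    An HBAC rule restricted with ``weekofmonth`` grants or denies access
    differently on exactly these days, which is why the choice matters.
    """
    _, ndays = calendar.monthrange(year, month)
    days = (datetime.date(year, month, d) for d in range(1, ndays + 1))
    return [d.day for d in days
            if week_of_month_sunday_bound(d) != week_of_month_seven_days(d)]


def year_in_policy_range(year: int) -> bool:
    """The thread's proposed bound for the ``year`` keyword: 1970-2038,
    the years representable by a 32-bit Unix timestamp."""
    return 1970 <= year <= 2038


if __name__ == "__main__":
    # May 2015 began on a Friday (the thread's scenario); June 2015 on a Monday.
    print("May 2015 differs on days:", divergent_days(2015, 5))
    print("June 2015 differs on days:", divergent_days(2015, 6))
```

The readings coincide only for months that start on a Monday; for a month starting on Friday they disagree on four days of every week.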
Attached patches (non-text attachments, scrubbed by the archive; all text/x-patch):
- freeipa-stlaz-0001-Added-time-based-policies-types-to-LDAP-schema.patch (3064 bytes): <http://listman.redhat.com/archives/freeipa-devel/attachments/20150713/1707fea3/attachment.bin>
- freeipa-stlaz-0002-Prepared-parameters-for-HBAC-Rule-plugin-time-polici.patch (13408 bytes): <http://listman.redhat.com/archives/freeipa-devel/attachments/20150713/1707fea3/attachment-0001.bin>
- freeipa-stlaz-0003-Added-methods-for-setting-time-based-policies-in-hba.patch (21400 bytes): <http://listman.redhat.com/archives/freeipa-devel/attachments/20150713/1707fea3/attachment-0002.bin>
- freeipa-stlaz-0004-Created-basic-UI-for-setting-time-policies-at-HBAC-r.patch (17675 bytes): <http://listman.redhat.com/archives/freeipa-devel/attachments/20150713/1707fea3/attachment-0003.bin>