[Freeipa-devel] Time-based account policies
Nathaniel McCallum
npmccallum at redhat.com
Mon Mar 9 20:05:03 UTC 2015
On Mon, 2015-03-09 at 22:02 +0200, Alexander Bokovoy wrote:
> On Mon, 09 Mar 2015, Simo Sorce wrote:
> > On Mon, 2015-03-09 at 20:55 +0200, Alexander Bokovoy wrote:
> > > On Mon, 09 Mar 2015, Nathaniel McCallum wrote:
> > > > On Mon, 2015-03-09 at 20:22 +0200, Alexander Bokovoy wrote:
> > > > > On Mon, 09 Mar 2015, Jakub Hrozek wrote:
> > > > > > On Mon, Mar 09, 2015 at 04:08:46PM +0100, Martin Kosek
> > > > > > wrote:
> > > > > > > On 03/09/2015 03:58 PM, Alexander Bokovoy wrote:
> > > > > > > > On Mon, 09 Mar 2015, Martin Kosek wrote:
> > > > > > > ...
> > > > > > > > One of bigger issues we had was lack of versatile ical
> > > > > > > > format
> > > > > > > > parser to handle calendar-like specification of events
> > > > > > > > -- we
> > > > > > > > need to allow importing these ones instead of
> > > > > > > > inventing our
> > > > > > > > own.
> > > > > > >
> > > > > > > Good point. I wonder how rigorous we want to be. iCal is
> > > > > > > a
> > > > > > > pretty powerful
> > > > > > > calendaring format. If we want to implement full support
> > > > > > > for it, it would be
> > > > > > > lot of code both on server side for setting it and on
> > > > > > > client
> > > > > > > side for evaluating it (CCing Jakub for reference).
> > > > > > >
> > > > > > > AD itself has much simpler UI for setting the access
> > > > > > > time, a
> > > > > > > table like that:
> > > > > > > http://www.intelliadmin.com/images/Logon%20Hours%20Windows%20Active%20Directory.jpg
> > > > > > >
> > > > > > > IIRC, they only store the bits of "can login/cannot
> > > > > > > login" for the time slots.
> > > > > > > That's another alternative.
> > > > > >
> > > > > > I don't think that's what Alexander meant, I don't think
> > > > > > the
> > > > > > client library should come anywhere close to the iCal
> > > > > > format. We might want to provide a script to convert an
> > > > > > external format, but that's about it.
> > > > > >
> > > > > > I thought we could simply reuse parts of the previous
> > > > > > grammar, maybe simplified. But I agree with Nathaniel (as I
> > > > > > stated also in the private thread) that we should use UTC
> > > > > > where possible.
> > > > > Yes and no. Let me go in details a bit.
> > > > >
> > > > > We need iCal support to allow importing events created by
> > > > > external tools. We don't need to use it as internal format.
> > > > >
> > > > > However, there are quite a lot of details that can be lost
> > > > > if only UTC would be in use for a date as you are ignoring a
> > > > > timezone information completely. Timezone information needs
> > > > > to be kept when importing and not always could be reliably
> > > > > represented in UTC so that conversion from one timezone to
> > > > > another could present quite a problem.
> > > > >
> > > > > See http://www.w3.org/TR/timezone/forsome of
> > > > > recommendations.
> > > >
> > > > I'm fine with a plan like this. I just want the admin to opt-
> > > > in to timezones. Localtime *by default* is fraught with
> > > > pitfalls. If the admin needs local time policy, he should
> > > > specify it exactly and should confirm the local time on
> > > > affected systems.
> > > Yep. We need to make it easy -- probably by allowing to define
> > > timezones as part of host object (like Martin proposed) and
> > > overridden in HBAC service/service group. And all this have to
> > > be very visual in the UI.
> > >
> > > Another problem is how to deal with missing timezone information
> > > at the place where HBAC rule with time rules would need to be
> > > applied. We need to define the way we handle all these
> > > (unavailable, non-parsable and other kinds of errors) timezone
> > > info issues.
> >
> > I would rather punt, than do some crappy thing ala Windows.
+1
> > Local Only or UTC only is always wrong.
+1. It was never my intent to imply this. :)
> > For some tasks 'local' is the only thing that makes sense (your
> > morning alarm clock), for other things 'UTC' is the only thing
> > that make sense (coordinated changes across multiple distributed
> > data centers).
> >
> > Implementing just one or the other is not useful.
> Correct. At this point I think we are more or less in agreement that
> we need to store time rules in UTC plus timezone correction
> information specific to the execution context (HBAC rule, host,
> etc). Handling 'UTC' rule is equivalent to selecting specific
> timezone (GMT+0, for example) so this is a case of more general (UTC
> time, timezone definiton) pairs.
>
> This timezone definition may have aliases forcing HBAC intepretation
> to use local machine defaults if needed but the general scheme stays
> the same.
Agreed.
More information about the Freeipa-devel
mailing list