[Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

Martin Basti mbasti at redhat.com
Fri Aug 26 09:55:53 UTC 2016



On 26.08.2016 11:43, Jan Cholasta wrote:
> Hi,
>
> On 11.8.2016 12:34, Stanislav Laznicka wrote:
>> Hello,
>>
>> I updated the design of the Time-Based HBAC Policies according to the
>> discussion we led here earlier. Please check the design page
>> http://www.freeipa.org/page/V4/Time-Based_Account_Policies. The biggest
>> changes are in the Implementation and Feature Management sections. I
>> also added a short How to Use section.
>
> 1) Please use the 'ipa' prefix for new attributes: memberTimeRule -> 
> ipaMemberTimeRule
>
>
> 2) Source hosts are deprecated and thus should be removed from 
> ipaHBACRuleV2.
>
>
> 3) Since time rules are defined by memberTimeRule, accessTime should 
> be removed from ipaHBACRuleV2.

ad 2) 3)

Because of backward compatibility, ipaHBACRuleV2 must contain all 
attributes from ipaHBACRule as MAY.

With the current approach, when a timerule is added to an HBAC rule, we just change 
the objectclass from 'ipahbacrule' to 'ipahbacrulev2', so we keep all 
attributes that were defined in the older HBAC rule. Removing any attrs from 
ipaHBACRuleV2 can cause a schema violation.


I'm not sure if we want to handle this in code (removing deprecated 
attributes from the HBAC entry when a timerule is added).

I realized that accessTime is MUST for 'ipahbacrule', so when the timerule 
('ipahbacrulev2') is removed and somebody has deleted accessTime, we have to 
add it back.



>
>
> 4) The CLI section needs more work, especially for non-standard 
> commands like timerule-test.
>
>>
>> On the link below is a PROTOTYPE-patched FreeIPA that covers most of the
>> CLI functionality (except for the creation of iCalendar strings from
>> options) for better illustration of the design.
>>
>> https://github.com/stlaz/freeipa/tree/timerules_2
>>
>> I will add FreeIPA people that recently had some say about this to CC so
>> that we can get the discussion flowing.
>
> Honza
>
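An added example, not code from FreeIPA or from anyone in this thread: an offline model of the objectclass switch discussed above ('ipahbacrule' to 'ipahbacrulev2' when a timerule is added, and back when the last one is removed) with a toy MUST/MAY checker. The schema sets, the attribute name ipaMemberTimeRule (following Jan's naming suggestion), the sample DNs and the accessTime value are all assumptions constructed for the example; accessTime is modelled as MUST in 'ipahbacrule' as the mail states. The example shows three things: the in-place objectclass swap passes the check only while v2 keeps every v1 attribute as MAY, it fails once accessTime and sourceHost are dropped from v2, and the downgrade path has to restore accessTime when it was deleted in the meantime.

```python
import copy

# Toy schema for the objectclasses named in the thread (assumption, not FreeIPA's real schema).
# accessTime is MUST in ipahbacrule, as the mail states; v2 keeps every v1 attribute as MAY.
BASE_SCHEMA = {
    "top": {"must": set(), "may": set()},
    "ipahbacrule": {
        "must": {"cn", "accessruletype", "accesstime"},
        "may": {"sourcehost", "sourcehostcategory", "memberuser", "memberhost",
                "memberservice", "description"},
    },
    "ipahbacrulev2": {
        "must": {"cn", "accessruletype"},
        "may": {"accesstime", "sourcehost", "sourcehostcategory", "memberuser",
                "memberhost", "memberservice", "description", "ipamembertimerule"},
    },
}


def stripped_v2_schema():
    """The variant Jan proposes: v2 without the deprecated/legacy attributes."""
    schema = copy.deepcopy(BASE_SCHEMA)
    schema["ipahbacrulev2"]["may"] -= {"accesstime", "sourcehost", "sourcehostcategory"}
    return schema


def schema_violations(entry, schema=BASE_SCHEMA):
    """Return a list of problems for the entry under the schema; [] means it passes."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    must, may = set(), set()
    for cls in classes:
        if cls not in schema:
            return ["unknown objectclass: " + cls]
        must |= schema[cls]["must"]
        may |= schema[cls]["may"]
    present = {a.lower() for a, vals in entry.items() if a.lower() != "objectclass" and vals}
    problems = ["missing MUST attribute: " + a for a in sorted(must - present)]
    problems += ["attribute not allowed by objectclasses: " + a for a in sorted(present - must - may)]
    return problems


def _swap_class(entry, old, new):
    entry["objectclass"] = [c for c in entry["objectclass"] if c.lower() != old] + [new]


def add_timerule(entry, timerule_dn):
    """Attach a timerule: switch the objectclass to v2 in place, keep all other attributes."""
    new = copy.deepcopy(entry)
    if "ipahbacrulev2" not in {c.lower() for c in new["objectclass"]}:
        _swap_class(new, "ipahbacrule", "ipahbacrulev2")
    new.setdefault("ipamembertimerule", [])
    if timerule_dn not in new["ipamembertimerule"]:
        new["ipamembertimerule"].append(timerule_dn)
    return new


def remove_timerule(entry, timerule_dn, accesstime_if_missing):
    """Detach a timerule; when none remain, go back to v1 and restore accessTime if it was deleted."""
    new = copy.deepcopy(entry)
    new["ipamembertimerule"] = [d for d in new.get("ipamembertimerule", []) if d != timerule_dn]
    if not new["ipamembertimerule"]:
        del new["ipamembertimerule"]
        _swap_class(new, "ipahbacrulev2", "ipahbacrule")
        if not new.get("accesstime"):
            # accessTime is MUST in ipahbacrule, so the downgrade must put a value back.
            new["accesstime"] = [accesstime_if_missing]
    return new


# Constructed sample entry: an existing v1 rule that still carries the legacy attributes.
RULE_V1 = {
    "objectclass": ["top", "ipahbacrule"],
    "cn": ["allow_ssh"],
    "accessruletype": ["allow"],
    "accesstime": ["absolute 20160101000000 ~ 20161231000000"],  # constructed value
    "sourcehost": ["fqdn=host1.example.test,cn=computers,cn=accounts,dc=example,dc=test"],
    "memberuser": ["uid=alice,cn=users,cn=accounts,dc=example,dc=test"],
}
TIMERULE_DN = "cn=worktime,cn=timerules,cn=accounts,dc=example,dc=test"  # constructed

if __name__ == "__main__":
    v2 = add_timerule(RULE_V1, TIMERULE_DN)
    print("v1 ok:", schema_violations(RULE_V1) == [])
    print("v2 ok:", schema_violations(v2) == [])
    print("v2 with stripped schema:", schema_violations(v2, stripped_v2_schema()))
    v2_no_at = {k: v for k, v in v2.items() if k != "accesstime"}
    back = remove_timerule(v2_no_at, TIMERULE_DN, "absolute 20160101000000 ~ 20161231000000")
    print("downgraded:", back["objectclass"], back["accesstime"], schema_violations(back) == [])
```

The checker only looks at attribute presence, not syntax or structural/auxiliary class rules, which is enough to show why the in-place swap depends on v2 being a superset of v1 and why the downgrade path needs an explicit accessTime to fall back to.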



