[Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

Martin Basti mbasti at redhat.com
Fri Aug 26 10:21:04 UTC 2016



On 26.08.2016 12:13, Jan Cholasta wrote:
> On 26.8.2016 11:55, Martin Basti wrote:
>>
>>
>> On 26.08.2016 11:43, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 11.8.2016 12:34, Stanislav Laznicka wrote:
>>>> Hello,
>>>>
>>>> I updated the design of the Time-Based HBAC Policies according to the
>>>> discussion we led here earlier. Please check the design page
>>>> http://www.freeipa.org/page/V4/Time-Based_Account_Policies. The 
>>>> biggest
>>>> changes are in the Implementation and Feature Management sections. I
>>>> also added a short How to Use section.
>>>
>>> 1) Please use the 'ipa' prefix for new attributes: memberTimeRule ->
>>> ipaMemberTimeRule
>>>
>>>
>>> 2) Source hosts are deprecated and thus should be removed from
>>> ipaHBACRuleV2.
>>>
>>>
>>> 3) Since time rules are defined by memberTimeRule, accessTime should
>>> be removed from ipaHBACRuleV2.
>>
>> ad 2) 3)
>>
>> Because of backward compatibility, ipaHBACRuleV2 must contain all
>> attributes from ipaHBACRule as MAY
>
> Not true.
>
>>
>> With the current approach, when a timerule is added to HBAC, we just change
>> objectclass from 'ipahbacrule' to 'ipahbacrulev2' so we keep all
>> attributes that were defined in the older HBAC. Removing any attrs from
>> ipaHBACRuleV2 can cause a schema violation.
>
> Which is perfectly fine.
>
>>
>>
>> I'm not sure if we want to handle this in code (removing deprecated
>> attributes from the HBAC entry when a timerule is added)
>
> We don't have to do anything. If any of the deprecated attributes are 
> present when you change the object class (which they shouldn't 
> anyway), you'll get a schema violation, otherwise it will work just fine.

I'm not sure if this is user friendly.

>
>>
>> I realized that AccessTime is MUST for 'ipahbacrule', so when a timerule
>> ('ipahbacrulev2') is removed and somebody has deleted accesstime, we have to
>> add it back.
>
> It is MAY. The only MUST attribute is accessRuleType, but that is 
> deprecated as well and should be removed from ipaHBACRuleV2. We only 
> support allow rules, so when timerule is removed, that's the value you 
> set accessRuleType to.
>
Right, sorry.
Martin^2

>>
>>
>>
>>>
>>>
>>> 4) The CLI section needs more work, especially for non-standard
>>> commands like timerule-test.
>>>
>>>>
>>>> On the link below is a PROTOTYPE-patched FreeIPA that covers most 
>>>> of the
>>>> CLI functionality (except for the creation of iCalendar strings from
>>>> options) for better illustration of the design.
>>>>
>>>> https://github.com/stlaz/freeipa/tree/timerules_2
>>>>
>>>> I will add FreeIPA people that recently had some say about this to 
>>>> CC so
>>>> that we can get the discussion flowing.
>>>
>>> Honza
>>>
>>
>
>
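The object class swap debated above, as an added example that is not from the thread or from the FreeIPA code base: a pure-Python helper that builds the LDAP modification list for attaching a time rule (upgrading to ipahbacrulev2, either refusing when deprecated attributes are present or stripping them in the same write) and for detaching the last time rule (downgrading and restoring accessRuleType=allow). The attribute names, the MOD_* constants mirroring python-ldap, and the sample entries are assumptions constructed from the thread, not read from the live schema.

```python
from typing import Dict, List, Tuple

# Constants mirror python-ldap's ldap.MOD_* values (assumption; no server needed).
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2
Entry = Dict[str, List[bytes]]
Modlist = List[Tuple[int, str, List[bytes]]]

V1_OC, V2_OC = b"ipahbacrule", b"ipahbacrulev2"
# Attributes the thread says must not remain on an ipaHBACRuleV2 entry.
DEPRECATED_IN_V2 = ("sourcehost", "accesstime", "accessruletype")
TIME_RULE_ATTR = "ipamembertimerule"  # 'ipa' prefix, as requested in point 1


def _norm(entry: Entry) -> Entry:
    # LDAP attribute names are case-insensitive; compare in lower case.
    return {k.lower(): list(v) for k, v in entry.items()}


def schema_conflicts(entry: Entry) -> List[str]:
    """Deprecated attributes that would make the swap to ipahbacrulev2 fail."""
    e = _norm(entry)
    return [a for a in DEPRECATED_IN_V2 if e.get(a)]


def add_time_rule(entry: Entry, rule_dn: bytes, strip_deprecated: bool) -> Modlist:
    """Modlist that attaches a time rule and upgrades the entry to ipahbacrulev2.
    strip_deprecated=False reproduces the thread's 'do nothing' option: the
    server would reject the write with an objectClassViolation, so we refuse
    up front. True deletes the offending attributes in the same operation."""
    e = _norm(entry)
    conflicts = schema_conflicts(e)
    if conflicts and not strip_deprecated:
        raise ValueError("objectClassViolation expected: " + ", ".join(conflicts))
    mods: Modlist = [(MOD_DELETE, a, e[a]) for a in conflicts]
    new_oc = [oc for oc in e.get("objectclass", []) if oc.lower() != V1_OC] + [V2_OC]
    mods.append((MOD_REPLACE, "objectclass", new_oc))
    mods.append((MOD_ADD, TIME_RULE_ATTR, [rule_dn]))
    return mods


def remove_time_rule(entry: Entry, rule_dn: bytes) -> Modlist:
    """Detach a time rule; if it was the last one, downgrade to ipahbacrule and
    restore the MUST attribute accessRuleType=allow (only allow rules exist)."""
    e = _norm(entry)
    mods: Modlist = [(MOD_DELETE, TIME_RULE_ATTR, [rule_dn])]
    if [d for d in e.get(TIME_RULE_ATTR, []) if d != rule_dn]:
        return mods  # other time rules remain, so the object class stays v2
    new_oc = [oc for oc in e.get("objectclass", []) if oc.lower() != V2_OC] + [V1_OC]
    mods.append((MOD_REPLACE, "objectclass", new_oc))
    if not e.get("accessruletype"):
        mods.append((MOD_ADD, "accessruletype", [b"allow"]))
    return mods
```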