[Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

Simo Sorce simo at redhat.com
Fri Aug 26 14:29:41 UTC 2016


On Fri, 2016-08-26 at 11:55 +0200, Martin Basti wrote:
> 
> On 26.08.2016 11:43, Jan Cholasta wrote:
> > Hi,
> >
> > On 11.8.2016 12:34, Stanislav Laznicka wrote:
> >> Hello,
> >>
> >> I updated the design of the Time-Based HBAC Policies according to the
> >> discussion we led here earlier. Please check the design page
> >> http://www.freeipa.org/page/V4/Time-Based_Account_Policies. The biggest
> >> changes are in the Implementation and Feature Management sections. I
> >> also added a short How to Use section.
> >
> > 1) Please use the 'ipa' prefix for new attributes: memberTimeRule -> 
> > ipaMemberTimeRule
> >
> >
> > 2) Source hosts are deprecated and thus should be removed from 
> > ipaHBACRuleV2.
> >
> >
> > 3) Since time rules are defined by memberTimeRule, accessTime should 
> > be removed from ipaHBACRuleV2.
> 
> ad 2) 3)
> 
> Because of backward compatibility, ipaHBACRuleV2 must contain all 
> attributes from ipaHBACRule as MAY.
> 
> With the current approach, when a timerule is added to an HBAC rule, we just change 
> the objectclass from 'ipahbacrule' to 'ipahbacrulev2', so we keep all 
> attributes that were defined in the older HBAC rule. Removing any attrs from 
> ipaHBACRuleV2 can cause a schema violation.

Is there a good reason to "change" the objectclass instead of just
"adding" to it?
Are v1 and v2 "incompatible" at the object level?
(Sorry, I probably knew the answer last time I looked at it but I somehow
forgot.)

> I'm not sure if we want to handle this in code (removing deprecated 
> attributes from the HBAC entry when a timerule is added).
> 
> I realized that accessTime is MUST for 'ipahbacrule', so when the timerule 
> ('ipahbacrulev2') is removed and somebody has deleted accessTime, we have to 
> add it back.

What is it set to these days ?

Simo.

> 
> 
> >
> >
> > 4) The CLI section needs more work, especially for non-standard 
> > commands like timerule-test.
> >
> >>
> >> On the link below is a PROTOTYPE-patched FreeIPA that covers most of the
> >> CLI functionality (except for the creation of iCalendar strings from
> >> options) for better illustration of the design.
> >>
> >> https://github.com/stlaz/freeipa/tree/timerules_2
> >>
> >> I will add FreeIPA people that recently had some say about this to CC so
> >> that we can get the discussion flowing.
> >
> > Honza
> >
> 


-- 
Simo Sorce * Red Hat, Inc * New York
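The objectclass question above (swap 'ipahbacrule' for 'ipahbacrulev2' versus add the second class, and why dropping sourceHost/accessTime from V2 breaks the swap) can be checked with a small MUST/MAY model. The following is an added example written for this page, not FreeIPA code; the attribute sets in SCHEMA_V2_KEEPS_V1, the sample entry, the time rule DN and the "<legacy value>" accessTime placeholder are all assumptions. Only two facts are taken from the thread: accessTime is MUST for ipahbacrule, and ipahbacrulev2 carries every ipahbacrule attribute as MAY.

```python
"""Toy MUST/MAY schema check for the ipahbacrule -> ipahbacrulev2 transition.

Added example, not FreeIPA code. Attribute sets are ASSUMED for illustration;
only 'accessTime is MUST for ipahbacrule' and 'V2 carries all V1 attributes
as MAY' come from the mailing-list discussion.
"""
from copy import deepcopy


class SchemaViolation(Exception):
    pass


# Hypothetical schema subset, names lower-cased (LDAP attribute names are
# case-insensitive). The real FreeIPA objectclasses carry more attributes.
SCHEMA_V2_KEEPS_V1 = {
    "ipahbacrule": {
        "must": {"cn", "accesstime"},
        "may": {"memberuser", "memberhost", "sourcehost", "description"},
    },
    "ipahbacrulev2": {
        "must": {"cn"},
        "may": {"accesstime", "memberuser", "memberhost", "sourcehost",
                "description", "ipamembertimerule"},
    },
}

# Same schema with sourceHost and accessTime dropped from V2, as review
# points 2) and 3) propose.
SCHEMA_V2_TRIMMED = deepcopy(SCHEMA_V2_KEEPS_V1)
SCHEMA_V2_TRIMMED["ipahbacrulev2"]["may"] -= {"sourcehost", "accesstime"}


def check_entry(entry, schema):
    """Raise SchemaViolation unless entry satisfies MUST/MAY of its objectClasses."""
    attrs = {k.lower(): v for k, v in entry.items()}
    must, may = set(), {"objectclass"}
    for oc in attrs.get("objectclass", []):
        if oc.lower() not in schema:
            raise SchemaViolation("unknown objectClass %s" % oc)
        must |= schema[oc.lower()]["must"]
        may |= schema[oc.lower()]["may"]
    missing = sorted(a for a in must if not attrs.get(a))
    if missing:
        raise SchemaViolation("missing MUST attribute(s): %s" % missing)
    extra = sorted(a for a, v in attrs.items() if v and a not in must | may)
    if extra:
        raise SchemaViolation("attribute(s) not allowed: %s" % extra)
    return True


def swap_objectclass(entry, old, new, schema):
    """The 'change' approach: replace objectClass old with new, then validate."""
    e = deepcopy(entry)
    e["objectClass"] = [new if oc.lower() == old.lower() else oc
                        for oc in e["objectClass"]]
    check_entry(e, schema)
    return e


def add_objectclass(entry, new, schema):
    """The 'adding' alternative: keep the old objectClass and add the new one."""
    e = deepcopy(entry)
    if new.lower() not in (oc.lower() for oc in e["objectClass"]):
        e["objectClass"].append(new)
    check_entry(e, schema)
    return e


def add_time_rule(entry, rule_dn, schema):
    """Attach a time rule: move the entry to V2 and set ipaMemberTimeRule."""
    e = swap_objectclass(entry, "ipahbacrule", "ipahbacrulev2", schema)
    e.setdefault("ipaMemberTimeRule", []).append(rule_dn)
    check_entry(e, schema)
    return e


def remove_time_rules(entry, fallback_access_time, schema):
    """Detach all time rules and move back to V1; re-add accessTime if it was
    deleted while the entry was V2, since it is MUST for ipahbacrule."""
    e = deepcopy(entry)
    e.pop("ipaMemberTimeRule", None)
    if not e.get("accessTime"):
        e["accessTime"] = [fallback_access_time]
    return swap_objectclass(e, "ipahbacrulev2", "ipahbacrule", schema)


# Constructed sample entry (hypothetical DNs); accessTime value is a placeholder.
RULE_V1 = {
    "objectClass": ["ipahbacrule"],
    "cn": ["allow_ssh"],
    "accessTime": ["<legacy value>"],
    "memberUser": ["uid=alice,cn=users,cn=accounts,dc=example,dc=com"],
    "sourceHost": ["fqdn=bastion.example.com,cn=computers,cn=accounts,dc=example,dc=com"],
}
TIME_RULE_DN = "cn=workhours,cn=timerules,cn=accounts,dc=example,dc=com"


def demo():
    """Run the scenarios from the thread and return their outcomes."""
    results = {}
    v2 = add_time_rule(RULE_V1, TIME_RULE_DN, SCHEMA_V2_KEEPS_V1)
    results["swap_with_v1_attrs_as_may"] = v2["objectClass"]
    try:
        add_time_rule(RULE_V1, TIME_RULE_DN, SCHEMA_V2_TRIMMED)
        results["swap_with_trimmed_v2"] = "ok"
    except SchemaViolation as err:          # sourceHost/accessTime no longer allowed
        results["swap_with_trimmed_v2"] = str(err)
    both = add_objectclass(RULE_V1, "ipahbacrulev2", SCHEMA_V2_TRIMMED)
    results["add_with_trimmed_v2"] = both["objectClass"]
    del v2["accessTime"]                    # admin deletes it while the rule is V2
    check_entry(v2, SCHEMA_V2_KEEPS_V1)     # still valid: accessTime is only MAY in V2
    back = remove_time_rules(v2, "<legacy value>", SCHEMA_V2_KEEPS_V1)
    results["restored_access_time"] = back["accessTime"]
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

In this toy model the swap passes only while V2 keeps the V1 attributes as MAY; with the trimmed V2 the swap is rejected because the entry still carries sourceHost and accessTime, whereas adding ipahbacrulev2 alongside ipahbacrule still validates because the V1 class keeps those attributes allowed. Whether that matches the real FreeIPA schema and plugin behaviour is for the design page to settle.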