[Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

Martin Basti mbasti at redhat.com
Fri Aug 26 14:39:31 UTC 2016



On 26.08.2016 16:29, Simo Sorce wrote:
> On Fri, 2016-08-26 at 11:55 +0200, Martin Basti wrote:
>> On 26.08.2016 11:43, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 11.8.2016 12:34, Stanislav Laznicka wrote:
>>>> Hello,
>>>>
>>>> I updated the design of the Time-Based HBAC Policies according to the
>>>> discussion we led here earlier. Please check the design page
>>>> http://www.freeipa.org/page/V4/Time-Based_Account_Policies. The biggest
>>>> changes are in the Implementation and Feature Management sections. I
>>>> also added a short How to Use section.
>>> 1) Please use the 'ipa' prefix for new attributes: memberTimeRule ->
>>> ipaMemberTimeRule
>>>
>>>
>>> 2) Source hosts are deprecated and thus should be removed from
>>> ipaHBACRuleV2.
>>>
>>>
>>> 3) Since time rules are defined by memberTimeRule, accessTime should
>>> be removed from ipaHBACRuleV2.
>> ad 2) 3)
>>
>> Because of backward compatibility, ipaHBACRuleV2 must contain all
>> attributes from ipaHBACRule as MAY
>>
>> With the current approach, when a timerule is added to HBAC, we just change
>> the objectclass from 'ipahbacrule' to 'ipahbacrulev2' so we keep all
>> attributes that were defined in the older HBAC. Removing any attrs from
>> ipaHBACRuleV2 can cause a schema violation.
> Is there a good reason to "change" the objectclass instead of just
> "adding" to it ?
> Are v1 and v2 "incompatible" at the object lvl ?
> (Sorry I probably knew the answer last I looked at it but I somehow
> forgot).


Answered here: 
https://www.redhat.com/archives/freeipa-devel/2016-August/msg00615.html

>> I'm not sure if we want to handle this in code (removing deprecated
>> attributes from the HBAC entry when a timerule is added)
>>
>> I realized that AccessTime is MUST for 'ipahbacrule', so when timerule
>> ('ipahbacrulev2') is removed and somebody deleted accesstime we have to
>> add it back.
> What is it set to these days ?
It was my mistake, AccessTime is MAY

Martin^2
>
> Simo.
>
>>
>>>
>>> 4) The CLI section needs more work, especially for non-standard
>>> commands like timerule-test.
>>>
>>>> On the link below is a PROTOTYPE-patched FreeIPA that covers most of the
>>>> CLI functionality (except for the creation of iCalendar strings from
>>>> options) for better illustration of the design.
>>>>
>>>> https://github.com/stlaz/freeipa/tree/timerules_2
>>>>
>>>> I will add FreeIPA people that recently had some say about this to CC so
>>>> that we can get the discussion flowing.
>>> Honza
>>>
>
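The schema point argued above (swapping the objectclass of an existing HBAC rule entry only stays schema-valid if ipaHBACRuleV2 carries every ipaHBACRule attribute as MAY), as an added Python illustration that is not FreeIPA code. The MUST/MAY lists, the "ipahbacrulev2-strict" class and the sample entry are assumptions constructed for the example, not the real FreeIPA schema.

```python
# Added illustration, not FreeIPA code: a toy model of the MUST/MAY check an
# LDAP server applies on modify, showing why ipaHBACRuleV2 has to keep every
# ipaHBACRule attribute as MAY when an entry's objectclass is swapped.
# Attribute lists are assumptions modelled on the thread, not the real
# FreeIPA schema; names are compared case-insensitively.
SCHEMA = {
    "top": {"must": set(), "may": set()},
    "ipahbacrule": {
        "must": {"cn", "accessruletype", "ipaenabledflag"},
        "may": {"description", "ipauniqueid", "accesstime", "sourcehost",
                "memberuser", "memberhost", "memberservice"}},
    # V2 with the deprecated attributes dropped, as suggested in review
    "ipahbacrulev2-strict": {
        "must": {"cn", "accessruletype", "ipaenabledflag"},
        "may": {"description", "ipauniqueid", "memberuser", "memberhost",
                "memberservice", "ipamembertimerule"}},
    # V2 keeping every ipaHBACRule attribute as MAY (backward compatible)
    "ipahbacrulev2": {
        "must": {"cn", "accessruletype", "ipaenabledflag"},
        "may": {"description", "ipauniqueid", "accesstime", "sourcehost",
                "memberuser", "memberhost", "memberservice",
                "ipamembertimerule"}},
}


def schema_violations(entry):
    """Return (missing_must, not_allowed) for an entry {attr: [values]}."""
    attrs = {a.lower() for a, v in entry.items() if v} - {"objectclass"}
    must, may = set(), set()
    for c in entry.get("objectClass", []):
        must |= SCHEMA[c.lower()]["must"]
        may |= SCHEMA[c.lower()]["may"]
    return must - attrs, attrs - must - may


def change_objectclass(entry, old, new):
    """Copy of entry with objectclass `old` swapped for `new`, as the
    prototype does when a time rule is attached to an HBAC rule."""
    new_entry = dict(entry)
    new_entry["objectClass"] = [new if c.lower() == old.lower() else c
                                for c in entry["objectClass"]]
    return new_entry


# Constructed sample: an existing rule still carrying old-schema attributes.
OLD_RULE = {
    "objectClass": ["top", "ipahbacrule"], "cn": ["allow_ssh"],
    "accessRuleType": ["allow"], "ipaEnabledFlag": ["TRUE"],
    "accessTime": ["periodic daily 0800-1700"],
    "sourceHost": ["fqdn=bastion.example.test"],
}
```

Swapping OLD_RULE to the strict V2 class reports accesstime and sourcehost as not allowed, while the backward-compatible V2 class accepts the entry unchanged.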