[Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

Simo Sorce simo at redhat.com
Mon Aug 29 14:51:17 UTC 2016


On Mon, 2016-08-29 at 16:35 +0200, Petr Spacek wrote:
> On 29.8.2016 16:34, Simo Sorce wrote:
> > On Mon, 2016-08-29 at 09:13 +0200, Petr Spacek wrote:
> >> On 26.8.2016 17:40, Simo Sorce wrote:
> >>> On Fri, 2016-08-26 at 11:37 -0400, Simo Sorce wrote:
> >>>> I.e. we could set both "allow" and "allow_with_time" on an object for
> >>>> cases where the admin wants to enforce the time part only on newer
> >>>> clients but otherwise apply the rule to any client.
> >>>
> >>> I notice that SSSD does not like it if there are multiple values on this
> >>> attribute, but we could change this easily in older clients when we
> >>> update them. Worst case the rule will not apply and admins have to
> >>> create 2 rules, one with allow and one with allow_with_time.
> >>
> >> I like the idea in general but it needs proper design and detailed
> >> specification first.
> >>
> >> Given that we have to modify SSSD anyway, I would go for ipaHBACRulev2 object
> >> class with clear definition of "capabilities" (without any obsolete cruft).
> >>
> >> That should be future proof and without any negative impact to existing clients.
> > 
> > ipaHBACRule2 is needed anyway, it is just how it is implemented that
> > differs, I really think we should go the accessRuleType route, I find it
> > superior to messing with objects by ripping off structural objectclasses
> > and replacing them.
> 
> So we are in agreement ;-)

If you liked my proposal then I guess we are, it wasn't clear to me :-)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
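As an added illustration of the compatibility argument in the quoted thread (not code from the thread, FreeIPA or SSSD), this hypothetical Python model compares how a legacy client that parses only a single-valued `accessRuleType` and an updated client that also understands `allow_with_time` would evaluate the same rule; the value names come from the thread, while the time-window shape and the function names are assumptions.

```python
from datetime import datetime, time
from typing import List, Optional, Tuple

# Hypothetical model of the proposal discussed above, not SSSD's real code:
# a rule carries one or more accessRuleType values. "allow" applies the rule
# unconditionally; "allow_with_time" applies it only inside a time window.

Window = Tuple[time, time]


def legacy_client_applies(rule_types: List[str]) -> Optional[bool]:
    """Old client: expects exactly one value. Returns None when the rule
    cannot be parsed (the thread's worst case: the rule simply does not apply)."""
    if len(rule_types) != 1:
        return None  # multi-valued attribute rejected by the old parser
    return rule_types[0] == "allow"


def updated_client_applies(rule_types: List[str], now: datetime,
                           window: Window) -> bool:
    """New client: if "allow_with_time" is present, the time part is enforced
    even when "allow" is also set; a plain "allow" applies unconditionally."""
    types = set(rule_types)
    if "allow_with_time" in types:
        start, end = window
        return start <= now.time() <= end
    return "allow" in types


def two_rule_fallback(now: datetime, window: Window) -> Tuple[bool, bool]:
    """The admin workaround from the thread: two rules, one with "allow" and
    one with "allow_with_time". Returns (legacy_result, updated_result),
    each true if any rule applies on that client."""
    rules = [["allow"], ["allow_with_time"]]
    legacy = any(legacy_client_applies(r) for r in rules)
    updated = any(updated_client_applies(r, now, window) for r in rules)
    return legacy, updated


if __name__ == "__main__":
    office_hours: Window = (time(9, 0), time(17, 0))   # constructed sample
    both = ["allow", "allow_with_time"]
    print("legacy, both values:", legacy_client_applies(both))       # None
    print("updated, 10:00:", updated_client_applies(
        both, datetime(2016, 8, 29, 10, 0), office_hours))             # True
    print("updated, 20:00:", updated_client_applies(
        both, datetime(2016, 8, 29, 20, 0), office_hours))             # False
```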