[Freeipa-devel] [DESIGN] Time-Based HBAC Policies

Jan Cholasta jcholast at redhat.com
Wed May 18 10:38:35 UTC 2016 

On 18.5.2016 12:23, Petr Spacek wrote:
> On 18.5.2016 08:25, Stanislav Laznicka wrote:
>> On 05/17/2016 12:40 PM, Petr Spacek wrote:
>>> On 13.5.2016 13:50, Stanislav Laznicka wrote:
>>>> Hello list,
>>>>
>>>> We had a discussion today over integrating the Time Rules into the CLI and
>>>> WebUI and a problem came up with with the current solution. It seems that
>>>> while having templating handled by CoSTemplates might be nice in terms of easy
>>>> dereferencing on SSSD side (it's handled by the DS itself), it's not really
>>>> much possible to pick one string from the multi-valued accesstime attribute of
>>>> HBAC Rule object and modify it.
>>> Could you be more specific?
>>>
>>> AFAIK LDAP protocol allows this. Where is the problem?
>>>
>>> Petr^2 Spacek
>> I should have added we're talking CLI and WebUI here.
>>
>> Imagine you have 5 values of the accesstime attribute, each one is about 10
>> lines of iCal string, and want to change one:
>>
>> ipa hbacrule-mod-accesstime rule_name --time=???
>
> I see. In DNS plugin we do it this way:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/managing-master-dns-zones.html#examples-add-modify-record-cli
>
> $ ipa dnsrecord-mod example.com www --a-rec 192.0.2.123 --a-ip-address 192.0.2.1
>
> I would argue that naming of the options is weird so something easier to
> understand could be made. E.g.
> $ ipa hbacrule-mod-accesstime rule_name --orig-time=??? --time=???

NACK, the dns plugin should not be used as an example for anything, as 
it breaks almost every convention in the framework.

Removing and adding of particular accesstime values should be done by a 
pair of commands, "hbacrule-add-accesstime rule_name accesstime" and 
"hbacrule-remove-accesstime rule_name accesstime".

>
> Petr^2 Spacek
>
>>>> We were thinking of a solution discussed way earlier - having our own time
>>>> rule objects that could be referenced from each HBAC rule. That way, any time
>>>> rule could be modified easily. As the HBAC rules are cached on the SSSD side
>>>> periodically using the deref plugin, there should be no problem of
>>>> inconsistency with the server database.
>>>>
>>>> The original reasoning pro and against the proposed solution could be found on
>>>> the pad http://pad.engineering.redhat.com/ipa-time-based-HBAC-design. It would
>>>> be really nice to hear your opinions and ideas that could help us overcome
>>>> this problem.
>>>>
>>>> Thank you,
>>>> Standa
>


-- 
Jan Cholasta

More information about the Freeipa-devel mailing list