[Freeipa-users] Overall Design of Policy Related Components

Dmitri Pal dpal at redhat.com
Tue Nov 1 01:49:23 UTC 2011


On 10/31/2011 05:20 PM, Rodney Mercer wrote:
> We have previously developed Solaris RBAC authorization within our
> application to validate users and roles to our application's internal
> commanding capability using the definitions that populate the name
> service switch maps. 
>
> I have been searching for a method for implementing similar capability
> using RHEL and had found promise with the following proposed
> documentation for IPAv2:
> http://freeipa.org/page/Overall_Design_of_Policy_Related_Components#Adding_Support_for_New_applications
>
>
> However backing up within the documentation, I see that this Policy
> Related Component capability is being deferred.
> http://www.freeipa.org/page/IPAv2_development_status
>
> Is there a defined timeline when the Policy Related Components support
> for New applications will move forward and be adopted for a RHEL6 update
> release?

We decided to back away from trying to provide central RBAC. Our
experience with multiple projects revealed that there is no one size
fits all solution regarding RBAC. But we were talking about a general
role-based access control model, not specific RBAC as Solaris implemented it.
The Solaris RBAC is similar to sudo and HBAC combined together. Both
features are managed by IPA.
We also have SELinux policies on Linux that can constrain the root
access. The user SELinux roles management is on the roadmap but HBAC +
SUDO should give you the equivalent if not more functionality than
Solaris RBAC.
http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/index.html

Or you can use RHEL6.2 beta and see the docs about SUDO and HBAC there.



> Thanks and regards,
> Rodney.
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

