[Freeipa-users] Overall Design of Policy Related Components

Dmitri Pal dpal at redhat.com
Wed Nov 2 00:50:13 UTC 2011


On 11/01/2011 04:09 AM, Sigbjorn Lie wrote:
>> We decided to back away from trying to provide central RBAC. Our
>> experience with multiple projects revealed that there is no one size fits all solution regarding
>> RBAC. But we were talking about the general role-based
>> access control model, not the specific RBAC as Solaris implemented it. The Solaris RBAC is similar
>> to sudo and HBAC combined together. Both features are managed by IPA. We also have SELinux policies
>> on Linux that can constrain the root access. The user SELinux roles management is on the roadmap
>> but HBAC + SUDO should give you the equivalent if not more functionality than
>> Solaris RBAC.
>
>
> It's a false statement that Solaris RBAC is like sudo and HBAC combined. There are so many more
> options in the Solaris RBAC when it comes to things such as limiting/granting CPU/memory resources, OS
> privileges, based on a group, a project, a user, a service, etc.
Sounds a lot like, and overlaps with, SELinux features to me...

> Besides, RBAC comes with Solaris; sudo needs to be installed.

It was not clear if the client is actually on Solaris.
I think here we have a different case. Here we are talking about an
application that takes advantage of the Solaris RBAC as a policy container.


> And as I understand it, SSSD is required to be installed on Solaris to implement the HBAC rules from
> IPA?
>

Yes, but a different PAM module can be built to take advantage of HBAC
for the platforms that do not support SSSD.
>
> Rgds,
> Siggi


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
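The reply above says a PAM module could consume IPA's HBAC rules directly on a platform without SSSD. What such a module has to compute is the HBAC decision itself, so here is a small model of that evaluation as an added example. It is not FreeIPA or SSSD code, and the users, hosts, group memberships and rules in it are constructed sample data. It assumes the IPA HBAC shape: allow-only rules, each with a user, host and service section that names members directly, names groups, or is set to category "all"; access is granted only if at least one enabled rule matches on all three sections.

```python
"""Host-based access control (HBAC) evaluation in the shape FreeIPA uses:
allow-only rules over users/groups, hosts/hostgroups and PAM services, each
section optionally set to category "all".  This is a constructed model of
what a PAM module on a platform without SSSD would have to compute from
rules fetched out of IPA; it is not FreeIPA or SSSD code, and the users,
hosts and rules below are made-up sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

ALL = "all"  # IPA's "category: all" marker for a rule section


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    users: Set[str] = field(default_factory=set)
    usergroups: Set[str] = field(default_factory=set)
    usercat: Optional[str] = None
    hosts: Set[str] = field(default_factory=set)
    hostgroups: Set[str] = field(default_factory=set)
    hostcat: Optional[str] = None
    services: Set[str] = field(default_factory=set)
    servicegroups: Set[str] = field(default_factory=set)
    servicecat: Optional[str] = None


# Constructed directory data standing in for the group memberships a client
# would look up in IPA's LDAP tree (or receive pre-resolved from SSSD).
USER_GROUPS: Dict[str, Set[str]] = {
    "alice": {"admins"},
    "bob": {"devs"},
    "carol": set(),
}
HOST_GROUPS: Dict[str, Set[str]] = {
    "web01.example.test": {"webservers"},
    "db01.example.test": {"dbservers"},
}
SERVICE_GROUPS: Dict[str, Set[str]] = {
    "sshd": {"remote-access"},
    "login": set(),
    "sudo": set(),
}

# Constructed rule set.  There are no deny rules: access is granted only
# when at least one enabled rule matches on all three sections.
RULES: List[HbacRule] = [
    HbacRule("admins_everywhere", usergroups={"admins"}, hostcat=ALL, servicecat=ALL),
    HbacRule("devs_ssh_webservers", usergroups={"devs"}, hostgroups={"webservers"}, services={"sshd"}),
    HbacRule("bob_sudo_db", users={"bob"}, hosts={"db01.example.test"}, services={"sudo"}),
    # A disabled catch-all: must never grant access while disabled.
    HbacRule("allow_all_disabled", enabled=False, usercat=ALL, hostcat=ALL, servicecat=ALL),
]


def _section_matches(name: str, groups: Set[str], members: Set[str],
                     member_groups: Set[str], category: Optional[str]) -> bool:
    """One rule section matches if it is category 'all', names the object
    directly, or names a group the object belongs to."""
    if category == ALL:
        return True
    return name in members or bool(groups & member_groups)


def matching_rules(user: str, host: str, service: str,
                   rules: List[HbacRule] = RULES) -> List[str]:
    """Return the names of enabled rules that match on user, host AND service
    (the same set an `ipa hbactest` run would report as matched)."""
    ugroups = USER_GROUPS.get(user, set())
    hgroups = HOST_GROUPS.get(host, set())
    sgroups = SERVICE_GROUPS.get(service, set())
    matched = []
    for r in rules:
        if not r.enabled:
            continue
        if (_section_matches(user, ugroups, r.users, r.usergroups, r.usercat)
                and _section_matches(host, hgroups, r.hosts, r.hostgroups, r.hostcat)
                and _section_matches(service, sgroups, r.services, r.servicegroups, r.servicecat)):
            matched.append(r.name)
    return matched


def hbac_allowed(user: str, host: str, service: str) -> bool:
    """PAM account-phase decision: allow iff some enabled rule matched.
    Unknown users, hosts or services fall through to deny."""
    return bool(matching_rules(user, host, service))


if __name__ == "__main__":
    for u, h, s in [("alice", "db01.example.test", "sudo"),
                    ("bob", "web01.example.test", "sshd"),
                    ("bob", "web01.example.test", "sudo"),
                    ("carol", "web01.example.test", "sshd")]:
        verdict = "ALLOW" if hbac_allowed(u, h, s) else "DENY"
        print(f"{u}@{h} {s}: {verdict}", matching_rules(u, h, s))
```

The default-deny fall-through is the property a replacement PAM module must preserve: an unknown user, a host missing from every hostgroup, or a disabled rule yields no match and therefore no access, exactly as the sudo/HBAC combination described in the thread is meant to behave.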

