On Tue, 10 Mar 2015, Stanislav Láznička wrote:
On 03/10/2015 04:06 PM, Jakub Hrozek wrote:
On Tue, Mar 10, 2015 at 03:47:10PM +0100, Martin Kosek wrote:
This is where importing iCal is helpful because it allows you to
outsource the task of creating such an event to something else.

Parsing event information would produce a rule definition we would store
and SSSD would apply as an HBAC rule. However, we don't need to provide
a complex UI to define such rules ourselves. Instead, we can do a simple
UI to create rules plus a UI to import rules defined in iCal by some
other software. The rest is visualizing HBAC time/date rules, which is
separate from dealing with the complexity of creating or importing rules.

Additionally, for iCal-based imports we can utilize participants
information from the iCal to automatically set up members of the rule
(based on mail attribute).

Ah, makes sense to me.

With all the possibilities that the iCal format offers, we would more or less end
up storing iCal in HBAC rules (or our own format of iCal). I am just concerned
it would make processing on the SSSD side a bit complex, especially in the
security-sensitive piece for authorization rules.

We may need to use libraries for processing iCal rules, like libical
(http://koji.fedoraproject.org/koji/buildinfo?buildID=606329)...
Is that what Alexander said, though? In his reply, I see:
    "Parsing event information would produce a rule definition we would
    store and SSSD would apply as HBAC rule".
This is what kind of worried me, too. If I understand it well, this means you would have iCal events such as holidays (these were mentioned before), and you would like to generate HBAC rules based on these events. Those rules would, however, be different for each country (if this is still about holidays) and might collide among user and host groups. Therefore, you would have lots and lots of rules in the end, wouldn't you?
It does not matter how many rules there are. SSSD caches HBAC rules per host, and if a rule doesn't apply, it is not
downloaded and doesn't affect the host.

An HBAC rule is a tuple (user|group, host|hostgroup, service|servicegroup).
This tuple would get extension representing time/date information in a
multivalued attribute that would describe all time/date intervals
applicable to this rule.

HBAC rules represent an ALLOW action and the default is DENY, so you don't need
to represent holidays; they are DENY by default. You only need to
represent ALLOW here.

--
/ Alexander Bokovoy
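The rule model Alexander describes above (a (user|group, host|hostgroup, service|servicegroup) tuple extended with a multivalued set of time/date intervals, every rule an ALLOW, anything uncovered a DENY) can be written out as a small evaluator. The code below is an added illustration for this thread, not FreeIPA or SSSD code; the class and function names (HbacRule, TimeWindow, rules_for_host, evaluate), the weekday/time-of-day interval format and the sample rules are all assumptions chosen for the example. It also shows why holidays need no representation: a Saturday request simply finds no interval that covers it, and the per-host filter drops rules that name other hosts before evaluation.

```python
"""Toy evaluator for HBAC rules extended with time/date intervals.

Hypothetical model, following the thread's description:
  rule = (users, hosts, services, intervals)
  - users:     user names and user group names the rule applies to
  - hosts:     host names and hostgroup names
  - services:  service names and servicegroup names
  - intervals: multivalued list of time windows (empty = no time restriction)
Semantics: every rule is ALLOW; a request no rule covers is DENY.
"""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class TimeWindow:
    """One interval: a set of weekdays (0=Monday..6=Sunday) and a daily time range."""
    weekdays: frozenset
    start: time
    end: time

    def contains(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start <= when.time() < self.end


@dataclass(frozen=True)
class HbacRule:
    name: str
    users: frozenset      # user names and group names
    hosts: frozenset      # host names and hostgroup names
    services: frozenset   # service names and servicegroup names
    windows: tuple = ()   # multivalued time/date attribute; () means "always"


@dataclass(frozen=True)
class Request:
    user: str
    user_groups: frozenset
    host: str
    host_groups: frozenset
    service: str
    service_groups: frozenset
    when: datetime


def rule_applies_to_host(rule: HbacRule, host: str, host_groups: frozenset) -> bool:
    return bool(rule.hosts & ({host} | host_groups))


def rules_for_host(rules, host: str, host_groups: frozenset):
    """Mimic the per-host cache: keep only rules naming this host or one of its groups."""
    return [r for r in rules if rule_applies_to_host(r, host, host_groups)]


def rule_matches(rule: HbacRule, req: Request) -> bool:
    if not rule.users & ({req.user} | req.user_groups):
        return False
    if not rule_applies_to_host(rule, req.host, req.host_groups):
        return False
    if not rule.services & ({req.service} | req.service_groups):
        return False
    if not rule.windows:          # no time restriction on this rule
        return True
    return any(w.contains(req.when) for w in rule.windows)


def evaluate(rules, req: Request):
    """Return the name of the first ALLOW rule covering the request, or None (DENY)."""
    for rule in rules_for_host(rules, req.host, req.host_groups):
        if rule_matches(rule, req):
            return rule.name
    return None


# Constructed sample data: one time-restricted rule, one unrestricted rule.
OFFICE_HOURS = TimeWindow(frozenset(range(0, 5)), time(9, 0), time(17, 0))
RULES = [
    HbacRule("allow_admins_ssh_webservers", frozenset({"admins"}),
             frozenset({"webservers"}), frozenset({"sshd"}), (OFFICE_HOURS,)),
    HbacRule("allow_ops_ssh_dbservers", frozenset({"ops"}),
             frozenset({"dbservers"}), frozenset({"sshd"})),
]


def sample_request(when: datetime, user="alice", groups=("admins",),
                   host="web1", host_groups=("webservers",), service="sshd") -> Request:
    return Request(user, frozenset(groups), host, frozenset(host_groups),
                   service, frozenset(), when)


if __name__ == "__main__":
    # 2015-03-10 is a Tuesday (the date of this thread); 2015-03-14 is a Saturday.
    for when in (datetime(2015, 3, 10, 10, 0), datetime(2015, 3, 10, 22, 0),
                 datetime(2015, 3, 14, 10, 0)):
        print(when, "->", evaluate(RULES, sample_request(when)) or "DENY")
```

Only the rules that survive rules_for_host are consulted, which is the point made about rule count: a rule for dbservers never reaches the evaluation on web1. Adding a holiday would mean leaving that day out of the rule's windows, not adding a DENY rule.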

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
