On Tue, 10 Mar 2015, Gabe Alford wrote:
On Tue, Mar 10, 2015 at 9:51 AM, Stanislav Láznička <s...@seznam.cz> wrote:
On 03/10/2015 04:06 PM, Jakub Hrozek wrote:
On Tue, Mar 10, 2015 at 03:47:10PM +0100, Martin Kosek wrote:
This is where importing iCal is helpful because it allows you to
outsource the task of creating such event to something else.
Parsing event information would produce a rule definition we would store
and SSSD would apply as HBAC rule. However, we don't need ourselves to
provide a complex UI to define such rules. Instead, we can do a simple
UI to create rules plus a UI to import rules defined in iCal by some
other software. The rest is visualizing HBAC time/date rules which is
separate from dealing with complexity of creating or importing rules.
Additionally, for iCal-based imports we can utilize participants
information from the iCal to automatically set up members of the rule
(based on mail attribute).
Ah, makes sense to me.
With all the possibilities that iCal format offers, we would more or
less end
up storing iCal in HBAC rules (or our own format of iCal). I am just
concerned
it would make a bit complex processing on SSSD side, especially in the
security
sensitive piece for authorization rules.
We may need to use libraries for processing iCal rules, like libical
(http://koji.fedoraproject.org/koji/buildinfo?buildID=606329)...
Is that what Alexander said, though? In his reply, I see:
"Parsing event information would produce a rule definition we would
store and SSSD would apply as HBAC rule".
This is what kind of worried me, too. If I understand it well, this means
you would have iCal events such as holidays (these were mentioned before),
and you would like to generate HBAC rules based on these events. Those
rules would, however, be different for each country (if this is still about
holidays) and might collide among user and host groups. Therefore, you
would have lots and lots of rules in the end, wouldn't you?
I wonder if anyone does that. From what I've seen in AD and 389 Directory
Server, time-based rules are being stored in a rather simple manner. I
don't mind a more complex solution but I think such exceptions might be
little too much. But I might have not understood the idea very well.
This is my understanding as well. If using AD as the example, there are two
ways that timebased rules are configured:
1. Permit logon hours during specified timeframe on specified day(s)
of the week.
2. Deny logon hours during specified timeframe on specified day(s) of
the week.
There is nothing about holidays. I think that implementing holidays and
special exemptions should be avoided.
Yep. Except that we DENY by default in HBAC rules. So we only handle
ALLOW case already and there are strong reasons not to structure HBAC
rules to provide DENY too.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
