On Tue, 10 Mar 2015, Martin Kosek wrote:
On 03/10/2015 05:18 PM, Alexander Bokovoy wrote:
On Tue, 10 Mar 2015, John Dennis wrote:
On 03/10/2015 11:06 AM, Jakub Hrozek wrote:
We may need to use libraries for processing iCal rules, like libical
(http://koji.fedoraproject.org/koji/buildinfo?buildID=606329)...

Is that what Alexander said, though? In his reply, I see:
    "Parsing event information would produce a rule definition we would
    store and SSSD would apply as HBAC rule".

I don't think an iCal dependency is something we want in SSSD, the
rules should be converted from iCal to SSSD format in a layer atop
libipa_hbac.

But doesn't the iCal rule have to be evaluated in SSSD? If so that
requires linking against libical, right?
That's why I'm saying we import iCal in IPA, not that we keep using iCal
as internal representation of time/date information for HBAC rules.

I don't really want to impose iCal horror on the HBAC rule parsing engine.
I believe we can do simpler and better, given HBAC is all about ALLOW
rules on the basis of a default DENY action.

Ok, but how do you want to define a rule such as

"Allow Joe to log in every Monday, except holidays (when the office is closed)"?

We can't just have IPA process the iCal and generate Allow ranges as there is
an indefinite number of the allow ranges. So if you want to describe a more complex
rule (recurring rule with some exceptions maybe), you end up with iCal anyway.
Or not?
See my answer to John. We don't need to end up with iCal at all since
iCal doesn't have procedural definitions of holidays. It has
EXDATE/RRULE allowing to express exceptions and repeating rules (EXRULE
for exception rules was removed in RFC5545 and is not used anymore) but
nothing more concrete.

RFC5545 does define multiple things which are part of iCalendar format
and which we don't really need to deal with in SSSD so we don't need
full iCal at all. We need to be able to represent recurring events and
some of the exceptions to them within the rules but that is a subset of what
is needed and can be implemented without involving a fully-compliant
iCal library.
--
/ Alexander Bokovoy
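
The "every Monday, except holidays" rule from the thread, evaluated with only a weekly recurrence plus exception dates and a default DENY, as an added example (not code from SSSD, libipa_hbac or any poster). The struct layout, the 08:00-18:00 window and the holiday date are assumptions for illustration; the caller supplies the local date, weekday and minute of day.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical rule format (not SSSD's or libipa_hbac's): weekly recurrence,
 * daily time window, explicit exception dates (the RRULE/EXDATE subset). */
struct day { int year, month, mday; };
struct when { struct day date; int wday; int minute; };  /* wday 0 = Sunday */
struct time_rule {
    unsigned wday_mask;         /* bit 0 = Sunday ... bit 6 = Saturday */
    int start_min, end_min;     /* allowed window [start, end), minutes since midnight */
    const struct day *exdates;  /* dates on which the rule does not apply */
    size_t n_exdates;
};

static bool rule_matches(const struct time_rule *r, const struct when *t)
{
    if (t->wday < 0 || t->wday > 6 || !(r->wday_mask & (1u << t->wday)))
        return false;                       /* not a recurring weekday */
    if (t->minute < r->start_min || t->minute >= r->end_min)
        return false;                       /* outside the daily window */
    for (size_t i = 0; i < r->n_exdates; i++) {
        const struct day *x = &r->exdates[i];
        if (x->year == t->date.year && x->month == t->date.month &&
            x->mday == t->date.mday)
            return false;                   /* exception date: rule is off */
    }
    return true;
}

/* HBAC semantics from the thread: rules only ALLOW, the default is DENY. */
bool access_allowed(const struct time_rule *rules, size_t n, const struct when *t)
{
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&rules[i], t))
            return true;
    return false;
}

/* Constructed sample: Mondays 08:00-18:00, except Easter Monday 2015. */
static const struct day holidays[] = { { 2015, 4, 6 } };
static const struct time_rule joe_rules[] = { { 1u << 1, 480, 1080, holidays, 1 } };

bool joe_allowed(int y, int m, int d, int wday, int minute)
{
    struct when t = { { y, m, d }, wday, minute };
    return access_allowed(joe_rules, 1, &t);
}
```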
