On Fri, 10 Jul 2015, Stanislav Laznicka wrote:
> Long time no post from me, time to make it up to you.
> I have been working on the implementation of the design of time policies
> for HBAC rules on FreeIPA and SSSD sides. Attached is the current state of
> the FreeIPA solution. My comments and notes to the solution follow.
> The FreeIPA side backend base for time policies in HBAC seems working to me
> but still needs formal testing. Also, there is no conversion from the iCal
> format as previously requested and I personally would postpone this feature
> until the time policies functionality is rock solid.
> There were some uncertainties in the design as well. I ran into 2 of these
> but more may come.
> The first thing is how to deal with weeks in a month. There are two
> possibilities. A week in month (as specified by the weekofmonth keyword in
> the time policies) may be understood as a period of time between two
> Sundays, so when a month starts on, say, Friday the 1st, weekofmonth=1 would
> specify days Friday, Saturday, Sunday and anything from that Sunday on would
> be a weekofmonth=2 and on. However, I think a week in a month may also be
> considered a period of time that equals 7 days of a month. In the previous
> example, a weekofmonth=1 would therefore also apply to the following days up
> until Friday the 8th, excluding this last day. Although I implemented the
> first case in the SSSD, I actually started thinking the second case scenario
> might be the right or "better" one.
One thing you need to realize is that there is no universal 'week starts on
There are different ways of starting a week, some countries do it on
Sunday, some -- on Saturday, some -- on Monday. This means you need to
make it possible to pull in a locale definition if you really want this
functionality, and then it also becomes quite fuzzy as there are legal
definitions of what a week is (as well as a month and a work day).
> The other thing is which years should be allowed to be the input of the
> "year" keyword. Currently, I set the range for these values to 1970-2038
> according to the Unix timestamp. I'm not sure if anyone would want to set it
> less than 1970; setting it to a higher value than 2038 might probably make
> sense in some very special cases, although I really can't think of one.
You certainly can set it to more than 2038 (time doesn't stop there). What
you are limited by is the Kerberos 32-bit time stamp, not the HBAC policy time
definition. I would say we had better set it to 64-bit ourselves and handle
irregularities in SSSD.
/ Alexander Bokovoy
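To make the two weekofmonth readings discussed above concrete, here is an added example (not code from FreeIPA or SSSD, and not part of the original thread) that computes the week-of-month number for a date under both interpretations and with a configurable first day of the week. It assumes a hypothetical rule representation, a set of allowed week numbers, and uses May 2015 as the constructed sample month because it starts on a Friday, exactly the case Stanislav describes. It also shows Alexander's point: the same calendar date lands in a different week, and the month has a different number of weeks, depending on which weekday the locale says a week starts on.

```python
from calendar import monthrange
from datetime import date, timedelta

# Python's date.weekday() numbering: Monday=0 ... Sunday=6.
MONDAY, SATURDAY, SUNDAY = 0, 5, 6


def week_of_month_calendar(d: date, week_start: int = MONDAY) -> int:
    """Interpretation 1: weeks are calendar weeks that begin on `week_start`.

    Week 1 is the (possibly partial) week that contains the 1st of the month;
    the counter advances every time a new week begins.
    """
    first = d.replace(day=1)
    # How many days of week 1 fall before the 1st (i.e. belong to the previous month).
    offset = (first.weekday() - week_start) % 7
    return (d.day - 1 + offset) // 7 + 1


def week_of_month_fixed(d: date) -> int:
    """Interpretation 2: week n is days 7(n-1)+1 .. 7n of the month, regardless of weekday."""
    return (d.day - 1) // 7 + 1


def weeks_in_month(year: int, month: int, week_start: int = MONDAY, fixed: bool = False) -> int:
    """Number of week slots the month occupies under the chosen interpretation."""
    last = date(year, month, monthrange(year, month)[1])
    return week_of_month_fixed(last) if fixed else week_of_month_calendar(last, week_start)


def rule_matches(rule_weeks, d: date, week_start: int = MONDAY, fixed: bool = False) -> bool:
    """Evaluate a hypothetical `weekofmonth` rule (a set of allowed week numbers) for a date.

    The rule representation is an assumption for this example, not the FreeIPA schema.
    """
    w = week_of_month_fixed(d) if fixed else week_of_month_calendar(d, week_start)
    return w in rule_weeks


def sample_month_table(year: int = 2015, month: int = 5, days: int = 10):
    """Constructed sample: May 2015 starts on a Friday. Returns rows of
    (day, calendar week with Monday start, calendar week with Sunday start, fixed week)."""
    first = date(year, month, 1)
    rows = []
    for i in range(days):
        d = first + timedelta(days=i)
        rows.append((d.day, d.strftime("%a"),
                     week_of_month_calendar(d, MONDAY),
                     week_of_month_calendar(d, SUNDAY),
                     week_of_month_fixed(d)))
    return rows


if __name__ == "__main__":
    print("day  wd  cal(Mon) cal(Sun) fixed")
    for day, wd, mon, sun, fixed in sample_month_table():
        print(f"{day:>3}  {wd}  {mon:>8} {sun:>8} {fixed:>5}")
    for start, name in ((MONDAY, "Monday"), (SUNDAY, "Sunday")):
        print(f"May 2015 spans {weeks_in_month(2015, 5, start)} calendar weeks if weeks start on {name}")
    print(f"May 2015 spans {weeks_in_month(2015, 5, fixed=True)} fixed 7-day weeks")
```

Running it shows that with a Monday week start, Sunday 3 May 2015 is still weekofmonth=1 and Monday 4 May is the first day of week 2, whereas with a Sunday week start, 3 May already belongs to week 2; the fixed interpretation keeps 1-7 May in week 1 and moves to week 2 on Friday 8 May. May 2015 also has five calendar weeks with a Monday start but six with a Sunday start, so a rule saying weekofmonth=5 means "the last week" in one locale and "the second-to-last week" in the other. Whichever interpretation is chosen, the policy evaluator and the UI that presents the rule have to agree on it and on the week-start day, or the rule will allow access on days the administrator did not intend.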