On 04.11.2015 13:46, Stanislav Laznicka wrote:
The fixed patches to Martin^2's and Jakub's reviews are almost ready,
there are just a few things left. Martin B. mentioned in his review
that '~' might not be the best delimiter for range values in the HBAC
time policies language as it is not commonly used for that purpose. I
started using it when the negative values were introduced (instead of
The question here is, then, which delimiter would you rather use for
ranges? Some choices are ':', '..', and, obviously, '~' but you are
free to come up with your own. The delimiters '-' and ',' are not
suitable as their use is different here. However small this might seem
to be, let's be rigorous here and design it properly.
Also, with some time, I got uncertain about one thing with the
'repeat' keyword. What behaviour would you expect when 'repeat' is on
yearly repetition and 'dayofweek' is the only other thing set? RFC5545
Information, not contained in the rule, necessary to determine the
various recurrence instance start time and dates are derived from
the Start Time ("DTSTART") component attribute. For example,
"FREQ=YEARLY;BYMONTH=1" doesn't specify a specific day within the
month or a time. This information would be the same as what is
specified for "DTSTART".
and also in an example
"... if the BYMINUTE, BYHOUR, BYDAY,
BYMONTHDAY, or BYMONTH rule part were missing, the appropriate
minute, hour, day, or month would have been retrieved from the
but an example with BYDAY alone set with a day of week without
numerical specifier is missing so it is not clear if this would apply
to all specified weekdays of a certain month or the whole year.
Currently, I am using only the months' weekdays.
We (Standa and I) had an offline discussion and I proposed the following idea:
1) Create a new entry in LDAP for a "time rule" instead of adding the time
rule string directly into HBACRule.
This will allow reusing time rules among various HBAC rules (and maybe
in the future with sudo rules, etc.)
HBACRule gets only a reference to the time rule entry stored in the LDAP db.
2) Do not create a new time format, just reuse iCal (the parts of iCal we
need) to store the time rule in LDAP in the "time rule" entry
(Or it is possible to not store the values just as one string; we can use
different attributes to store separate values, and iCal can be used as
the export and import format)
3) We may provide a nice CLI and webUI to construct/show a "time rule"; this
may be more user friendly than just passing the string containing time
data to the HBAC rule.
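
Added example, not part of the thread and not FreeIPA code: the two readings of a yearly repeat with only a day of week set, expanded side by side so the dates on which an access decision would differ are visible. The function names, the "month"/"year" scope labels and the sample start date are assumptions made for illustration.

```python
from datetime import date, timedelta

# Weekday tokens as in iCal BYDAY; Monday is 0 to match date.weekday().
WEEKDAYS = {"MO": 0, "TU": 1, "WE": 2, "TH": 3, "FR": 4, "SA": 5, "SU": 6}


def expand_yearly_dayofweek(year, days, dtstart, scope):
    """Dates in `year` matched by a yearly rule that sets only day-of-week.

    scope="month": only weekdays inside the month of dtstart
    scope="year":  every matching weekday of the whole year
    """
    if scope not in ("month", "year"):
        raise ValueError("scope must be 'month' or 'year'")
    wanted = {WEEKDAYS[d] for d in days}
    matched = []
    day = date(year, 1, 1)
    while day.year == year:
        in_scope = scope == "year" or day.month == dtstart.month
        if in_scope and day.weekday() in wanted:
            matched.append(day)
        day += timedelta(days=1)
    return matched


def ambiguous_dates(year, days, dtstart):
    """Dates where the two readings give different access decisions."""
    month_only = set(expand_yearly_dayofweek(year, days, dtstart, "month"))
    whole_year = expand_yearly_dayofweek(year, days, dtstart, "year")
    return [d for d in whole_year if d not in month_only]


if __name__ == "__main__":
    start = date(2016, 11, 1)  # constructed sample start date
    for scope in ("month", "year"):
        hits = expand_yearly_dayofweek(2016, ["MO"], start, scope)
        print(scope, len(hits), hits[0], hits[-1])
    print("dates decided differently:", len(ambiguous_dates(2016, ["MO"], start)))
```

For the constructed rule (Mondays, start date in November 2016), every Monday outside November is a date on which an HBAC evaluation would allow or deny depending on which reading the evaluator implements.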