On 04.11.2015 13:46, Stanislav Laznicka wrote:

The fixed patches to Martin^2's and Jakub's reviews are almost ready, there are just a few things left. Martin B. mentioned in his review that '~' might not be the best delimiter for range values in the HBAC time policies language as it is not commonly used for that purpose. I started using it when the negative values were introduced (instead of '-').

The question here is, then, which delimiter would you rather use for ranges? Some choices are ':', '..', and, obviously, '~' but you are free to come up with your own. The delimiters '-' and ',' are not suitable as their use is different here. However small this might seem to be, let's be rigorous here and design it properly.

Also, with some time, I got uncertain about one thing with the 'repeat' keyword. What behaviour would you expect when 'repeat' is on yearly repetition and 'dayofweek' is the only other thing set? RFC5545 (iCal) says:
Information, not contained in the rule, necessary to determine the
various recurrence instance start time and dates are derived from
the Start Time ("DTSTART") component attribute.  For example,
"FREQ=YEARLY;BYMONTH=1" doesn't specify a specific day within the
month or a time.  This information would be the same as what is
specified for "DTSTART".
and also in an example

 BYMONTHDAY, or BYMONTH rule part were missing, the appropriate
 minute, hour, day, or month would have been retrieved from the
 "DTSTART" property.",

but an example with BYDAY alone set with a day of the week without a numerical specifier is missing, so it is not clear if this would apply to all specified weekdays of a certain month or the whole year. Currently, I am using only the months' weekdays.

Standa Láznička


We (Standa and I) had an offline discussion and I proposed the following idea:

1) Create a new entry in LDAP for "time rule" instead of adding the time rule string directly into the HBAC rule. This will allow reusing time rules among various HBAC rules (and maybe in the future with sudo rules, etc.)
The HBAC rule gets only a reference to the time rule entry stored in the LDAP DB.

2) Do not create a new time format, just reuse iCal (the parts of iCal we need) to store the time rule in LDAP in the "time rule" entry. (Or, if possible, do not store the values just as one string; we can use different attributes to store separate values, and iCal can be used as the export and import format.)

3) We may provide a nice CLI and web UI to construct/show the "time rule"; this may be more user friendly than just passing the string containing time data to the HBAC rule.
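As an added illustration of the RFC 5545 question raised in the thread (the derivation of missing rule parts from DTSTART, and what BYDAY alone means in a YEARLY rule), here is a minimal expander for the FREQ=YEARLY subset. It is example code, not code from the thread or from FreeIPA; the DTSTART value is constructed, and the `dtstart_month_only` switch is a name introduced here to show both readings side by side.

```python
from datetime import date, datetime, timedelta

# Two-letter weekday codes from RFC 5545, mapped to Python's Monday=0 numbering.
WEEKDAYS = {"MO": 0, "TU": 1, "WE": 2, "TH": 3, "FR": 4, "SA": 5, "SU": 6}

# Constructed DTSTART for the examples: the date of this thread, 09:00 (a Wednesday).
DTSTART = datetime(2015, 11, 4, 9, 0)


def parse_rrule(rrule):
    """Parse the FREQ=YEARLY subset: optional BYMONTH and ordinal-free BYDAY."""
    parts = dict(p.split("=", 1) for p in rrule.split(";") if p)
    if parts.get("FREQ") != "YEARLY":
        raise ValueError("only FREQ=YEARLY is handled in this example")
    bymonth = [int(m) for m in parts["BYMONTH"].split(",")] if "BYMONTH" in parts else None
    byday = [WEEKDAYS[d] for d in parts["BYDAY"].split(",")] if "BYDAY" in parts else None
    return bymonth, byday


def expand_year(dtstart, rrule, year, dtstart_month_only=False):
    """Return the occurrences of `rrule` in `year`, never earlier than DTSTART.

    Month, day-of-month and time of day that the rule leaves out come from
    DTSTART.  With BYDAY but no BYMONTH, RFC 5545's expansion table (Note 2)
    expands over the whole year; dtstart_month_only=True instead restricts
    it to DTSTART's month, the alternative reading discussed in the thread.
    """
    bymonth, byday = parse_rrule(rrule)
    if bymonth is not None:
        months = bymonth
    elif byday is not None and not dtstart_month_only:
        months = range(1, 13)
    else:
        months = [dtstart.month]
    occurrences = []
    for month in months:
        day = date(year, month, 1)
        while day.month == month:
            if byday is None:
                wanted = day.day == dtstart.day      # day-of-month from DTSTART
            else:
                wanted = day.weekday() in byday
            if wanted:
                occurrences.append(datetime.combine(day, dtstart.time()))
            day += timedelta(days=1)
    return [d for d in occurrences if d >= dtstart]


if __name__ == "__main__":
    for rule in ("FREQ=YEARLY;BYMONTH=1", "FREQ=YEARLY;BYDAY=WE", "FREQ=YEARLY;BYDAY=TH;BYMONTH=6,7,8"):
        print(rule, len(expand_year(DTSTART, rule, 2016)), len(expand_year(DTSTART, rule, 2016, True)))
```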
