On Fri, Nov 13, 2015 at 10:40:27AM -0500, Simo Sorce wrote:
> On 13/11/15 10:17, Martin Basti wrote:
> >
> > On 13.11.2015 14:41, Simo Sorce wrote:
> >> On 11/11/15 09:30, Martin Basti wrote:
> >>>
> >>> On 11.11.2015 14:52, Martin Basti wrote:
> >>>> Comments inline
> >>>> Martin^2
> >>>>
> >>>> On 11.11.2015 09:24, Stanislav Laznicka wrote:
> >>>>> On 11/05/2015 06:17 PM, Petr Spacek wrote:
> >>>>>> On 4.11.2015 15:20, Martin Basti wrote:
> >>>>>>
> >>>>>>> Hello,
> >>>>>>>
> >>>>>>> we (Standa and I) had an offline discussion and I proposed the following
> >>>>>>> idea:
> >>>>>>>
> >>>>>>> 1) create a new entry in LDAP for "time rule" instead of adding the
> >>>>>>> time rule string directly into HBACRule.
> >>>>>>> This will allow reusing time rules among various HBAC Rules (and
> >>>>>>> maybe in future with sudo rules, etc.)
> >>>>>>> HBACrule gets only a reference to the time rule entry stored in LDAP db.
> >>>>>>
> >>>>>> Good idea! I can see time rule entry 'working hours in Brno
> >>>>>> office' which is linked to relevant HBAC rules.
> >>>>>
> >>>>> This seems like a good idea. However, it might be a bit messy to have
> >>>>> even the least significant rules stored in separate objects. But I
> >>>>> agree. It brings some questions, though.
> >>>>
> >>>> Imo to have a separate entry for a time rule is cleaner than adding it
> >>>> directly to the HBAC rule.
> >>
> >> I really disagree, see below.
> >>
> >>>>> Where would be a good spot to store these time rules?
> >>>>
> >>>> As I originally thought that we can share time rules between HBAC,
> >>>> SUDO and everything else, I couldn't be more wrong.
> >>>>
> >>>> Example: HBAC admin has permission to edit HBAC rule, but doesn't
> >>>> have permission to edit SUDO rule. The HBAC admin should be able to
> >>>> edit time rules for HBAC rules, and must not be able to edit time rules
> >>>> of SUDO rules. Thus time rules must be separated between HBAC, SUDO
> >>>> and others, and the privilege that gives the permission to modify HBAC
> >>>> rules must give permission to modify only HBAC time rules.
> >>>>
> >>>> I suggest to add HBAC time rules to HBAC container.
> >>>
> >>> After IRC discussion with pspacek and jcholast:
> >>>
> >>> We should just create separate privileges for time rules and allow them
> >>> to be shared.
> >>> So they should be stored in a new container in LDAP
> >>
> >> I do not understand what this means.
> >>
> >> And in general I am opposed to having a separate object on performance
> >> grounds (for clients) and also on the fact that it becomes tricky to
> >> keep objects in sync.
                          ~~~~~~~~~~~~~~~~~~~

I think this is even more important than performance.

> > What exactly is the performance issue there? To download an extra entry
> > from LDAP?
>
> Yes because now you have to download rules, parse them, find out what needs
> to be downloaded and pull it, or worse just download all time rules

Yes, if each rule referenced a timerule, then we would have to do something like:

    for rule in all_rules_for_this_host:
        dereference_attribute(rule_time_attr)

We'd probably just end up fetching all timerules and establishing the relationship locally (which takes up computing time on the client).

> > SSSD does the same sync with users and groups, doesn't it?
>
> No, by default we do not enumerate users and groups, and for HBAC rules we
> download only those that apply to the machine.
>
> All this exactly to reduce the amount of time taken, and load on the server.

Right, we try to reduce the number of round-trips, but also the number of separate objects we save to the cache and we try to avoid complex logic to link objects to one another.

tl;dr - I agree with Simo.

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
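The trade-off argued in the thread, as an added example that is not part of the list discussion or of FreeIPA/SSSD code: a toy directory stub counts the round trips an SSSD-like client needs under the two schemas (time rule string stored inline in the HBAC rule versus a separate time-rule entry referenced by DN), and shows the extra failure mode a reference introduces when the referenced entry is gone. The DNs, the attribute names `accessTime` and `memberTimeRule`, and the `ipatimerule` object class are constructed for this example and are not the FreeIPA schema.

```python
"""Compare client-side cost of inline vs referenced HBAC time rules.

Constructed example; attribute and object-class names are assumptions,
not the real FreeIPA schema. Each rule below carries the same policy in
both representations so the two fetch paths can be compared directly.
"""

HOST1 = "host1.example.test"
HOST2 = "host2.example.test"
BRNO = "cn=brno_hours,cn=timerules,dc=example,dc=test"
GONE = "cn=deleted_rule,cn=timerules,dc=example,dc=test"  # no such entry

DIRECTORY = {
    "cn=allow_ssh,cn=hbac,dc=example,dc=test": {
        "objectClass": ["ipahbacrule"],
        "memberHost": [HOST1, HOST2],
        "accessTime": ["weekly mon-fri 0800-1800"],   # inline form
        "memberTimeRule": [BRNO],                     # referenced form
    },
    "cn=allow_ftp,cn=hbac,dc=example,dc=test": {
        "objectClass": ["ipahbacrule"],
        "memberHost": [HOST1],
        "accessTime": ["weekly mon-fri 0800-1800"],
        "memberTimeRule": [BRNO],
    },
    "cn=allow_backup,cn=hbac,dc=example,dc=test": {
        "objectClass": ["ipahbacrule"],
        "memberHost": [HOST1],
        "accessTime": ["daily 0100-0300"],
        "memberTimeRule": [GONE],                     # dangling reference
    },
    BRNO: {
        "objectClass": ["ipatimerule"],
        "accessTime": ["weekly mon-fri 0800-1800"],
    },
}


class LdapStub:
    """Minimal stand-in for a directory server that counts round trips."""

    def __init__(self, entries):
        self.entries = entries
        self.round_trips = 0

    def search(self, predicate):
        self.round_trips += 1
        return {dn: e for dn, e in self.entries.items() if predicate(dn, e)}

    def read(self, dn):
        self.round_trips += 1
        return self.entries.get(dn)


def rules_for_host(server, host):
    """The one search SSSD-style clients do: only rules that apply to this host."""
    return server.search(
        lambda dn, e: "ipahbacrule" in e["objectClass"] and host in e["memberHost"]
    )


def fetch_inline(server, host):
    """Schema A: time rule string lives in the HBAC rule; one search, done."""
    return {dn: list(e["accessTime"]) for dn, e in rules_for_host(server, host).items()}


def fetch_referenced(server, host):
    """Schema B: HBAC rule references a time-rule entry by DN.

    Every distinct DN costs an extra read (cached so shared rules are read once).
    A reference to a missing entry is fail-closed: the rule is dropped and
    reported, because applying it with no time restriction would widen access.
    """
    cache, resolved, dangling = {}, {}, []
    for dn, e in rules_for_host(server, host).items():
        times, complete = [], True
        for ref in e.get("memberTimeRule", []):
            if ref not in cache:
                cache[ref] = server.read(ref)
            if cache[ref] is None:
                complete = False
                dangling.append((dn, ref))
                continue
            times.extend(cache[ref]["accessTime"])
        if complete:
            resolved[dn] = times
    return resolved, dangling


def compare(host):
    """Run both fetch strategies against fresh stubs and report the cost."""
    a, b = LdapStub(DIRECTORY), LdapStub(DIRECTORY)
    inline = fetch_inline(a, host)
    referenced, dangling = fetch_referenced(b, host)
    return {
        "inline": inline,
        "inline_round_trips": a.round_trips,
        "referenced": referenced,
        "referenced_round_trips": b.round_trips,
        "dangling": dangling,
    }


if __name__ == "__main__":
    for host in (HOST1, HOST2):
        r = compare(host)
        print(host, "inline:", r["inline_round_trips"], "referenced:",
              r["referenced_round_trips"], "dangling:", r["dangling"])
```

The stub models dereferencing as one read per distinct DN; a client could instead batch the DNs into a single filter or, as the reply above puts it, "just download all timerules", but either way it must parse the rules first to know what to ask for, and it must decide what to do when a reference resolves to nothing. Dropping such a rule (fail-closed) is the conservative choice shown here.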