On Fri, 2016-02-26 at 13:17 +0100, Lukáš Hellebrandt wrote:
> Hi, FreeIPA and SSSD communities!
>
> I am working on adding URI to HBAC as my thesis [1]. The goal is to
> control access not only based on (user, host, service), but on (user,
> host, service, resource's URI).
>
> I created a patch for FreeIPA [2] so it is capable of storing URI as
> part of HBAC rule. I created a patch for SSSD [3] so it is able to get
> this URI from FreeIPA and use it in HBAC evaluation.
>
> I still need to develop a part of SSSD receiving URI-aware requests. It
> will either be an enhancement of Infopipe or I will use PAM responder
> (any suggestions?).
>
> I wanted to kindly ask you for review and your opinions on the patches
> and generally on my approach. This would be my first contribution to
> FreeIPA and SSSD so there might be bugs. What do you think?
>
> Btw, is there some better place to share patches than a pasting tool?
> Maybe some form of pull request?
>
> Thanks for your opinions!
>
> [1] https://diplomky.redhat.com/topic/show/326/store-and-manage-access-to-uris-in-freeipa
> [2] http://pastebin.com/rsHzXeAR
> [3] http://pastebin.com/atcZMuP1
Hi Lukas,
could you please post your patches here using git-format-patch or even better provide a public git tree with them applied? (Any place: github, fedorapeople, your own server, etc. is fine)

First a question: what service can actually use this scheme and how? There is no URL field in PAM.

On the patches:

[2] you define a new attribute Url which is fine, but the actual attribute is not ok in several ways.
- You assigned an OID from a hole in the IPAv2 Attributes space, it should be an assigned ID from the IPAv3 attribute space instead
- You do not namespace the attribute, it should at least be ipaUrl
- you are using caseExact matching, is this intentional? Are the URIs in there case sensitive strings?
- there is an available attribute called labeledURI (with alias labeledurl) in the standard schema (however I notice it also has caseExactMatch) that has basically the same definition as your Url attribute, why not use that one?

[3] If I read the patch correctly failing to find a Url is a fatal condition, this is not ok as it would fail to operate with older servers that do not have a url on the rules.

It is not clear to me what happens on an older client if URL is used but not the service? Or is service always enforced? (It is not clear to me that it is).

HTH,
Simo.

--
Simo Sorce * Red Hat, Inc * New York

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
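The compatibility point raised above about [3], that a rule without a URI attribute must not be a fatal condition, and the caseExactMatch question, modelled as an added toy evaluator. This is a constructed example, not SSSD or FreeIPA code; the rule/request shapes and the `uri` field name are assumptions standing in for whatever attribute (ipaUrl or labeledURI) the schema ends up using.

```python
"""Toy HBAC evaluator: (user, host, service, URI) with backward compatibility.
Constructed example; the data model is an assumption, not SSSD's real one."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class HbacRule:
    name: str
    users: set
    hosts: set
    services: set
    # None models a rule stored by an older server that never had a URI
    # attribute at all; such rules must keep working unchanged.
    uri: Optional[str] = None


@dataclass
class HbacRequest:
    user: str
    host: str
    service: str
    uri: Optional[str] = None


def uri_matches(rule_uri: Optional[str], req_uri: Optional[str]) -> bool:
    """Absent rule URI = no URI restriction (never an error). Scheme and host
    compare case-insensitively (RFC 3986); the path keeps exact case, which is
    the behaviour caseExactMatch on the attribute would imply."""
    if rule_uri is None:
        return True          # old server / rule without URI: allow as before
    if req_uri is None:
        return False         # rule restricts a URI but the request has none
    r, q = urlsplit(rule_uri), urlsplit(req_uri)
    if (r.scheme.lower(), r.hostname) != (q.scheme.lower(), q.hostname):
        return False
    return q.path.startswith(r.path)   # rule path acts as a prefix


def rule_allows(rule: HbacRule, req: HbacRequest) -> bool:
    return (req.user in rule.users and req.host in rule.hosts
            and req.service in rule.services
            and uri_matches(rule.uri, req.uri))


def evaluate(rules, req: HbacRequest) -> bool:
    """HBAC rules are allow rules: grant if any rule matches, else deny."""
    return any(rule_allows(r, req) for r in rules)
```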
