On Fri, 2016-02-26 at 13:17 +0100, Lukáš Hellebrandt wrote:
> Hi, FreeIPA and SSSD communities!
> I am working on adding URI to HBAC as my thesis. The goal is to
> control access not only based on (user, host, service), but on (user,
> host, service, resource's URI).
> I created a patch for FreeIPA so it is capable of storing URI as
> part of HBAC rule. I created a patch for SSSD so it is able to get
> this URI from FreeIPA and use it in HBAC evaluation.
> I still need to develop a part of SSSD receiving URI-aware requests. It
> will either be an enhancement of Infopipe or I will use PAM responder
> (any suggestions?).
> I wanted to kindly ask you for review and your opinions on the patches
> and generally on my approach. This would be my first contribution to
> FreeIPA and SSSD so there might be bugs. What do you think?
> Btw, is there some better place to share patches than a pasting tool?
> Maybe some form of pull request?
> Thanks for your opinions!
Hi Lukas, could you please post your patches here using git-format-patch or,
even better, provide a public git tree with them applied?
(Any place is fine: github, fedorapeople, your own server, etc.)
First a question: what service can actually use this scheme, and how?
There is no URL field in PAM.
On the patches:
You define a new attribute Url, which is fine, but the actual
attribute is not ok in several ways.
- You assigned an OID from a hole in the IPAv2 Attributes space; it
should be an assigned ID from the IPAv3 attribute space instead
- You do not namespace the attribute, it should at least be ipaUrl
- You are using caseExact matching; is this intentional? Are the URIs
in there case-sensitive strings?
- there is an available attribute called labeledURI (with alias
labeledurl) in the standard schema (however I notice it also has
caseExactMatch) that has basically the same definition of your Url
attribute, why not use that one ?
If I read the patch correctly, failing to find a Url is a fatal
condition. This is not ok, as it would fail to operate with older servers
that do not have a url on the rules.
It is not clear to me what happens on an older client if URL is used but
not the service. Or is service always enforced? (It is not clear to me
that it is.)
Simo Sorce * Red Hat, Inc * New York
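The two behaviours questioned above (a rule whose URI attribute is simply absent because the server predates the schema change, and a service check that must stay enforced whether or not a URI is present) can be made concrete with a small evaluator. The following is an added illustration, not SSSD or FreeIPA code; the rule layout, the attribute name ipaUrl, prefix matching on the URI, and the fail-closed choice when a rule restricts by URI but the caller supplies none are all assumptions made for this example. Comparison is case-exact, mirroring the caseExactMatch rule of the standard labeledURI attribute.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class HbacRule:
    """One HBAC rule as a client might receive it from the server.

    ``uris`` stands in for the assumed new attribute (called ``ipaUrl``
    in this example, following the namespacing suggestion above).  It is
    ``None`` when the server did not send it, which is what an older
    server that predates the schema change will do.
    """
    name: str
    users: Set[str]
    hosts: Set[str]
    services: Set[str]
    uris: Optional[List[str]] = None  # URI prefixes; None == attribute absent


@dataclass
class Request:
    user: str
    host: str
    service: str
    uri: Optional[str] = None  # None for callers with no URI (e.g. plain PAM)


def uri_matches(rule: HbacRule, uri: Optional[str]) -> bool:
    """Decide the URI part of the rule.

    - Attribute absent (older server): the rule is not restricted by URI,
      so it behaves exactly as before and the missing value is not fatal.
    - Attribute present but the request carries no URI: fail closed, the
      rule asked for a restriction the caller cannot satisfy (assumption).
    - Otherwise: prefix match, compared case-exactly (caseExactMatch).
    """
    if rule.uris is None:
        return True
    if uri is None:
        return False
    return any(uri.startswith(prefix) for prefix in rule.uris)


def evaluate(rules: List[HbacRule], req: Request) -> Tuple[bool, Optional[str]]:
    """Return (allowed, name of the first matching rule or None).

    User, host and service are always enforced; the URI check only
    narrows a rule that already matched on those three.
    """
    for rule in rules:
        if (req.user in rule.users
                and req.host in rule.hosts
                and req.service in rule.services
                and uri_matches(rule, req.uri)):
            return True, rule.name
    return False, None


# Constructed sample rule set: one URI-aware rule and one rule as an
# older server would return it (no URI attribute at all).
RULES = [
    HbacRule(
        name="web_admins",
        users={"alice"},
        hosts={"web1.example.test"},
        services={"httpd"},
        uris=["https://intranet.example.test/admin/"],
    ),
    HbacRule(
        name="legacy_ssh",
        users={"bob"},
        hosts={"web1.example.test"},
        services={"sshd"},
        # uris left as None: attribute not present on this rule
    ),
]


if __name__ == "__main__":
    host = "web1.example.test"
    for req in (
        Request("alice", host, "httpd", "https://intranet.example.test/admin/users"),
        Request("alice", host, "httpd", "https://intranet.example.test/ADMIN/users"),
        Request("alice", host, "httpd", None),
        Request("alice", host, "sshd", "https://intranet.example.test/admin/users"),
        Request("bob", host, "sshd", None),
    ):
        print(req, "->", evaluate(RULES, req))
```

The second request in the sample run is denied only because of the case difference in the path, which is the behaviour a caseExact matching rule on the attribute buys you; the fourth is denied because the service does not match even though the URI does, showing the service check is never bypassed by the URI.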