On Fri, 2016-02-26 at 13:17 +0100, Lukáš Hellebrandt wrote:
> Hi, FreeIPA and SSSD communities!
> I am working on adding URI to HBAC as my thesis [1]. The goal is to
> control access not only based on (user, host, service), but on (user,
> host, service, resource's URI).
> I created a patch for FreeIPA [2] so it is capable of storing URI as
> part of HBAC rule. I created a patch for SSSD [3] so it is able to get
> this URI from FreeIPA and use it in HBAC evaluation.
> I still need to develop a part of SSSD receiving URI-aware requests. It
> will either be an enhancement of Infopipe or I will use PAM responder
> (any suggestions?).
> I wanted to kindly ask you for review and your opinions on the patches
> and generally on my approach. This would be my first contribution to
> FreeIPA and SSSD so there might be bugs. What do you think?
> Btw, is there some better place to share patches than a pasting tool?
> Maybe some form of pull request?
> Thanks for your opinions!
> [1]
> https://diplomky.redhat.com/topic/show/326/store-and-manage-access-to-uris-in-freeipa
> [2]
> http://pastebin.com/rsHzXeAR
> [3]
> http://pastebin.com/atcZMuP1

Hi Lukas, could please post your patches here using git-format-patch or
even better provide a public git tree with them applied ?
(Any place github, fedorapeople, your own server, etc. is fine)

First a question, what service can actually use this scheme and how ?
there is no URL field in PAM.

On the patches:

[2] you define a new attribute Url which is fine, but the actual
attribute is not ok in several way.

- You assigned an OID from a hole in the IPAv2 Attibutes space, it
should be an assigned ID from the IPAv3 attribute space instead

- You do not namespace the attribute, it should at least be ipaUrl 

- you are using case Exact matching, is this intentional? Are the URIs
in there case sensitive strings ?

- there is an available attribute called labeledURI (with alias
labeledurl) in the standard schema (however I notice it also has
caseExactMatch) that has basically the same definition of your Url
attribute, why not use that one ?

[3] If I read the patch correctly failing to find a Url is a fatal
condition, this is not ok as it would fail to operate with older servers
that do not have a url on the rules.

It is not clear to me what happen on an older client if URL is used but
not the service? Or is service always enforced ? (It is not clear to me
that it is).


Simo Sorce * Red Hat, Inc * New York

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to