On Fri, 2016-02-26 at 17:17 +0100, Jakub Hrozek wrote:
> On Fri, Feb 26, 2016 at 10:58:57AM -0500, Simo Sorce wrote:
> > On Fri, 2016-02-26 at 13:17 +0100, Lukáš Hellebrandt wrote:
> > > Hi, FreeIPA and SSSD communities!
> > >
> > > I am working on adding URI to HBAC as my thesis [1]. The goal is to control access not only based on (user, host, service), but on (user, host, service, resource's URI).
> > >
> > > I created a patch for FreeIPA [2] so it is capable of storing URI as part of HBAC rule. I created a patch for SSSD [3] so it is able to get this URI from FreeIPA and use it in HBAC evaluation.
> > >
> > > I still need to develop a part of SSSD receiving URI-aware requests. It will either be an enhancement of Infopipe or I will use PAM responder (any suggestions?).
> > >
> > > I wanted to kindly ask you for review and your opinions on the patches and generally on my approach. This would be my first contribution to FreeIPA and SSSD so there might be bugs. What do you think?
> > >
> > > Btw, is there some better place to share patches than a pasting tool? Maybe some form of pull request?
> > >
> > > Thanks for your opinions!
> > >
> > > [1] https://diplomky.redhat.com/topic/show/326/store-and-manage-access-to-uris-in-freeipa
> > > [2] http://pastebin.com/rsHzXeAR
> > > [3] http://pastebin.com/atcZMuP1
> >
> > Hi Lukas, could you please post your patches here using git-format-patch or, even better, provide a public git tree with them applied? (Any place is fine: github, fedorapeople, your own server, etc.)
> >
> > First a question: what service can actually use this scheme and how? There is no URL field in PAM.
>
> When Lukas started the work, we IIRC concluded that PAM is not an appropriate interface and we should probably expose some DBUS methods for access control. We haven't really discussed any details since then.

This only shifts the question: what service would use this interface? Note I am not opposed to it, but I would like to understand how we are going to test that it actually works and is useful.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
