On Fri, 2016-02-26 at 17:17 +0100, Jakub Hrozek wrote:
> On Fri, Feb 26, 2016 at 10:58:57AM -0500, Simo Sorce wrote:
> > On Fri, 2016-02-26 at 13:17 +0100, Lukáš Hellebrandt wrote:
> > > Hi, FreeIPA and SSSD communities!
> > > 
> > > I am working on adding URI to HBAC as my thesis [1]. The goal is to
> > > control access not only based on (user, host, service), but on (user,
> > > host, service, resource's URI).
> > > 
> > > I created a patch for FreeIPA [2] so it is capable of storing URI as
> > > part of HBAC rule. I created a patch for SSSD [3] so it is able to get
> > > this URI from FreeIPA and use it in HBAC evaluation.
> > > 
> > > I still need to develop a part of SSSD receiving URI-aware requests. It
> > > will either be an enhancement of Infopipe or I will use PAM responder
> > > (any suggestions?).
> > > 
> > > I wanted to kindly ask you for review and your opinions on the patches
> > > and generally on my approach. This would be my first contribution to
> > > FreeIPA and SSSD so there might be bugs. What do you think?
> > > 
> > > Btw, is there some better place to share patches than a pasting tool?
> > > Maybe some form of pull request?
> > > 
> > > Thanks for your opinions!
> > > 
> > > [1]
> > > https://diplomky.redhat.com/topic/show/326/store-and-manage-access-to-uris-in-freeipa
> > > [2]
> > > http://pastebin.com/rsHzXeAR
> > > [3]
> > > http://pastebin.com/atcZMuP1
> > > 
> > 
> > Hi Lukas, could you please post your patches here using git-format-patch or
> > even better provide a public git tree with them applied?
> > (Any place github, fedorapeople, your own server, etc. is fine)
> > 
> > 
> > First a question, what service can actually use this scheme and how?
> > There is no URL field in PAM.
> 
> When Lukas started the work, we IIRC concluded that PAM is not an
> appropriate interface and we should probably expose some DBUS methods
> for access control. We haven't really discussed any details since then.

This only shifts the question, what service would use this interface?
Note I am not opposed to it, but would like to understand how we are
going to test that it actually works and is useful.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
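The (user, host, service, resource URI) evaluation Lukáš describes, sketched as an added example in Python. This is not FreeIPA or SSSD code and not the posted patches: the rule layout, the choice of path-prefix matching within a fixed scheme and host, the canonicalisation of the requested URI before matching, and the rule names and sample requests are all assumptions made here for illustration. A rule with no URI keeps today's behaviour (it applies to any resource), and an unmatched request is denied.

```python
"""Added example, not FreeIPA/SSSD code: a toy HBAC evaluator that also
checks the resource URI. Matching semantics are assumed for illustration."""
from dataclasses import dataclass
from posixpath import normpath
from typing import Iterable, Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class HbacRule:
    name: str
    users: frozenset            # user names this rule applies to
    hosts: frozenset            # hosts this rule applies to
    services: frozenset         # service names, e.g. "httpd"
    uri: Optional[str] = None   # assumed: optional URI prefix; None means any URI


def canonical(uri: str) -> Tuple[str, str, str]:
    """Split a URI into (scheme, host, path) with scheme/host lower-cased and
    the path normalised ("a/../b" -> "b", "//" collapsed) so that the rule and
    the request are compared in the same form."""
    parts = urlsplit(uri)
    path = normpath(parts.path) if parts.path else "/"
    return parts.scheme.lower(), parts.netloc.lower(), path


def uri_matches(rule_uri: Optional[str], request_uri: str) -> bool:
    """Assumed semantics: same scheme and host, and the request path is the
    rule path or lies below it. Comparison is per path segment, so a rule for
    /admin does not cover /administrator."""
    if rule_uri is None:
        return True
    r_scheme, r_host, r_path = canonical(rule_uri)
    q_scheme, q_host, q_path = canonical(request_uri)
    if (r_scheme, r_host) != (q_scheme, q_host):
        return False
    if r_path == "/":
        return True
    return q_path == r_path or q_path.startswith(r_path.rstrip("/") + "/")


def hbac_allows(rules: Iterable[HbacRule], user: str, host: str,
                service: str, uri: str) -> Optional[str]:
    """Return the name of the first rule that permits the request, or None
    (deny by default, as with the existing (user, host, service) check)."""
    for rule in rules:
        if (user in rule.users and host in rule.hosts
                and service in rule.services and uri_matches(rule.uri, uri)):
            return rule.name
    return None


# Constructed sample rule set (hypothetical names and hosts).
RULES = (
    HbacRule("staff_public", frozenset({"bob"}), frozenset({"web1"}),
             frozenset({"httpd"}), "https://intranet.example.com/public"),
    HbacRule("admins", frozenset({"alice"}), frozenset({"web1"}),
             frozenset({"httpd"}), "https://intranet.example.com/admin"),
    # Legacy-style rule without a URI: applies to any resource on the host.
    HbacRule("legacy_any_uri", frozenset({"carol"}), frozenset({"web1"}),
             frozenset({"httpd"})),
)

if __name__ == "__main__":
    for who, what in (("alice", "https://intranet.example.com/admin/users"),
                      ("bob", "https://intranet.example.com/public/../admin/users"),
                      ("carol", "https://intranet.example.com/anything")):
        print(who, what, "->", hbac_allows(RULES, who, "web1", "httpd", what))
```

The canonicalisation step is what makes a URI-scoped rule meaningful: without it, a request for `/public/../admin/users` would pass a naive prefix test for `/public` while the web server actually serves `/admin/users`.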

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
