On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
> I created a design page for the feature:
> http://www.freeipa.org/page/URI-based-HBAC-design

The way most web applications (that I see as the first use for this
feature) are structured, they have more openly accessible areas at
"top" URLs like


which might have unrestricted access, with authenticated or otherwise
narrowed access underneath, like


with yet more restricted areas in sub-URLs, for example


Since obviously allow rule for /application/users/ would match access
to /application/users/admin/ as well and we don't want that, there
needs to be a way to "override" the /application/users/ rule with
a more specific one.

You present two solutions to the problem -- deny rules, and regular

Having to use


rule to make sure it does not match /application/users/admin/ means
that when you add


you will not only have to edit that rule, but also amend the


rule and add helpdesk there. That will be extremely volatile and
error-prone if you have dozens of sub-locations that require
separate, more restrictive access. Users cannot be expected to keep
these separate rules in sync.

My preferred solution would be to treat the URL as left prefix, and
maintain for each URL/rule list of/links to sub-URLs/sub-rules for
which the URL/rule no longer applies.

So when you have rule for


and add rule for


the first one gets automatically amended to be

        /application/users/             [ admin/ ]

And when you add


it will automatically get

        /application/                   [ users/ ]

because there is already a rule that limits the scope.

The benefit of this approach is that if you need to evaluate access
to say


and you already have rule for

        /application/                   [ users/ ]

cached either in SSSD or in the application (Apache module), you know
you don't have to refetch additional rules because if they existed,
their existence would be noted in the sub-URL "exclusion" list.

You will achieve similar functionality to what you propose with the
regular expression approach, except the computers will do the work
of keeping things in sync, not users.

Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to