On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
> I created a design page for the feature:
>
> http://www.freeipa.org/page/URI-based-HBAC-design
In the document, you say

    In all of them [ approaches ], I use only the part of URI after
    hostname as hostname and service are already matched as part of
    selecting HBAC rules to evaluate in terms of matching URI.

This is not correct.

The hostname of the machine may be

    cloud-123-567.example.com

The service (principal) might be

    HTTP/cloud-123-567.example.com

The HBAC service (== PAM service) might be 'application', or 'httpd'.

But the URL might be

    http://wiki.example.com/wiki

or

    https://issues.example.com/

or

    http://www.example.com:8080/

Distinct applications and content, with completely distinct URLs, locations, and security requirements, hosted on the same machine and under the same HBAC service.

The full URL needs to be taken into account.

There can be situations like

    http:///wiki

where the hostname is omitted in the rule, but it has to be an explicit decision of the user (admin) editing the rules, not something built into the mechanism.

--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
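An added illustration of the point made above, written for this thread and not part of the FreeIPA design or code base: a rule matcher that compares the whole URL (scheme, host, port, path) against a request, beside the rejected path-only comparison, with an empty host in the rule (http:///wiki) treated as the admin's explicit choice to match any host. Rule and request URLs are constructed sample values; the function names are assumptions of this example.

```python
from urllib.parse import urlsplit

# Default ports so that http://h/ and http://h:80/ compare equal.
DEFAULT_PORTS = {"http": 80, "https": 443}


def _parts(uri):
    """Split a URI into (scheme, host, port, path); host is '' for http:///wiki."""
    u = urlsplit(uri)
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()
    port = u.port if u.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port, u.path or "/"


def _path_prefix(rule_path, req_path):
    """/wiki covers /wiki and /wiki/..., but not /wikileaks; / covers everything."""
    rule_path = rule_path.rstrip("/") or "/"
    if rule_path == "/":
        return True
    return req_path == rule_path or req_path.startswith(rule_path + "/")


def uri_matches(rule_uri, request_uri):
    """Full-URL comparison: scheme, host and port must agree, path by prefix.

    An empty host in the rule is an explicit wildcard on host and port,
    chosen by the admin when writing the rule; it is never implied."""
    r_scheme, r_host, r_port, r_path = _parts(rule_uri)
    q_scheme, q_host, q_port, q_path = _parts(request_uri)
    if r_scheme != q_scheme:
        return False
    if r_host and (r_host != q_host or r_port != q_port):
        return False
    return _path_prefix(r_path, q_path)


def path_only_matches(rule_uri, request_uri):
    """The rejected approach: compare only the part after the hostname."""
    return _path_prefix(_parts(rule_uri)[3], _parts(request_uri)[3])


if __name__ == "__main__":
    rule = "http://wiki.example.com/wiki"
    other_host = "http://issues.example.com/wiki"
    # Path-only matching lets a wiki rule open the issue tracker's /wiki.
    print("path-only:", path_only_matches(rule, other_host))   # True
    print("full URL: ", uri_matches(rule, other_host))         # False
```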