On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
> I created a design page for the feature:
> 
> http://www.freeipa.org/page/URI-based-HBAC-design

In the document, you say

        In all of them [ approaches ], I use only the part of URI
        after hostname as hostname and service are already matched
        as part of selecting HBAC rules to evaluate in terms of
        matching URI. 

This is not correct.

The hostname of the machine may be

        cloud-123-567.example.com

The service (principal) might be HTTP/cloud-123-567.example.com.

The HBAC service (== PAM service) might be 'application', or 'httpd'.

But the URL might be

        http://wiki.example.com/wiki

or

        https://issues.example.com/

or

        http://www.example.com:8080/

Distinct applications and content, with completely distinct URLs,
locations, and security requirements, hosted on the same machine and
under the same HBAC service.

The full URL needs to be taken into account. There can be situations
like

        http:///wiki

where the hostname is omitted in the rule but it has to be an
explicit decision of the user (admin) editing the rules, not something
built into the mechanism.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
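To make the point above concrete, here is an added example (not code from FreeIPA or from the design page) contrasting the path-only comparison the mail objects to with a matcher that takes the full URL into account. The function names, the segment-wise prefix semantics for the path, and the treatment of a rule with an empty host (`http:///wiki`) as the admin's explicit "any host" choice are all assumptions made for this illustration.

```python
from urllib.parse import urlsplit

# Default ports used when a URL does not carry one explicitly (assumption).
DEFAULT_PORTS = {"http": 80, "https": 443}


def _effective_port(parts):
    # An explicit port wins; otherwise fall back to the scheme's default.
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme.lower())


def _path_prefix(rule_path, req_path):
    # Segment-wise prefix: "/wiki" covers "/wiki" and "/wiki/Main_Page",
    # but not "/wikipedia". A rule path of "/" (or none) covers everything.
    rule = rule_path.rstrip("/")
    if rule == "":
        return True
    return req_path == rule or req_path.startswith(rule + "/")


def path_only_matches(rule_uri, request_uri):
    """The approach criticised in the mail: only the part after the
    hostname is compared, so distinct vhosts on one machine collapse."""
    return _path_prefix(urlsplit(rule_uri).path, urlsplit(request_uri).path)


def full_uri_matches(rule_uri, request_uri):
    """Compare scheme, host, port and path of the rule against the request.

    An empty host in the rule (e.g. "http:///wiki") is treated as the
    admin's explicit decision to match any host (and any port); a host
    that is present must match exactly, including the effective port.
    """
    rule, req = urlsplit(rule_uri), urlsplit(request_uri)
    if rule.scheme.lower() != req.scheme.lower():
        return False
    if rule.hostname is not None:
        if rule.hostname.lower() != (req.hostname or "").lower():
            return False
        if _effective_port(rule) != _effective_port(req):
            return False
    return _path_prefix(rule.path, req.path)


if __name__ == "__main__":
    # Constructed sample: the mail's example hosts, all served by one httpd.
    rule = "http://wiki.example.com/wiki"
    other_vhost = "http://www.example.com:8080/wiki"
    print("path-only :", path_only_matches(rule, other_vhost))   # True  (wrong grant)
    print("full URL  :", full_uri_matches(rule, other_vhost))    # False (correct)
```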
