On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
> I created a design page for the feature:
> http://www.freeipa.org/page/URI-based-HBAC-design

In the document, you say

        In all of them [ approaches ], I use only the part of URI
        after hostname as hostname and service are already matched
        as part of selecting HBAC rules to evaluate in terms of
        matching URI. 

This is not correct.

The hostname of the machine may be


The service (principal) might be HTTP/cloud-123-567.example.com.

The HBAC service (== PAM service) might be 'application', or 'httpd'.

But the URL might be






Distinct applications and content, with completely distinct URLs,
locations, and security requirements, hosted on the same machine and
under the same HBAC service.

The full URL needs to be taken into account. There can be situations


where the hostname is ommitted in the rule but it has to be an
explicit decision of the user (admin) editing the rules, not something
built into the mechanism.

Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to