On Thu, Mar 24, 2016 at 12:38:37PM +0100, Martin Kosek wrote:
> On 03/24/2016 10:24 AM, Jan Pazdziora wrote:
> > On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
> ...
> > You present two solutions to the problem -- deny rules, and regular
> > expressions.
>
> For the record, HBAC deny rules is something we will want to avoid. Deny HBAC
Certainly. And for the current HBAC's model of user (groups), host (groups), service (groups), you can tell the admin to structure their environment and groups in such a way that they are not needed.

But the question is, if you want the admin to be able to control access to a website where longer URLs often need to be more restricted than the shorter ones, what mechanism do you propose? It is not possible to positively (for allow purposes) list only an exhaustive list of URL prefixes that should have the broader access allowed -- new versions of the web application can introduce additional URLs into the namespace, and the URLs are not identities like users or hosts that FreeIPA would be aware of and that you could easily manage by putting them into groups.

The natural way to think about access to web URLs is to say "I only want admins to access /application/users/admin/". Which of course means "I want to deny everyone who has otherwise access to other URLs, except for admins".

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
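The argument above, as an added example that is not part of the thread or of FreeIPA: a toy evaluator for URL-prefix rules with allow and deny semantics. The users, groups, URLs and rules are constructed sample data; it shows that under an allow-only policy every account reaches the admin subtree, that a deny rule exempting admins gives the intended result, and that a URL introduced by a new application version is covered without any policy change.

```python
"""Toy URL-prefix access evaluator (constructed example, not FreeIPA code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    effect: str                      # "allow" or "deny"
    prefix: str                      # URL prefix the rule covers
    groups: frozenset = frozenset()  # allow: who gets access (empty = everyone)
                                     # deny: who is exempt from the deny


def _applies(rule, url, user_groups):
    """Does this rule say anything about this user at this URL?"""
    if not url.startswith(rule.prefix):
        return False
    if rule.effect == "allow":
        return not rule.groups or bool(rule.groups & user_groups)
    # A deny applies to everyone except the exempted groups.
    return not (rule.groups & user_groups)


def allowed(url, user_groups, rules):
    """Deny takes precedence over allow, as in a deny-capable HBAC model."""
    hits = [r for r in rules if _applies(r, url, user_groups)]
    if any(r.effect == "deny" for r in hits):
        return False
    return any(r.effect == "allow" for r in hits)


# Allow-only policy: the whole application for everyone with an account.
ALLOW_ONLY = [Rule("allow", "/application/")]

# Same policy plus the natural statement "only admins may use the admin
# subtree", expressed as a deny for everyone except admins.
WITH_DENY = ALLOW_ONLY + [Rule("deny", "/application/users/admin/", frozenset({"admins"}))]

# Constructed accounts; "/application/reports/" stands for a URL added by a new release.
USERS = {"alice": frozenset({"users"}), "bob": frozenset({"users", "admins"})}
URLS = ["/application/home/", "/application/users/admin/", "/application/reports/"]


def evaluate(policy):
    """Return the access decision for each (user, URL) pair under a policy."""
    return {(u, url): allowed(url, USERS[u], policy) for u in USERS for url in URLS}


if __name__ == "__main__":
    for name, policy in (("allow-only", ALLOW_ONLY), ("with-deny", WITH_DENY)):
        print(name)
        for (user, url), ok in sorted(evaluate(policy).items()):
            print(f"  {user:6} {url:28} {'allow' if ok else 'deny'}")
```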