On Thu, Mar 24, 2016 at 12:38:37PM +0100, Martin Kosek wrote:
> On 03/24/2016 10:24 AM, Jan Pazdziora wrote:
> > On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
> ...
> > You present two solutions to the problem -- deny rules, and regular
> > expressions.
> For the record, HBAC deny rules is something we will want to avoid. Deny HBAC

Certainly. And for the current HBAC's model of user (groups), host
(groups), service (groups), you can tell the admin to structure their
environment and groups in such a way that they are not needed.

But the question is, if you want for the admin to be able to control
access to a website where longer URLs often need to be more restricted
than the shorter ones, what mechanism do you propose? It is not
possible to positively (for allow purposes) list only an exhaustive list
of URL prefixes that should have the broader access allowed -- new
versions of the web application can introduce additional URLs into the
namespace, and the URLs are not identities like users or hosts that
FreeIPA would be aware of and that you could easily manage by putting
them into groups.

The natural way to think about access to web URLs is to say "I only
want admins to access /application/users/admin/". Which of course
means "I want to deny everyone who has otherwise access to other URLs,
except for admins".

Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
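As an added illustration of the "longer URLs are more restricted" model discussed in this message (this is not FreeIPA code; the rule set, users and group memberships are constructed), a small evaluator in which the most specific matching URL prefix decides, so a narrower rule under /application/users/admin/ overrides the broader one, and a URL introduced by a new application version still falls under the nearest existing prefix without being listed:

```python
# Added example, not FreeIPA code: longest-prefix-match evaluation of
# URL access rules, where a longer prefix narrows a broader one.
from typing import Dict, List, Optional, Tuple

# Constructed rule set: (URL prefix, groups allowed under that prefix).
RULES: List[Tuple[str, frozenset]] = [
    ("/application/", frozenset({"staff", "admins"})),
    ("/application/users/admin/", frozenset({"admins"})),
]

# Constructed group membership, standing in for what FreeIPA would know.
MEMBERSHIP: Dict[str, frozenset] = {
    "alice": frozenset({"admins", "staff"}),
    "bob": frozenset({"staff"}),
    "eve": frozenset(),
}


def matching_rule(url: str, rules=RULES) -> Optional[Tuple[str, frozenset]]:
    """Return the rule whose prefix is the longest match for url, or None."""
    matches = [r for r in rules if url.startswith(r[0])]
    return max(matches, key=lambda r: len(r[0])) if matches else None


def allowed(user: str, url: str, rules=RULES, membership=MEMBERSHIP) -> bool:
    """Allow only if the most specific prefix grants one of the user's groups.

    A URL under no known prefix has no rule and is denied (default closed).
    A URL added under an existing prefix inherits that prefix's restriction,
    so the admin does not have to enumerate every path the application has.
    """
    rule = matching_rule(url, rules)
    if rule is None:
        return False
    return bool(membership.get(user, frozenset()) & rule[1])


if __name__ == "__main__":
    for user, url in [("alice", "/application/users/admin/"),
                      ("bob", "/application/users/admin/roles"),
                      ("bob", "/application/reports/new"),
                      ("eve", "/application/")]:
        print(f"{user:5} {url:35} -> {'allow' if allowed(user, url) else 'deny'}")
```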

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code