On Thu, Mar 24, 2016 at 02:08:22PM +0100, Martin Kosek wrote:
> 
> I agree it is complicated. While Deny HBAC rules is something we do not want,
> allowing exclusive rules for an HBAC URI rule may be acceptable. This would be
> the same approach we chose with Exclusive Time rules in Time-Based HBAC:
> 
> http://www.freeipa.org/page/V4/Time-Based_Account_Policies#Time_Policies_Storage

Right. The accessTimeExclude effectively seems to be DENY, in a sense
that you need to evaluate it to "override" other accessTime records
that might have allowed the access. And if you miss the record with
accessTimeExclude, you've allowed access that shouldn't have been
allowed.

> For the URI identifiers, we should also try to reinvent the wheel here. Can we
> adopt an approach used in some of the most common frameworks for URL matching?
> Take Django for example:
> 
> https://docs.djangoproject.com/en/1.9/topics/http/urls/

Not sure which part of the approach you have in mind. Django uses
a list of url()s, which gives an explicit order in which they are evaluated
/ matched. To emulate that in IPA, using some mechanism to give the
LDAP records stable ordering (unique integer attribute?) might work.
But that might be perceived as a foreign concept in the otherwise
"declarative" nature of HBAC rules (and LDAP in general).

> Using the pattern approach you mentioned elsewhere could work, I am just
> worried how user friendly it would be for non-developers. But we can also
> make use of these patterns as the raw storage format and build some nice
> UI/CLI on top of it.

I actually prefer left prefix to regular expression patterns.

> Can we do the same as with the current default "allow all" rule?
> I.e. allow "/" for

I'm not really fond of the allow_all rule because starting with the
default setup where it is enabled (and HBAC in effect not playing any
role) and wanting to start using HBAC just for one machine means a
pretty big manual effort:

        http://www.freeipa.org/page/Howto/HBAC_and_allow_all

> all sites by default and let admin to remove that for sites with access
> controlled and restricted by FreeIPA HBAC.

The question is, how do you know that a site is access controlled? If
a rule (with URL part) does not match the requested URL, it doesn't
mean there isn't such a rule and that access should be allowed.

Maybe the right approach is to make "sites" a first-class citizen, so
that you can be explicit about using the URL-based access control for
a particular site or not.

> This would mean the admin would
> typically need to define some general rule making the site accessible by all, with
> the exceptions defined in "exclude" access rules, and then build the rules specific
> to these excluded parts of the application URL tree.

Right, and we also need to give admin a very easy way to define those
excludes implicitly, by having the additional (sub-URL) rules
automatically populate those excludes for the "parent" URLs.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
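To make the two points of this reply concrete (an exclude record that is missed fails open, and sub-URL rules should populate their parent's excludes automatically), here is a small added illustration in Python. It is not FreeIPA code and not part of the thread; the UriRule shape, the attribute names, the sample rules and the users are all assumptions, and it models HBAC as "access is granted if any matching rule lists the user", with left-prefix matching as preferred above rather than regular expressions.

```python
# Added illustration, not FreeIPA code: left-prefix URL rules that are OR-ed
# together (HBAC semantics), each carrying "exclude" sub-prefixes in the spirit
# of accessTimeExclude. Rule names, users and paths below are constructed.
from dataclasses import dataclass, field


@dataclass
class UriRule:
    name: str
    prefix: str                                  # left prefix of the URL path; "/" = whole site
    users: frozenset                             # users this rule allows
    excludes: set = field(default_factory=set)   # sub-prefixes this rule deliberately does not cover


def matches(rule, path, honor_excludes=True):
    """True if path falls under rule.prefix and not under one of its excludes.

    honor_excludes=False simulates the failure mode from the thread: the
    exclude record exists but the evaluator never looked at it, so the
    parent rule still grants access it should not.
    """
    if not path.startswith(rule.prefix):
        return False
    if honor_excludes and any(path.startswith(ex) for ex in rule.excludes):
        return False
    return True


def derive_excludes(rules):
    """Return a copy of the rules where every rule excludes each other rule's
    strictly longer prefix. This is the "sub-URL rules automatically populate
    the parent's excludes" idea: the admin writes "/" and "/admin/", and the
    "/" rule stops covering "/admin/" without a hand-written exclude."""
    derived = []
    for r in rules:
        children = {o.prefix for o in rules
                    if o.prefix != r.prefix and o.prefix.startswith(r.prefix)}
        derived.append(UriRule(r.name, r.prefix, r.users, set(r.excludes) | children))
    return derived


def allowed(rules, user, path, honor_excludes=True):
    """HBAC-style evaluation: list the names of all rules that grant access.
    An empty list means denied; there is no DENY rule, only absence of ALLOW."""
    return [r.name for r in rules
            if matches(r, path, honor_excludes) and user in r.users]


# Constructed sample policy: the whole site is open to everyone (the
# "allow '/' for all sites" default), and /admin/ is meant for bob only.
RAW_RULES = [
    UriRule("allow_all_site", "/", frozenset({"alice", "bob"})),
    UriRule("admin_only", "/admin/", frozenset({"bob"})),
]
RULES = derive_excludes(RAW_RULES)


if __name__ == "__main__":
    # Without excludes the "/" rule also matches /admin/users: alice gets in.
    print("raw, alice -> /admin/users:", allowed(RAW_RULES, "alice", "/admin/users"))
    # With derived excludes only the admin rule covers /admin/: alice is denied.
    print("derived, alice -> /admin/users:", allowed(RULES, "alice", "/admin/users"))
    print("derived, bob -> /admin/users:", allowed(RULES, "bob", "/admin/users"))
    # Missing the exclude record at evaluation time fails open again.
    print("derived but excludes ignored, alice -> /admin/users:",
          allowed(RULES, "alice", "/admin/users", honor_excludes=False))
```

Two caveats a real enforcement point needs that this toy skips: the path must be canonicalised before prefix matching (percent-decoding, collapsing "//" and "/../" segments), otherwise "/admin/../admin/users" or "/%61dmin/users" sidesteps the "/admin/" rule, and prefixes should end in "/" so that "/admin" does not also claim "/admin-docs/".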
