On 03/24/2016 10:31 AM, Jan Pazdziora wrote:
> On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
>> I created a design page for the feature:
>>
>> http://www.freeipa.org/page/URI-based-HBAC-design
> 
> In the document, you say
> 
>       In all of them [ approaches ], I use only the part of URI
>       after hostname as hostname and service are already matched
>       as part of selecting HBAC rules to evaluate in terms of
>       matching URI. 
> 
> This is not correct.
> 
> The hostname of the machine may be
> 
>       cloud-123-567.example.com
> 
> The service (principal) might be HTTP/cloud-123-567.example.com.
> 
> The HBAC service (== PAM service) might be 'application', or 'httpd'.
> 
> But the URL might be
> 
>       http://wiki.example.com/wiki
> 
> or
> 
>       https://issues.example.com/
> 
> or
> 
>       http://www.example.com:8080/
> 
> Distinct applications and content, with completely distinct URLs,
> locations, and security requirements, hosted on the same machine and
> under the same HBAC service.
> 
> The full URL needs to be taken into account. There can be situations
> like
> 
>       http:///wiki
> 
> where the hostname is omitted in the rule but it has to be an
> explicit decision of the user (admin) editing the rules, not something
> built into the mechanism.
> 

Actually, the admin can specify whatever he wants in the URI attribute. The only
question here is what the application should send. So this is merely a
matter of the Apache module in my case.

-- 
Lukas Hellebrandt
Associate Quality Engineer
lhell...@redhat.com

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
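As an added illustration of the point made in the quoted message (this is example code written for this page, not FreeIPA's own implementation and not the Apache module under discussion), the Python matcher below compares a requested URL against HBAC rule URIs the way Jan describes: scheme, host, port and path are all taken into account, and a host omitted from the rule (as in http:///wiki) acts as a wildcard only because the admin wrote it that way. The path_only switch shows what happens when only the part after the hostname is compared: rules for distinct applications on the same machine collapse into one another. The rule names, the port semantics for host-less rules and the sample URLs are assumptions of the example, not part of the design page.

```python
from urllib.parse import urlsplit

# Default ports used when a URI does not spell one out (assumption of the example).
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed rules, modelled on the URLs from the quoted message. The last rule
# omits the host on purpose: that is the admin's explicit wildcard decision.
RULES = [
    ("wiki-readers", "http://wiki.example.com/wiki"),
    ("issue-trackers", "https://issues.example.com/"),
    ("port8080-app", "http://www.example.com:8080/"),
    ("any-host-wiki", "http:///wiki"),
]


def _split(uri):
    """Break a URI into (scheme, host, explicit_port, path).

    host is "" when the URI has no authority part; explicit_port is None
    unless a port was actually written in the URI.
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return scheme, host, parts.port, path


def _path_prefix(rule_path, req_path):
    """Rule path "/wiki" matches "/wiki" and "/wiki/...", but not "/wikipedia"."""
    if rule_path == "/":
        return True
    rule_path = rule_path.rstrip("/")
    return req_path == rule_path or req_path.startswith(rule_path + "/")


def uri_matches(rule_uri, request_url, path_only=False):
    """Return True if request_url falls under rule_uri.

    path_only=True reproduces the "only the part after the hostname" approach
    criticised in the thread; the default compares the full URL.
    """
    r_scheme, r_host, r_port, r_path = _split(rule_uri)
    q_scheme, q_host, q_port, q_path = _split(request_url)

    if path_only:
        return _path_prefix(r_path, q_path)

    if r_scheme != q_scheme:
        return False
    # Effective port of the request: explicit, else the scheme default.
    q_port = q_port if q_port is not None else DEFAULT_PORTS.get(q_scheme)

    if r_host:
        # Host given in the rule: host and (explicit or default) port must match.
        if r_host != q_host:
            return False
        r_port = r_port if r_port is not None else DEFAULT_PORTS.get(r_scheme)
        return r_port == q_port and _path_prefix(r_path, q_path)

    # Host omitted in the rule (e.g. "http:///wiki"): any host is accepted, and the
    # port is only constrained if the admin wrote one (assumption of the example).
    if r_port is not None and r_port != q_port:
        return False
    return _path_prefix(r_path, q_path)


def matching_rules(rules, request_url, path_only=False):
    """Names of the rules that would be evaluated for request_url."""
    return [name for name, uri in rules if uri_matches(uri, request_url, path_only)]


if __name__ == "__main__":
    for url in ("http://wiki.example.com/wiki/Main_Page",
                "https://issues.example.com/browse/FOO",
                "http://www.example.com:8080/wiki",
                "http://www.example.com/wiki"):
        print(url, "->", matching_rules(RULES, url))
    # Path-only comparison: every rule whose path is "/" matches every request on
    # the machine, so the wiki and the issue tracker are no longer distinguishable.
    print("path only:", matching_rules(RULES, "http://wiki.example.com/wiki/Main_Page",
                                       path_only=True))
```

With full-URL matching each request on the shared machine selects only the rules written for that application (and the explicit host-less wildcard); with path-only matching the request for the wiki also selects the issue-tracker and port-8080 rules, which is exactly the over-match the quoted message warns about.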
