On 03/24/2016 10:31 AM, Jan Pazdziora wrote:
> On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
>> I created a design page for the feature:
>>
>> http://www.freeipa.org/page/URI-based-HBAC-design
>
> In the document, you say
>
>     In all of them [ approaches ], I use only the part of URI
>     after hostname as hostname and service are already matched
>     as part of selecting HBAC rules to evaluate in terms of
>     matching URI.
>
> This is not correct.
>
> The hostname of the machine may be
>
>     cloud-123-567.example.com
>
> The service (principal) might be HTTP/cloud-123-567.example.com.
>
> The HBAC service (== PAM service) might be 'application', or 'httpd'.
>
> But the URL might be
>
>     http://wiki.example.com/wiki
>
> or
>
>     https://issues.example.com/
>
> or
>
>     http://www.example.com:8080/
>
> Distinct applications and content, with completely distinct URLs,
> locations, and security requirements, hosted on the same machine and
> under the same HBAC service.
>
> The full URL needs to be taken into account. There can be situations
> like
>
>     http:///wiki
>
> where the hostname is omitted in the rule but it has to be an
> explicit decision of the user (admin) editing the rules, not something
> built into the mechanism.
>
Actually, the admin can specify whatever he wants in the URI attribute.
The only question here is what the application should send. So this is
merely a matter of the Apache module in my case.

-- 
Lukas Hellebrandt
Associate Quality Engineer
lhell...@redhat.com

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
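An added illustration of Jan's point above, not code from FreeIPA or from either poster: a small matcher in which each HBAC rule carries the full URI, so the three applications on one host behind the same HBAC service can be told apart, while a rule with the host left out (`http:///wiki`) acts as a wildcard only because the admin wrote it that way. The rule semantics (exact scheme and host, default ports, prefix match on whole path segments) and the sample rules and users are assumptions made for this example.

```python
# Added example for the freeipa-devel thread: match a request URI against
# URI-based HBAC rules that carry the full URL. Illustrative only; not
# FreeIPA's implementation, and the matching semantics are assumed.
from urllib.parse import urlsplit


def _path_parts(path):
    """Split a URL path into its non-empty segments."""
    return [p for p in path.split("/") if p]


def uri_matches(rule_uri, request_uri):
    """Return True if request_uri falls under rule_uri.

    - scheme must be equal
    - an empty host in the rule (e.g. 'http:///wiki') is an explicit
      wildcard chosen by the admin; otherwise the host must match exactly
    - a port given in the rule must match; a rule without a port matches
      only the scheme's default port
    - the rule path is matched as a prefix of whole path segments
    """
    rule, req = urlsplit(rule_uri), urlsplit(request_uri)
    if rule.scheme != req.scheme:
        return False
    if rule.hostname and rule.hostname != req.hostname:
        return False
    default = {"http": 80, "https": 443}.get(rule.scheme)
    if (rule.port or default) != (req.port or default):
        return False
    rp, qp = _path_parts(rule.path), _path_parts(req.path)
    return qp[:len(rp)] == rp


def allowed(rules, user, request_uri):
    """rules: list of (rule_uri, set_of_users). Any matching rule grants."""
    return any(uri_matches(r, request_uri) and user in users
               for r, users in rules)


# Constructed sample rules: three applications served by one host
# (cloud-123-567.example.com in the thread) under one HBAC service.
SAMPLE_RULES = [
    ("http://wiki.example.com/wiki", {"alice", "bob"}),
    ("https://issues.example.com/", {"alice"}),
    ("http://www.example.com:8080/", {"carol"}),
    ("http:///wiki", {"dave"}),  # admin explicitly omitted the host
]
```

With only the path considered, as the design page proposed, the first and last rule would be indistinguishable from each other and `https://issues.example.com/` could not be separated from `http://www.example.com:8080/`.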