On 18.5.2016 08:25, Stanislav Laznicka wrote:
> On 05/17/2016 12:40 PM, Petr Spacek wrote:
>> On 13.5.2016 13:50, Stanislav Laznicka wrote:
>>> Hello list,
>>> We had a discussion today over integrating the Time Rules into the CLI and
>>> WebUI and a problem came up with with the current solution. It seems that
>>> while having templating handled by CoSTemplates might be nice in terms of 
>>> easy
>>> dereferencing on SSSD side (it's handled by the DS itself), it's not really
>>> much possible to pick one string from the multi-valued accesstime attribute 
>>> of
>>> HBAC Rule object and modify it.
>> Could you be more specific?
>> AFAIK LDAP protocol allows this. Where is the problem?
>> Petr^2 Spacek
> I should have added we're talking CLI and WebUI here.
> Imagine you have 5 values of the accesstime attribute, each one is about 10
> lines of iCal string, and want to change one:
> ipa hbacrule-mod-accesstime rule_name --time=???

I see. In DNS plugin we do it this way:

$ ipa dnsrecord-mod example.com www --a-rec --a-ip-address

I would argue that naming of the options is weird so something easier to
understand could be made. E.g.
$ ipa hbacrule-mod-accesstime rule_name --orig-time=??? --time=???

Petr^2 Spacek

>>> We were thinking of a solution discussed way earlier - having our own time
>>> rule objects that could be referenced from each HBAC rule. That way, any 
>>> time
>>> rule could be modified easily. As the HBAC rules are cached on the SSSD side
>>> periodically using the deref plugin, there should be no problem of
>>> inconsistency with the server database.
>>> The original reasoning pro and against the proposed solution could be found 
>>> on
>>> the pad http://pad.engineering.redhat.com/ipa-time-based-HBAC-design. It 
>>> would
>>> be really nice to hear your opinions and ideas that could help us overcome
>>> this problem.
>>> Thank you,
>>> Standa

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to