On 04/27/2016 03:34 PM, Lukáš Hellebrandt wrote:
> SSSD: https://github.com/lhellebr/sssd/commits/url_in_hbac
> Apache module: https://github.com/lhellebr/mod_hbacauthz_pam
> FreeIPA: http://pastebin.com/X6H9BTwk
>
> On 04/26/2016 03:56 PM, Petr Spacek wrote:
>> On 26.4.2016 15:16, Jan Pazdziora w
SSSD: https://github.com/lhellebr/sssd/commits/url_in_hbac
Apache module: https://github.com/lhellebr/mod_hbacauthz_pam
FreeIPA: http://pastebin.com/X6H9BTwk
On 04/26/2016 03:56 PM, Petr Spacek wrote:
> On 26.4.2016 15:16, Jan Pazdziora wrote:
>> On Tue, Apr 26, 2016 at 02:16:54PM +0200, Petr Spac
On 26.4.2016 15:16, Jan Pazdziora wrote:
> On Tue, Apr 26, 2016 at 02:16:54PM +0200, Petr Spacek wrote:
* For backwards compatibility, lack of URI in request means any URI is
matched (as described in the design document). Is it a good idea? Any
other solution?
>>>
>>> For other
On Tue, Apr 26, 2016 at 02:16:54PM +0200, Petr Spacek wrote:
> >>
> >> * For backwards compatibility, lack of URI in request means any URI is
> >> matched (as described in the design document). Is it a good idea? Any
> >> other solution?
> >
> > For other attributes in HBAC rules, the lack of a va
On 26.4.2016 12:57, Jan Cholasta wrote:
> Hi,
>
> On 25.4.2016 14:48, Lukáš Hellebrandt wrote:
>> http://www.freeipa.org/page/V4/URI-based_HBAC
>>
>> I have made some important changes to the design document of this
>> proposed feature. The difference is mainly changing regular expression
>> inter
Hi,
On 25.4.2016 14:48, Lukáš Hellebrandt wrote:
http://www.freeipa.org/page/V4/URI-based_HBAC
I have made some important changes to the design document of this
proposed feature. The difference is mainly changing regular expression
interpretation of URI to longest-prefix matching.
This change
http://www.freeipa.org/page/V4/URI-based_HBAC
I have made some important changes to the design document of this
proposed feature. The difference is mainly changing regular expression
interpretation of URI to longest-prefix matching.
This change was done mainly because of upstream's reactions. I v
(Sorry to come late into this thread..)
On Thu, Mar 24, 2016 at 02:49:39PM +0100, Jan Pazdziora wrote:
> On Thu, Mar 24, 2016 at 02:30:06PM +0100, Petr Spacek wrote:
> >
> > I really do not like 'excludes'... Was an approach with longest prefix match
> > considered as an option? I do not see it i
On Tue, Mar 29, 2016 at 11:21:05AM +0200, Lukáš Hellebrandt wrote:
>
> Right, we only have to deal with path as the protocol is already in HBAC
> rules.
I don't see protocol in HBAC rules -- there are HBAC (~ PAM) service
name and canonical hostname of the machine. But there isn't protocol
(schem
On Tue, Mar 29, 2016 at 10:59:13AM +0200, Lukáš Hellebrandt wrote:
>
> No change compared to how it works now: if the public part doesn't
> require any authorization at all, the application won't even ask for
> authorization.
In other words, it won't be possible to enable unauthenticated access
c
On 03/24/2016 02:39 PM, Rob Crittenden wrote:
> Adam Young wrote:
>> On 03/24/2016 05:43 AM, Jan Pazdziora wrote:
>>> On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
I created a design page for the feature:
http://www.freeipa.org/page/URI-based-HBAC-design
>>> I tr
On Tue, Mar 29, 2016 at 10:50:08AM +0200, Lukáš Hellebrandt wrote:
> >
> > The benefit of this approach is that if you need to evaluate access
> > to say
> >
> > /application/data/
> >
> > and you already have rule for
> >
> > /application/ [ users/ ]
> >
> > cached e
On 03/24/2016 01:41 PM, Jan Pazdziora wrote:
> On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
>> I created a design page for the feature:
>>
>> http://www.freeipa.org/page/URI-based-HBAC-design
>
> Could you please elaborate on unauthenticated accesses?
>
> Many web applicatio
On 03/24/2016 01:31 PM, Jan Pazdziora wrote:
> On Wed, Mar 23, 2016 at 06:39:45PM +0100, Petr Vobornik wrote:
>> On 03/23/2016 04:41 PM, Lukáš Hellebrandt wrote:
>>> I created a design page for the feature:
>>>
>>> http://www.freeipa.org/page/URI-based-HBAC-design
>>
>> 1. The design page doesn't m
On 03/24/2016 10:31 AM, Jan Pazdziora wrote:
> On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
>> I created a design page for the feature:
>>
>> http://www.freeipa.org/page/URI-based-HBAC-design
>
> In the document, you say
>
> In all of them [ approaches ], I use only th
On 03/24/2016 10:24 AM, Jan Pazdziora wrote:
> On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
>> I created a design page for the feature:
>>
>> http://www.freeipa.org/page/URI-based-HBAC-design
>
> The way most web applications (that I see as the first use for this
> feature) a
On Thu, Mar 24, 2016 at 01:09:24PM +0100, Jan Pazdziora wrote:
> On Thu, Mar 24, 2016 at 11:39:17AM +1000, Fraser Tweedale wrote:
> >
> > Further to Rob's points, what about including the method being used
> > (HTTP GET/POST/PUT/PATCH)? In a RESTful world this seems like an
> > important aspect to
On Thu, Mar 24, 2016 at 02:30:06PM +0100, Petr Spacek wrote:
>
> I really do not like 'excludes'... Was an approach with longest prefix match
> considered as an option? I do not see it in the design page.
>
> E.g. imagine we have rules:
> / -> allow anyone
> /users -> allow all authenticated user
Adam Young wrote:
On 03/24/2016 05:43 AM, Jan Pazdziora wrote:
On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
I created a design page for the feature:
http://www.freeipa.org/page/URI-based-HBAC-design
I try to put separate areas of concerns into separate emails to make
it
On Thu, Mar 24, 2016 at 02:08:22PM +0100, Martin Kosek wrote:
>
> I agree it is complicated. While Deny HBAC rules is something we do not want,
> allowing exclusive rules for an HBAC URI rule may be acceptable. This would be
> the same approach we chose with Exclusive Time rules in Time-Based HBAC
On 24.3.2016 14:08, Martin Kosek wrote:
> On 03/24/2016 01:24 PM, Jan Pazdziora wrote:
>> On Thu, Mar 24, 2016 at 12:38:37PM +0100, Martin Kosek wrote:
>>> On 03/24/2016 10:24 AM, Jan Pazdziora wrote:
On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
>>> ...
You present t
On 24.3.2016 11:39, Jan Pazdziora wrote:
> On Wed, Mar 23, 2016 at 11:54:55AM -0400, Rob Crittenden wrote:
>>
>> I think case sensitivity might be pretty important too, though might be best
>> left as an exercise for the user.
>
> For protocol and hostname it likely needs to be case insensitive.
>
On 03/24/2016 05:43 AM, Jan Pazdziora wrote:
On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
I created a design page for the feature:
http://www.freeipa.org/page/URI-based-HBAC-design
I try to put separate areas of concerns into separate emails to make
it easy to keep track.
On 03/24/2016 01:24 PM, Jan Pazdziora wrote:
> On Thu, Mar 24, 2016 at 12:38:37PM +0100, Martin Kosek wrote:
>> On 03/24/2016 10:24 AM, Jan Pazdziora wrote:
>>> On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
>> ...
>>> You present two solutions to the problem -- deny rules, and
On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
> I created a design page for the feature:
>
> http://www.freeipa.org/page/URI-based-HBAC-design
Could you please elaborate on unauthenticated accesses?
Many web applications have completely public parts, and then
authenticated s
On Wed, Mar 23, 2016 at 06:39:45PM +0100, Petr Vobornik wrote:
> On 03/23/2016 04:41 PM, Lukáš Hellebrandt wrote:
> >I created a design page for the feature:
> >
> >http://www.freeipa.org/page/URI-based-HBAC-design
>
> 1. The design page doesn't mention if mod_authnz_pam will be extended or
> some
On Thu, Mar 24, 2016 at 12:38:37PM +0100, Martin Kosek wrote:
> On 03/24/2016 10:24 AM, Jan Pazdziora wrote:
> > On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
> ...
> > You present two solutions to the problem -- deny rules, and regular
> > expressions.
>
> For the record, HBA
On Thu, Mar 24, 2016 at 11:39:17AM +1000, Fraser Tweedale wrote:
>
> Further to Rob's points, what about including the method being used
> (HTTP GET/POST/PUT/PATCH)? In a RESTful world this seems like an
> important aspect to include.
>
> How deep does this rabbit-hole go? :)
The work, while foc
On 03/24/2016 10:24 AM, Jan Pazdziora wrote:
> On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
...
> You present two solutions to the problem -- deny rules, and regular
> expressions.
For the record, HBAC deny rules is something we will want to avoid. Deny HBAC
rules were remove
On Wed, Mar 23, 2016 at 11:54:55AM -0400, Rob Crittenden wrote:
>
> I think case sensitivity might be pretty important too, though might be best
> left as an exercise for the user.
For protocol and hostname it likely needs to be case insensitive.
for the rest of the URL there probably should be a
On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
> I created a design page for the feature:
>
> http://www.freeipa.org/page/URI-based-HBAC-design
I try to put separate areas of concerns into separate emails to make
it easy to keep track.
The document says
There is a ne
On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
> I created a design page for the feature:
>
> http://www.freeipa.org/page/URI-based-HBAC-design
In the document, you say
In all of them [ approaches ], I use only the part of URI
after hostname as hostname and se
On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
> I created a design page for the feature:
>
> http://www.freeipa.org/page/URI-based-HBAC-design
The way most web applications (that I see as the first use for this
feature) are structured, they have more openly accessible areas a
On 03/23/2016 04:41 PM, Lukáš Hellebrandt wrote:
> I created a design page for the feature:
>
> http://www.freeipa.org/page/URI-based-HBAC-design
Technicality update:
- I changed the name and moved it to consistent location:
http://www.freeipa.org/page/V4/URI-based_HBAC
- I removed "version=0.1
On Wed, Mar 23, 2016 at 11:54:55AM -0400, Rob Crittenden wrote:
> Luká Hellebrandt wrote:
> >I created a design page for the feature:
> >
> >http://www.freeipa.org/page/URI-based-HBAC-design
> >
> >
>
> Can you make the ticket reference a link?
>
> Is it expected that a full URI will be used, in
On 03/23/2016 04:41 PM, Lukáš Hellebrandt wrote:
I created a design page for the feature:
http://www.freeipa.org/page/URI-based-HBAC-design
1. The design page doesn't mention if mod_authnz_pam will be extended or
some new 'pam_sss' Apache module will be created. Or is it actually
mod_hbaca
Luká Hellebrandt wrote:
I created a design page for the feature:
http://www.freeipa.org/page/URI-based-HBAC-design
Can you make the ticket reference a link?
Is it expected that a full URI will be used, including protocol? Your
early examples are http://path/to/somewhere and later you just
I created a design page for the feature:
http://www.freeipa.org/page/URI-based-HBAC-design
--
Lukas Hellebrandt
Associate Quality Engineer
lhell...@redhat.com
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to Fr
> On the patches:
>
> [2] you define a new attribute Url which is fine, but the actual
> attribute is not ok in several way.
>
> - You assigned an OID from a hole in the IPAv2 Attibutes space, it
> should be an assigned ID from the IPAv3 attribute space instead
>
> - You do not namespace the at
On 02/28/2016 11:39 AM, Jakub Hrozek wrote:
> On Fri, Feb 26, 2016 at 11:33:26AM -0500, Simo Sorce wrote:
>> On Fri, 2016-02-26 at 17:17 +0100, Jakub Hrozek wrote:
>>> On Fri, Feb 26, 2016 at 10:58:57AM -0500, Simo Sorce wrote:
On Fri, 2016-02-26 at 13:17 +0100, Lukáš Hellebrandt wrote:
>
On Fri, Feb 26, 2016 at 11:33:26AM -0500, Simo Sorce wrote:
> On Fri, 2016-02-26 at 17:17 +0100, Jakub Hrozek wrote:
> > On Fri, Feb 26, 2016 at 10:58:57AM -0500, Simo Sorce wrote:
> > > On Fri, 2016-02-26 at 13:17 +0100, Lukáš Hellebrandt wrote:
> > > > Hi, FreeIPA and SSSD communities!
> > > >
>
On Fri, 2016-02-26 at 17:17 +0100, Jakub Hrozek wrote:
> On Fri, Feb 26, 2016 at 10:58:57AM -0500, Simo Sorce wrote:
> > On Fri, 2016-02-26 at 13:17 +0100, Lukáš Hellebrandt wrote:
> > > Hi, FreeIPA and SSSD communities!
> > >
> > > I am working on adding URI to HBAC as my thesis [1]. The goal is
On Fri, Feb 26, 2016 at 10:58:57AM -0500, Simo Sorce wrote:
> On Fri, 2016-02-26 at 13:17 +0100, Lukáš Hellebrandt wrote:
> > Hi, FreeIPA and SSSD communities!
> >
> > I am working on adding URI to HBAC as my thesis [1]. The goal is to
> > control access not only based on (user, host, service), bu
On Fri, 2016-02-26 at 13:17 +0100, Lukáš Hellebrandt wrote:
> Hi, FreeIPA and SSSD communities!
>
> I am working on adding URI to HBAC as my thesis [1]. The goal is to
> control access not only based on (user, host, service), but on (user,
> host, service, resource's URI).
>
> I created a patch f
Greetings, welcome!
On 02/26/2016 01:17 PM, Lukáš Hellebrandt wrote:
...
> Btw, is there some better place to share patches than a pasting tool?
> Maybe some form of pull request?
There is :-) Please see advise here:
http://www.freeipa.org/page/Contribute/Code#Submit_a_patch
It has more informa
Hi, FreeIPA and SSSD communities!
I am working on adding URI to HBAC as my thesis [1]. The goal is to
control access not only based on (user, host, service), but on (user,
host, service, resource's URI).
I created a patch for FreeIPA [2] so it is capable of storing URI as
part of HBAC rule. I cre
46 matches
Mail list logo
