(Sorry to come late into this thread..)
On Thu, Mar 24, 2016 at 02:49:39PM +0100, Jan Pazdziora wrote:
> On Thu, Mar 24, 2016 at 02:30:06PM +0100, Petr Spacek wrote:
> >
> > I really do not like 'excludes'... Was an approach with longest prefix match
> > considered as an option? I do not see it i
On Tue, Mar 29, 2016 at 11:21:05AM +0200, Lukáš Hellebrandt wrote:
>
> Right, we only have to deal with path as the protocol is already in HBAC
> rules.
I don't see protocol in HBAC rules -- there are HBAC (~ PAM) service
name and canonical hostname of the machine. But there isn't protocol
(schem
On Tue, Mar 29, 2016 at 10:59:13AM +0200, Lukáš Hellebrandt wrote:
>
> No change compared to how it works now: if the public part doesn't
> require any authorization at all, the application won't even ask for
> authorization.
In other words, it won't be possible to enable unauthenticated access
c
On 03/24/2016 02:39 PM, Rob Crittenden wrote:
> Adam Young wrote:
>> On 03/24/2016 05:43 AM, Jan Pazdziora wrote:
>>> On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
I created a design page for the feature:
http://www.freeipa.org/page/URI-based-HBAC-design
>>> I tr
On Tue, Mar 29, 2016 at 10:50:08AM +0200, Lukáš Hellebrandt wrote:
> >
> > The benefit of this approach is that if you need to evaluate access
> > to say
> >
> > /application/data/
> >
> > and you already have rule for
> >
> > /application/ [ users/ ]
> >
> > cached e
On 03/24/2016 01:41 PM, Jan Pazdziora wrote:
> On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
>> I created a design page for the feature:
>>
>> http://www.freeipa.org/page/URI-based-HBAC-design
>
> Could you please elaborate on unauthenticated accesses?
>
> Many web applicatio
On 03/24/2016 01:31 PM, Jan Pazdziora wrote:
> On Wed, Mar 23, 2016 at 06:39:45PM +0100, Petr Vobornik wrote:
>> On 03/23/2016 04:41 PM, Lukáš Hellebrandt wrote:
>>> I created a design page for the feature:
>>>
>>> http://www.freeipa.org/page/URI-based-HBAC-design
>>
>> 1. The design page doesn't m
On 03/24/2016 10:31 AM, Jan Pazdziora wrote:
> On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
>> I created a design page for the feature:
>>
>> http://www.freeipa.org/page/URI-based-HBAC-design
>
> In the document, you say
>
> In all of them [ approaches ], I use only th
On 03/24/2016 10:24 AM, Jan Pazdziora wrote:
> On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
>> I created a design page for the feature:
>>
>> http://www.freeipa.org/page/URI-based-HBAC-design
>
> The way most web applications (that I see as the first use for this
> feature) a
On Thu, Mar 24, 2016 at 01:09:24PM +0100, Jan Pazdziora wrote:
> On Thu, Mar 24, 2016 at 11:39:17AM +1000, Fraser Tweedale wrote:
> >
> > Further to Rob's points, what about including the method being used
> > (HTTP GET/POST/PUT/PATCH)? In a RESTful world this seems like an
> > important aspect to
On Thu, Mar 24, 2016 at 02:30:06PM +0100, Petr Spacek wrote:
>
> I really do not like 'excludes'... Was an approach with longest prefix match
> considered as an option? I do not see it in the design page.
>
> E.g. imagine we have rules:
> / -> allow anyone
> /users -> allow all authenticated user
Adam Young wrote:
On 03/24/2016 05:43 AM, Jan Pazdziora wrote:
On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
I created a design page for the feature:
http://www.freeipa.org/page/URI-based-HBAC-design
I try to put separate areas of concerns into separate emails to make
it
On Thu, Mar 24, 2016 at 02:08:22PM +0100, Martin Kosek wrote:
>
> I agree it is complicated. While Deny HBAC rules is something we do not want,
> allowing exclusive rules for an HBAC URI rule may be acceptable. This would be
> the same approach we chose with Exclusive Time rules in Time-Based HBAC
On 24.3.2016 14:08, Martin Kosek wrote:
> On 03/24/2016 01:24 PM, Jan Pazdziora wrote:
>> On Thu, Mar 24, 2016 at 12:38:37PM +0100, Martin Kosek wrote:
>>> On 03/24/2016 10:24 AM, Jan Pazdziora wrote:
On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
>>> ...
You present t
On 24.3.2016 11:39, Jan Pazdziora wrote:
> On Wed, Mar 23, 2016 at 11:54:55AM -0400, Rob Crittenden wrote:
>>
>> I think case sensitivity might be pretty important too, though might be best
>> left as an exercise for the user.
>
> For protocol and hostname it likely needs to be case insensitive.
>
On 03/24/2016 05:43 AM, Jan Pazdziora wrote:
On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
I created a design page for the feature:
http://www.freeipa.org/page/URI-based-HBAC-design
I try to put separate areas of concerns into separate emails to make
it easy to keep track.
On 03/24/2016 01:24 PM, Jan Pazdziora wrote:
> On Thu, Mar 24, 2016 at 12:38:37PM +0100, Martin Kosek wrote:
>> On 03/24/2016 10:24 AM, Jan Pazdziora wrote:
>>> On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
>> ...
>>> You present two solutions to the problem -- deny rules, and
On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
> I created a design page for the feature:
>
> http://www.freeipa.org/page/URI-based-HBAC-design
Could you please elaborate on unauthenticated accesses?
Many web applications have completely public parts, and then
authenticated s
On Wed, Mar 23, 2016 at 06:39:45PM +0100, Petr Vobornik wrote:
> On 03/23/2016 04:41 PM, Lukáš Hellebrandt wrote:
> >I created a design page for the feature:
> >
> >http://www.freeipa.org/page/URI-based-HBAC-design
>
> 1. The design page doesn't mention if mod_authnz_pam will be extended or
> some
On Thu, Mar 24, 2016 at 12:38:37PM +0100, Martin Kosek wrote:
> On 03/24/2016 10:24 AM, Jan Pazdziora wrote:
> > On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
> ...
> > You present two solutions to the problem -- deny rules, and regular
> > expressions.
>
> For the record, HBA
On Thu, Mar 24, 2016 at 11:39:17AM +1000, Fraser Tweedale wrote:
>
> Further to Rob's points, what about including the method being used
> (HTTP GET/POST/PUT/PATCH)? In a RESTful world this seems like an
> important aspect to include.
>
> How deep does this rabbit-hole go? :)
The work, while foc
On 03/24/2016 10:24 AM, Jan Pazdziora wrote:
> On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
...
> You present two solutions to the problem -- deny rules, and regular
> expressions.
For the record, HBAC deny rules is something we will want to avoid. Deny HBAC
rules were remove
On Wed, Mar 23, 2016 at 11:54:55AM -0400, Rob Crittenden wrote:
>
> I think case sensitivity might be pretty important too, though might be best
> left as an exercise for the user.
For protocol and hostname it likely needs to be case insensitive.
For the rest of the URL there probably should be a
On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
> I created a design page for the feature:
>
> http://www.freeipa.org/page/URI-based-HBAC-design
I try to put separate areas of concerns into separate emails to make
it easy to keep track.
The document says
There is a ne
On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
> I created a design page for the feature:
>
> http://www.freeipa.org/page/URI-based-HBAC-design
In the document, you say
In all of them [ approaches ], I use only the part of URI
after hostname as hostname and se
On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
> I created a design page for the feature:
>
> http://www.freeipa.org/page/URI-based-HBAC-design
The way most web applications (that I see as the first use for this
feature) are structured, they have more openly accessible areas a
On 03/23/2016 04:41 PM, Lukáš Hellebrandt wrote:
> I created a design page for the feature:
>
> http://www.freeipa.org/page/URI-based-HBAC-design
Technicality update:
- I changed the name and moved it to consistent location:
http://www.freeipa.org/page/V4/URI-based_HBAC
- I removed "version=0.1
On Wed, Mar 23, 2016 at 11:54:55AM -0400, Rob Crittenden wrote:
> Lukáš Hellebrandt wrote:
> >I created a design page for the feature:
> >
> >http://www.freeipa.org/page/URI-based-HBAC-design
> >
> >
>
> Can you make the ticket reference a link?
>
> Is it expected that a full URI will be used, in
On 03/23/2016 04:41 PM, Lukáš Hellebrandt wrote:
I created a design page for the feature:
http://www.freeipa.org/page/URI-based-HBAC-design
1. The design page doesn't mention if mod_authnz_pam will be extended or
some new 'pam_sss' Apache module will be created. Or is it actually
mod_hbaca
Lukáš Hellebrandt wrote:
I created a design page for the feature:
http://www.freeipa.org/page/URI-based-HBAC-design
Can you make the ticket reference a link?
Is it expected that a full URI will be used, including protocol? Your
early examples are http://path/to/somewhere and later you just
I created a design page for the feature:
http://www.freeipa.org/page/URI-based-HBAC-design
--
Lukas Hellebrandt
Associate Quality Engineer
lhell...@redhat.com
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to Fr