(Sorry to come late into this thread..)
On Thu, Mar 24, 2016 at 02:49:39PM +0100, Jan Pazdziora wrote:
> On Thu, Mar 24, 2016 at 02:30:06PM +0100, Petr Spacek wrote:
> >
> > I really do not like 'excludes'... Was an approach with longest prefix match
> > considered as an option? I do not see it
On Tue, Mar 29, 2016 at 11:21:05AM +0200, Lukáš Hellebrandt wrote:
>
> Right, we only have to deal with path as the protocol is already in HBAC
> rules.
I don't see protocol in HBAC rules -- there are HBAC (~ PAM) service
name and canonical hostname of the machine. But there isn't protocol
On Tue, Mar 29, 2016 at 10:59:13AM +0200, Lukáš Hellebrandt wrote:
>
> No change compared to how it works now: if the public part doesn't
> require any authorization at all, the application won't even ask for
> authorization.
In other words, it won't be possible to enable unauthenticated access
On 03/24/2016 02:39 PM, Rob Crittenden wrote:
> Adam Young wrote:
>> On 03/24/2016 05:43 AM, Jan Pazdziora wrote:
>>> On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
I created a design page for the feature:
http://www.freeipa.org/page/URI-based-HBAC-design
>>> I
On Tue, Mar 29, 2016 at 10:50:08AM +0200, Lukáš Hellebrandt wrote:
> >
> > The benefit of this approach is that if you need to evaluate access
> > to say
> >
> > /application/data/
> >
> > and you already have rule for
> >
> > /application/ [ users/ ]
> >
> > cached
On 03/24/2016 01:41 PM, Jan Pazdziora wrote:
> On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
>> I created a design page for the feature:
>>
>> http://www.freeipa.org/page/URI-based-HBAC-design
>
> Could you please elaborate on unauthenticated accesses?
>
> Many web
On 03/24/2016 01:31 PM, Jan Pazdziora wrote:
> On Wed, Mar 23, 2016 at 06:39:45PM +0100, Petr Vobornik wrote:
>> On 03/23/2016 04:41 PM, Lukáš Hellebrandt wrote:
>>> I created a design page for the feature:
>>>
>>> http://www.freeipa.org/page/URI-based-HBAC-design
>>
>> 1. The design page doesn't
On 03/24/2016 10:31 AM, Jan Pazdziora wrote:
> On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
>> I created a design page for the feature:
>>
>> http://www.freeipa.org/page/URI-based-HBAC-design
>
> In the document, you say
>
> In all of them [ approaches ], I use only
On 03/24/2016 10:24 AM, Jan Pazdziora wrote:
> On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
>> I created a design page for the feature:
>>
>> http://www.freeipa.org/page/URI-based-HBAC-design
>
> The way most web applications (that I see as the first use for this
> feature)
On Thu, Mar 24, 2016 at 01:09:24PM +0100, Jan Pazdziora wrote:
> On Thu, Mar 24, 2016 at 11:39:17AM +1000, Fraser Tweedale wrote:
> >
> > Further to Rob's points, what about including the method being used
> > (HTTP GET/POST/PUT/PATCH)? In a RESTful world this seems like an
> > important aspect
On Thu, Mar 24, 2016 at 02:30:06PM +0100, Petr Spacek wrote:
>
> I really do not like 'excludes'... Was an approach with longest prefix match
> considered as an option? I do not see it in the design page.
>
> E.g. imagine we have rules:
> / -> allow anyone
> /users -> allow all authenticated
Adam Young wrote:
On 03/24/2016 05:43 AM, Jan Pazdziora wrote:
On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
I created a design page for the feature:
http://www.freeipa.org/page/URI-based-HBAC-design
I try to put separate areas of concerns into separate emails to make
it
On Thu, Mar 24, 2016 at 02:08:22PM +0100, Martin Kosek wrote:
>
> I agree it is complicated. While Deny HBAC rules is something we do not want,
> allowing exclusive rules for an HBAC URI rule may be acceptable. This would be
> the same approach we chose with Exclusive Time rules in Time-Based
On 24.3.2016 14:08, Martin Kosek wrote:
> On 03/24/2016 01:24 PM, Jan Pazdziora wrote:
>> On Thu, Mar 24, 2016 at 12:38:37PM +0100, Martin Kosek wrote:
>>> On 03/24/2016 10:24 AM, Jan Pazdziora wrote:
On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
>>> ...
You present
On 24.3.2016 11:39, Jan Pazdziora wrote:
> On Wed, Mar 23, 2016 at 11:54:55AM -0400, Rob Crittenden wrote:
>>
>> I think case sensitivity might be pretty important too, though might be best
>> left as an exercise for the user.
>
> For protocol and hostname it likely needs to be case insensitive.
On 03/24/2016 05:43 AM, Jan Pazdziora wrote:
On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
I created a design page for the feature:
http://www.freeipa.org/page/URI-based-HBAC-design
I try to put separate areas of concerns into separate emails to make
it easy to keep
On 03/24/2016 01:24 PM, Jan Pazdziora wrote:
> On Thu, Mar 24, 2016 at 12:38:37PM +0100, Martin Kosek wrote:
>> On 03/24/2016 10:24 AM, Jan Pazdziora wrote:
>>> On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
>> ...
>>> You present two solutions to the problem -- deny rules, and
On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
> I created a design page for the feature:
>
> http://www.freeipa.org/page/URI-based-HBAC-design
Could you please elaborate on unauthenticated accesses?
Many web applications have completely public parts, and then
authenticated
On Wed, Mar 23, 2016 at 06:39:45PM +0100, Petr Vobornik wrote:
> On 03/23/2016 04:41 PM, Lukáš Hellebrandt wrote:
> >I created a design page for the feature:
> >
> >http://www.freeipa.org/page/URI-based-HBAC-design
>
> 1. The design page doesn't mention if mod_authnz_pam will be extended or
>
On Thu, Mar 24, 2016 at 12:38:37PM +0100, Martin Kosek wrote:
> On 03/24/2016 10:24 AM, Jan Pazdziora wrote:
> > On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
> ...
> > You present two solutions to the problem -- deny rules, and regular
> > expressions.
>
> For the record,
On Thu, Mar 24, 2016 at 11:39:17AM +1000, Fraser Tweedale wrote:
>
> Further to Rob's points, what about including the method being used
> (HTTP GET/POST/PUT/PATCH)? In a RESTful world this seems like an
> important aspect to include.
>
> How deep does this rabbit-hole go? :)
The work, while
On 03/24/2016 10:24 AM, Jan Pazdziora wrote:
> On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
...
> You present two solutions to the problem -- deny rules, and regular
> expressions.
For the record, HBAC deny rules is something we will want to avoid. Deny HBAC
rules were
On Wed, Mar 23, 2016 at 11:54:55AM -0400, Rob Crittenden wrote:
>
> I think case sensitivity might be pretty important too, though might be best
> left as an exercise for the user.
For protocol and hostname it likely needs to be case insensitive.
For the rest of the URL there probably should be
On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
> I created a design page for the feature:
>
> http://www.freeipa.org/page/URI-based-HBAC-design
I try to put separate areas of concerns into separate emails to make
it easy to keep track.
The document says
There is a
On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
> I created a design page for the feature:
>
> http://www.freeipa.org/page/URI-based-HBAC-design
In the document, you say
In all of them [ approaches ], I use only the part of URI
after hostname as hostname and
On Wed, Mar 23, 2016 at 04:41:49PM +0100, Lukáš Hellebrandt wrote:
> I created a design page for the feature:
>
> http://www.freeipa.org/page/URI-based-HBAC-design
The way most web applications (that I see as the first use for this
feature) are structured, they have more openly accessible areas
On 03/23/2016 04:41 PM, Lukáš Hellebrandt wrote:
> I created a design page for the feature:
>
> http://www.freeipa.org/page/URI-based-HBAC-design
Technicality update:
- I changed the name and moved it to consistent location:
http://www.freeipa.org/page/V4/URI-based_HBAC
- I removed
On 03/23/2016 04:41 PM, Lukáš Hellebrandt wrote:
I created a design page for the feature:
http://www.freeipa.org/page/URI-based-HBAC-design
1. The design page doesn't mention if mod_authnz_pam will be extended or
some new 'pam_sss' Apache module will be created. Or is it actually
Lukáš Hellebrandt wrote:
I created a design page for the feature:
http://www.freeipa.org/page/URI-based-HBAC-design
Can you make the ticket reference a link?
Is it expected that a full URI will be used, including protocol? Your
early examples are http://path/to/somewhere and later you
I created a design page for the feature:
http://www.freeipa.org/page/URI-based-HBAC-design
--
Lukas Hellebrandt
Associate Quality Engineer
lhell...@redhat.com