[Freeipa-devel] Time-based account policies

Alexander Bokovoy abokovoy at redhat.com
Tue Mar 10 14:40:41 UTC 2015 

On Tue, 10 Mar 2015, Martin Kosek wrote:
>On 03/09/2015 07:22 PM, Alexander Bokovoy wrote:
>> On Mon, 09 Mar 2015, Jakub Hrozek wrote:
>>> On Mon, Mar 09, 2015 at 04:08:46PM +0100, Martin Kosek wrote:
>>>> On 03/09/2015 03:58 PM, Alexander Bokovoy wrote:
>>>> > On Mon, 09 Mar 2015, Martin Kosek wrote:
>>>> ...
>>>> > One of bigger issues we had was lack of versatile ical format parser to
>>>> > handle calendar-like specification of events -- we need to allow
>>>> > importing these ones instead of inventing our own.
>>>>
>>>> Good point. I wonder how rigorous we want to be. iCal is a pretty powerful
>>>> calendaring format. If we want to implement full support for it, it would be
>>>> lot of code both on server side for setting it and on client side for
>>>> evaluating it (CCing Jakub for reference).
>>>>
>>>> AD itself has much simpler UI for setting the access time, a table like that:
>>>> http://www.intelliadmin.com/images/Logon%20Hours%20Windows%20Active%20Directory.jpg
>>>>
>>>>
>>>> IIRC, they only store the bits of "can login/cannot login" for the time slots.
>>>> That's another alternative.
>>>
>>> I don't think that's what Alexander meant, I don't think the client
>>> library should come anywhere close to the iCal format. We might want to
>>> provide a script to convert an external format, but that's about it.
>>>
>>> I thought we could simply reuse parts of the previous grammar, maybe
>>> simplified. But I agree with Nathaniel (as I stated also in the private
>>> thread) that we should use UTC where possible.
>> Yes and no. Let me go in details a bit.
>>
>> We need iCal support to allow importing events created by external
>> tools. We don't need to use it as internal format.
>
>Can you please share a bit what events you have in mind? We are talking about
>HBAC access rules, so I am not sure what you want to import.
>
>Is this for use cases like - I have a recurring Linux learning lab, I want to
>all participants to be able to log in to this system during the lab run?
>
>This may results in pretty complicated time related rules in HBAC, where you
>may need to deal with reocurrence, exceptions, etc. So far more complex than
>the AD use cases
>(http://www.intelliadmin.com/images/Logon%20Hours%20Windows%20Active%20Directory.jpg).
This is where importing iCal is helpful because it allows you to
outsource the task of creating such event to something else.

Parsing event information would produce a rule definition we would store
and SSSD would apply as HBAC rule. However, we don't need ourselves to
provide a complex UI to define such rules. Instead, we can do a simple
UI to create rules plus a UI to import rules defined in iCal by some
other software. The rest is visualizing HBAC time/date rules which is
separate from dealing with complexity of creating or importing rules.

Additionally, for iCal-based imports we can utilize participants
information from the iCal to automatically set up members of the rule
(based on mail attribute).

-- 
/ Alexander Bokovoy

More information about the Freeipa-devel mailing list