[Freeipa-devel] Time-based account policies

Jakub Hrozek jhrozek at redhat.com
Tue Mar 10 15:06:01 UTC 2015


On Tue, Mar 10, 2015 at 03:47:10PM +0100, Martin Kosek wrote:
> > This is where importing iCal is helpful because it allows you to
> > outsource the task of creating such event to something else.
> > 
> > Parsing event information would produce a rule definition we would store
> > and SSSD would apply as HBAC rule. However, we don't need ourselves to
> > provide a complex UI to define such rules. Instead, we can do a simple
> > UI to create rules plus a UI to import rules defined in iCal by some
> > other software. The rest is visualizing HBAC time/date rules which is
> > separate from dealing with complexity of creating or importing rules.
> > 
> > Additionally, for iCal-based imports we can utilize participants
> > information from the iCal to automatically set up members of the rule
> > (based on mail attribute).
> > 
> 
> Ah, makes sense to me.
> 
> With all the possibilities that iCal format offers, we would more or less end
> up storing iCal in HBAC rules (or our own format of iCal). I am just concerned
> it would make a bit complex processing on SSSD side, especially in the security
> sensitive piece for authorization rules.
> 
> We may need to use libraries for processing iCal rules, like libical
> (http://koji.fedoraproject.org/koji/buildinfo?buildID=606329)...

Is that what Alexander said, though? In his reply, I see:
    "Parsing event information would produce a rule definition we would
    store and SSSD would apply as HBAC rule".

I don't think an iCal dependency is something we want in SSSD; the
rules should be converted from iCal to SSSD format in a layer atop
libipa_hbac.



