[Freeipa-devel] Time-based account policies

Alexander Bokovoy abokovoy at redhat.com
Tue Mar 10 16:33:21 UTC 2015 

On Tue, 10 Mar 2015, Gabe Alford wrote:
>On Tue, Mar 10, 2015 at 9:51 AM, Stanislav Láznička <slaz at seznam.cz> wrote:
>
>> On 03/10/2015 04:06 PM, Jakub Hrozek wrote:
>>
>>> On Tue, Mar 10, 2015 at 03:47:10PM +0100, Martin Kosek wrote:
>>>
>>>> This is where importing iCal is helpful because it allows you to
>>>>> outsource the task of creating such event to something else.
>>>>>
>>>>> Parsing event information would produce a rule definition we would store
>>>>> and SSSD would apply as HBAC rule. However, we don't need ourselves to
>>>>> provide a complex UI to define such rules. Instead, we can do a simple
>>>>> UI to create rules plus a UI to import rules defined in iCal by some
>>>>> other software. The rest is visualizing HBAC time/date rules which is
>>>>> separate from dealing with complexity of creating or importing rules.
>>>>>
>>>>> Additionally, for iCal-based imports we can utilize participants
>>>>> information from the iCal to automatically set up members of the rule
>>>>> (based on mail attribute).
>>>>>
>>>>>  Ah, makes sense to me.
>>>>
>>>> With all the possibilities that iCal format offers, we would more or
>>>> less end
>>>> up storing iCal in HBAC rules (or our own format of iCal). I am just
>>>> concerned
>>>> it would make a bit complex processing on SSSD side, especially in the
>>>> security
>>>> sensitive piece for authorization rules.
>>>>
>>>> We may need to use libraries for processing iCal rules, like libical
>>>> (http://koji.fedoraproject.org/koji/buildinfo?buildID=606329)...
>>>>
>>> Is that what Alexander said, though? In his reply, I see:
>>>      "Parsing event information would produce a rule definition we would
>>>      store and SSSD would apply as HBAC rule".
>>>
>> This is what kind of worried me, too. If I understand it well, this means
>> you would have iCal events such as holidays (these were mentioned before),
>> and you would like to generate HBAC rules based on these events. Those
>> rules would, however, be different for each country (if this is still about
>> holidays) and might collide among user and host groups. Therefore, you
>> would have lots and lots of rules in the end, wouldn't you?
>>
>> I wonder if anyone does that. From what I've seen in AD and 389 Directory
>> Server, time-based rules are being stored in a rather simple manner. I
>> don't mind a more complex solution but I think such exceptions might be
>> little too much. But I might have not understood the idea very well.
>
>
>This is my understanding as well. If using AD as the example, there are two
>ways that timebased rules are configured:
>     1. Permit logon hours during specified timeframe on specified day(s)
>of the week.
>     2. Deny logon hours during specified timeframe on specified day(s) of
>the week.
>
>There is nothing about holidays. I think that implementing holidays and
>special exemptions should be avoided.
Yep. Except that we DENY by default in HBAC rules. So we only handle
ALLOW case already and there are strong reasons not to structure HBAC
rules to provide DENY too.

-- 
/ Alexander Bokovoy

More information about the Freeipa-devel mailing list