Time-Based HBAC Policies #23

Closed

@stlaz stlaz commented Aug 25, 2016

Hello,

My branch adds the basic capabilities for adding time policies to HBAC rules. The policies are represented as separate objects that I call "time rules" which can be added to each HBAC rule. The policies are based on the iCalendar format. You can read more about the implementation on its design page Time-Based Account Policies.

@stlaz stlaz self-assigned this Aug 25, 2016
@stlaz stlaz changed the title Prototype of timerules as LDAP objects Time-Based HBAC Policies Aug 25, 2016
VERSION Outdated
IPA_API_VERSION_MINOR=212
# Last change: ab: service: add flag to allow S4U2Self
IPA_API_VERSION_MINOR=213
# added commands for handling time rules
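
Review bot: The comment under IPA_API_VERSION_MINOR=213 drops the "# Last change: who: what" form used by the 212 entry directly above it ("# Last change: ab: service: add flag to allow S4U2Self"). Rewrite it in the same form, for example "# Last change: <who>: add commands for handling time rules", so the line still records who made the latest API change and in which area.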

Please keep the format "# Last change: who: what"

@MartinBasti

I wrote a few comments.

The most serious issue I found was time rule permissions; we must carefully decide what to do now, otherwise it will hurt us in the future.

Would be nice to provide API tests too :)

@stlaz stlaz force-pushed the timerules_2 branch 2 times, most recently from da7e5fa to ba8b909 Compare August 26, 2016 13:04
Time Rules are rules based on the iCalendar format. They are now
currently used for restriction of access in the HBAC Rules.
To learn more about the time rules, see their design at
http://www.freeipa.org/page/V4/Time-Based_Account_Policies.

https://fedorahosted.org/freeipa/ticket/547
stlaz commented Sep 1, 2016

I pushed the latest changes of the time rules to this pull request. These changes were made according to the discussion on the freeipa-devel mailing list; the main change is cutting off some attributes from the ipaHBACRuleV2 objectclass.
Please note that the python-icalendar rebase request for Fedora-rawhide still needs to be created, as I am waiting for the python-icalendar upstream to ACK my pull request collective/icalendar#196.
Also, all the previous issues from this thread should now be fixed. A new privilege was created and added to the IT Security Specialist role.
API tests are still TODO.

@stlaz stlaz removed their assignment Oct 2, 2017
@slaykovsky slaykovsky added the "needs rebase" label (Pull Request cannot be automatically merged - needs to be rebased) Mar 9, 2018
tiran commented Apr 28, 2020

The PR has been lingering for almost three years. I've attached the patch from the PR to ticket https://pagure.io/freeipa/issue/547.

@tiran tiran closed this Apr 28, 2020
Labels: needs rebase, postponed