On Tue, 2015-03-24 at 08:40 +0100, Martin Kosek wrote: > On 03/24/2015 08:20 AM, Jakub Hrozek wrote: > > On Tue, Mar 24, 2015 at 08:07:53AM +0100, Martin Kosek wrote: > >> On 03/24/2015 07:16 AM, Jan Cholasta wrote: > >>> Dne 23.3.2015 v 20:17 Standa Láznička napsal(a): > >> ... > >>>>> Given the above, HBAC rules could contain (time, anchor), where anchor > >>>>> is "UTC", "user local time" or "host local time". > >>>> Truth is, it was not really clear to me from the last week's discussion > >>>> whose "Local Time" to use - do we use host's or do we use user's? It > >>>> would make sense to me to use the user's local time. But then you would > >>>> need to really store at least the timezone information with each user > >>>> object. And that information should probably change with user moving > >>>> between different timezones. That's quite a pickle I am in right here. > >>> > >>> IMO whether to use user or host local time depends on organization local > >>> policy, hence my suggestion to support both. > >> > >> I am bit confused, I would like to make sure we are on the same page with > >> regards to Local Time. When the Local Time rule is created, anchor will be > >> set > >> to "Local Time". Then SSSD would simply use host's local time, in whichever > >> time zone the HBAC host is. > > > > Yes, that was my understanding also. > > > >> > >> So this is the default host enforcement. For the user, you want to let SSSD > >> check authenticated user's entry, to see if there is a timezone > >> information? > >> This would of course depend on the information being available. For AD > >> users, > >> you would need to set it in ID Views or similar. > > > > Yes, also in a previous e-mail, there was a suggestion to change > > timezones by admin when the user changes timezones -- I didn't like that > > part, it seems really error prone and tedious. *If* there was this > > choice, it should not be the default, rather the default should also be > > host local time IMO. > > Host local time zone was the original case I expected. Enforcing *user* local > time zone is where this discussion started. Honze proposed making this an > option - leaving us to 3 different time modes: > > * UTC - stored as (time + olson time zone), enforcement is clear > * Host Local Time - stored as (time + Host Local Time), enforcement by > /etc/localtime > * User Local Time - stored as (time + User Local Time), enforcement by ??? > > So the rule may be: > * Employee Foo can access web service Bar only in his work hours > > IMO, it is realistic for an administrator to set the time zone setting in the > employee entry. Of course, it gets tricky when the user starts moving around > the globe... >
Host Based Access Control is about controlling access based on the *HOST*. I do not see any space for user time zones honestly. If and when someone will vehemently ask for 'per-user' time zones we can talk about it. Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code