On Fri, 2016-08-26 at 11:55 +0200, Martin Basti wrote:
>
> On 26.08.2016 11:43, Jan Cholasta wrote:
> > Hi,
> >
> > On 11.8.2016 12:34, Stanislav Laznicka wrote:
> >> Hello,
> >>
> >> I updated the design of the Time-Based HBAC Policies according to the
> >> discussion we led here earlier. Please check the design page
> >> http://www.freeipa.org/page/V4/Time-Based_Account_Policies. The biggest
> >> changes are in the Implementation and Feature Management sections. I
> >> also added a short How to Use section.
> >
> > 1) Please use the 'ipa' prefix for new attributes: memberTimeRule ->
> > ipaMemberTimeRule
> >
> >
> > 2) Source hosts are deprecated and thus should be removed from
> > ipaHBACRuleV2.
> >
> >
> > 3) Since time rules are defined by memberTimeRule, accessTime should
> > be removed from ipaHBACRuleV2.
>
> ad 2) 3)
>
> Because of backward compatibility, ipaHBACRuleV2 must contain all
> attributes from ipaHBACRule as MAY.
>
> With the current approach, when a timerule is added to an HBAC rule, we just change
> the objectclass from 'ipahbacrule' to 'ipahbacrulev2' so we keep all
> attributes that were defined in the older HBAC rule. Removing any attrs from
> ipaHBACRuleV2 can cause a schema violation.
Is there a good reason to "change" the objectclass instead of just
"adding" to it? Are v1 and v2 "incompatible" at the object level?
(Sorry, I probably knew the answer last I looked at it but I somehow forgot.)

> I'm not sure if we want to handle this in code (removing deprecated
> attributes from the HBAC entry when a timerule is added).
>
> I realized that AccessTime is MUST for 'ipahbacrule', so when the timerule
> ('ipahbacrulev2') is removed and somebody deleted accesstime we have to
> add it back.

What is it set to these days?

Simo.

> >
> >
> > 4) The CLI sections need more work, especially for non-standard
> > commands like timerule-test.
> >
> >> On the link below is a PROTOTYPE-patched FreeIPA that covers most of the
> >> CLI functionality (except for the creation of iCalendar strings from
> >> options) for better illustration of the design.
> >>
> >> https://github.com/stlaz/freeipa/tree/timerules_2
> >>
> >> I will add FreeIPA people that recently had some say about this to CC so
> >> that we can get the discussion flowing.
> >
> > Honza
>

-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code