On 02/28/2016 11:42 AM, Jakub Hrozek wrote:
> On Fri, Feb 26, 2016 at 02:03:37PM +0100, Lukáš Hellebrandt wrote:
>>> First question I have is that the URLs only match on complete string
>>> match. From past conversations I thought we wanted to add a more
>>> granular evaluation..?
>>
>> I am planning to interpret URI as a prefix. However, there might be
>> a problem getting enough granularity because FreeIPA has dropped DENY
>> rules: it will be hard to get some behaviors, e.g. "Allow access to
>> hostname/* but not to hostname/admin/*". I do not know yet how to solve
>> this.
>
> Wouldn't it help if all rules that match URI-wise need to allow the
> person requesting the resource?
>

I am not sure if I understand. The problem is, I do not know how to make
a rule to allow "everything except". E.g., allow every URI that does NOT
start with $(hostname)/admin/. It would be possible if there was a finite
number of prefixes other than $(hostname)/admin, but it might not be the
case.
-- 
Lukas Hellebrandt
Associate Quality Engineer
lhell...@redhat.com
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
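
The two ways of combining allow-only prefix rules raised in this thread, as an added example that is not part of the original messages and is not SSSD or FreeIPA code. The Rule type, the user names and host.example.com are assumptions made for illustration.

```python
# Added illustration; rule layout and names are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    uri_prefix: str            # rule applies to every URI starting with this
    allowed_users: frozenset   # allow-only: there is no DENY rule type


# Constructed sample policy: everyone may use the host, only root the admin area.
RULES = [
    Rule("host.example.com/", frozenset({"alice", "bob", "root"})),
    Rule("host.example.com/admin/", frozenset({"root"})),
]


def matching_rules(uri, rules):
    """Rules whose prefix matches the requested URI."""
    return [r for r in rules if uri.startswith(r.uri_prefix)]


def allowed_any(user, uri, rules=RULES):
    """One matching rule that lists the user is enough (rules only add access)."""
    return any(user in r.allowed_users for r in matching_rules(uri, rules))


def allowed_all(user, uri, rules=RULES):
    """Every rule matching the URI must list the user; no match means deny."""
    matched = matching_rules(uri, rules)
    return bool(matched) and all(user in r.allowed_users for r in matched)


if __name__ == "__main__":
    requests = [
        ("alice", "host.example.com/index.html"),
        ("alice", "host.example.com/admin/users"),
        ("root", "host.example.com/admin/users"),
        ("alice", "other.example.com/"),
    ]
    for user, uri in requests:
        print(f"{user:5} {uri:30} any={allowed_any(user, uri)} "
              f"all={allowed_all(user, uri)}")
```

With the "all matching rules" evaluation, a user who should reach hostname/admin/* has to be listed in the broader hostname/* rule as well, because that rule also matches the admin URIs.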