On Mon, Feb 29, 2016 at 04:23:18PM +0100, Jan Pazdziora wrote:
> On Mon, Feb 29, 2016 at 12:44:01PM +0100, Jakub Hrozek wrote:
> > 
> > > E.g., allow every URI that does NOT start with
> > > $(hostname)/admin/ . It would be possible if there was finite number of
> > > prefixes other than $(hostname)/admin , but it might not be the case.
> > 
> > In this example "hostname" would be an HBAC service. Then there might be
> > additional URI rule "/myapp/*" that would be permitted for the 'appusers'
> > group and an URI rule "myapp/admin*" that would be permitted for the
> > 'appadmins' groups. An attempt to access anything under "myapp/admin"
> > would match both URIs, but unless the user requesting access was a
> > member of appusers, one of the two rules wouldn't match and access would
> > be denied.
> 
> I don't really like this approach. You won't be able to do an "OR"
> operation, granting access to users from group1 and from group2
> (meaning, user in either of those groups but not necessarily in
> both). Yes, you likely could create separate nested user group for
> that but the problem is, in many environments the application admin
> will have enough problems getting the IPA admins to create the HBAC
> rules for them, but creating the extra user groups might be frowned
> upon by their IT department.

I must be missing something, why can't you add both groups to the rule?

(The rules with URIs would match with an AND, the objects referenced in
the rules already match with an OR.)
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
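To make the semantics under discussion concrete, here is an added model of the proposed HBAC-with-URI evaluation (example code written for this thread, not SSSD's or FreeIPA's own). It assumes the rule URI is a shell-style glob matched against the request path with a leading slash, that a rule applies only when its service and URI match, that every applicable rule must grant the user (AND across rules) while any one of a rule's groups suffices (OR within a rule), and that no applicable rule means deny; the rules and group names are constructed from the thread's example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class HbacRule:
    name: str
    service: str         # HBAC service, here the web host name (assumed)
    uri: str             # glob over the request URI (assumed leading slash)
    groups: frozenset    # groups permitted by this rule; OR within a rule


def applicable(rule, service, uri):
    """A rule is consulted only if its service and URI pattern both match."""
    return rule.service == service and fnmatchcase(uri, rule.uri)


def access_allowed(rules, service, uri, user_groups):
    """Return (allowed, names of applicable rules that do not grant the user).

    Allowed iff at least one rule applies and every applicable rule lists a
    group the user is in: AND across rules, OR across groups within a rule.
    """
    matching = [r for r in rules if applicable(r, service, uri)]
    if not matching:
        return False, []          # no rule covers this URI: default deny
    denied_by = [r.name for r in matching if not (r.groups & set(user_groups))]
    return not denied_by, denied_by


# Constructed rules mirroring the thread: "/myapp/*" for appusers,
# "/myapp/admin*" for appadmins, plus one rule listing two groups to show
# that an OR between groups is expressed inside a single rule.
RULES = (
    HbacRule("app_users", "www.example.test", "/myapp/*", frozenset({"appusers"})),
    HbacRule("app_admins", "www.example.test", "/myapp/admin*", frozenset({"appadmins"})),
    HbacRule("reports", "www.example.test", "/reports/*", frozenset({"group1", "group2"})),
)

if __name__ == "__main__":
    for groups in (["appusers"], ["appadmins"], ["appusers", "appadmins"]):
        ok, why = access_allowed(RULES, "www.example.test", "/myapp/admin/users", groups)
        print(groups, "->", "allow" if ok else "deny", why)
```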