On Mon, Feb 29, 2016 at 12:44:01PM +0100, Jakub Hrozek wrote:
> E.g., allow every URI that does NOT start with
> $(hostname)/admin/ . It would be possible if there was finite number of
> prefixes other than $(hostname)/admin , but it might not be the case.
In this example "hostname" would be an HBAC service. Then there might be
additional URI rule "/myapp/*" that would be permitted for the 'appusers'
group and an URI rule "myapp/admin*" that would be permitted for the
'appadmins' groups. An attempt to access anything under "myapp/admin"
would match both URIs, but unless the user requesting access was a
member of appusers, one of the two rules wouldn't match and access would
be denied.
I don't really like this approach. You won't be able to do an "OR"
operation, granting access to users from group1 and from group2
(meaning, user in either of those groups but not necessarily in
both). Yes, you likely could create separate nested user group for
that but the problem is, in many environments the application admin
will have enough problems getting the IPA admins to create the HBAC
rules for them, but creating the extra user groups might be frowned
upon by their IT department.
Ideally the permissions should be able to work with the existing
groups and users.
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
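To make the rule semantics discussed in this message concrete, here is an added example, not code from FreeIPA or from anyone in the thread. It models URI rules under the "every matching rule must also permit the user" evaluation described above, using a hypothetical `Rule` class and `evaluate()` function, and then shows the "OR" limitation Jan raises: two separate rules for the same URI and two different groups deny a user who is in only one of them, while a single rule on a nested group (the workaround he mentions) grants access. Leading slashes on the patterns are normalised to "/myapp/*" and "/myapp/admin*", which is an assumption; all rule names, groups, service names and paths are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed model of the evaluation semantics described in the message:
# every URI rule whose pattern matches the requested path must also grant
# the requesting user; if any matching rule does not, access is denied.
# Rule names, groups, the HBAC service name and the paths are made up.


class Rule:
    def __init__(self, name, service, uri_pattern, groups):
        self.name = name
        self.service = service            # HBAC service (the hostname)
        self.uri_pattern = uri_pattern    # glob over the request path
        self.groups = frozenset(groups)   # groups the rule grants

    def matches_uri(self, service, path):
        # fnmatchcase's '*' spans '/' too, so "/myapp/*" covers "/myapp/admin/x"
        return self.service == service and fnmatchcase(path, self.uri_pattern)

    def permits(self, user_groups):
        return bool(self.groups & user_groups)


def evaluate(rules, service, path, user_groups):
    """Return (allowed, names of matching rules, names of matching rules
    that do not permit the user). No matching rule means default deny."""
    user_groups = frozenset(user_groups)
    matching = [r for r in rules if r.matches_uri(service, path)]
    if not matching:
        return False, [], []
    denying = [r.name for r in matching if not r.permits(user_groups)]
    return not denying, [r.name for r in matching], denying


# Constructed group nesting, used only for the nested-group workaround:
# both group1 and group2 are members of reportusers.
NESTED = {"group1": {"reportusers"}, "group2": {"reportusers"}}


def effective_groups(direct_groups, nesting=NESTED):
    """Expand direct memberships through nested groups (assumed model)."""
    result = set(direct_groups)
    stack = list(direct_groups)
    while stack:
        group = stack.pop()
        for parent in nesting.get(group, ()):
            if parent not in result:
                result.add(parent)
                stack.append(parent)
    return frozenset(result)


SERVICE = "www.example.com"  # the hostname acting as the HBAC service

# The example from the message: a broad rule for appusers and a narrower
# one for appadmins; anything under /myapp/admin matches both.
MYAPP_RULES = [
    Rule("myapp-users", SERVICE, "/myapp/*", {"appusers"}),
    Rule("myapp-admins", SERVICE, "/myapp/admin*", {"appadmins"}),
]

# The "OR" case: group1 and group2 should both reach /reports/*, written
# as two rules.  Under these semantics a group1-only user is denied,
# because the group2 rule also matches and does not permit them.
REPORT_RULES_SEPARATE = [
    Rule("reports-group1", SERVICE, "/reports/*", {"group1"}),
    Rule("reports-group2", SERVICE, "/reports/*", {"group2"}),
]

# The workaround: one rule on a nested group containing group1 and group2.
REPORT_RULE_NESTED = [
    Rule("reports", SERVICE, "/reports/*", {"reportusers"}),
]


if __name__ == "__main__":
    cases = [
        (MYAPP_RULES, "/myapp/admin/users", {"appusers", "appadmins"}),
        (MYAPP_RULES, "/myapp/admin/users", {"appadmins"}),
        (MYAPP_RULES, "/myapp/index", {"appusers"}),
        (REPORT_RULES_SEPARATE, "/reports/q1", {"group1"}),
        (REPORT_RULE_NESTED, "/reports/q1", effective_groups({"group1"})),
    ]
    for rules, path, groups in cases:
        allowed, matched, denying = evaluate(rules, SERVICE, path, groups)
        print(f"{path:22} groups={sorted(groups)} -> "
              f"{'ALLOW' if allowed else 'DENY'} "
              f"(matched {matched}, denied by {denying})")
```

The `denying` list returned by `evaluate()` is what an admin would want in an audit log: it names the rule that matched the URI but did not grant the user, which is exactly the rule that turns the intended OR into an AND.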