[Freeipa-devel] [WIP] Add command to test HBAC rules
Alexander Bokovoy
abokovoy at redhat.com
Fri Jul 22 09:32:13 UTC 2011
Hi,
attached please find a first cut of an HBAC tester command to CLI,
FreeIPA ticket https://fedorahosted.org/freeipa/ticket/386
The idea behind this plugin is to re-use pyhbac module provided by SSSD
project which is Python bindings for SSSD's libipa_hbac code used for
actual HBAC rule execution. This requires libipa_hbac-python package.
There are four modes implemented by the plugin. Given (user, source host,
target host, service), it attempts to log in the user coming from the source
host to the target host's service:
1. Use all enabled HBAC rules in IPA database to simulate
[root at host0 ~]# ipa hbactest --user=a1a --srchost=foo --host=bar
--service=ssh
--------------------
Access granted: True
--------------------
2. Use all enabled HBAC rules in IPA database + explicitly specified
(disabled) rules
[root at host0 ~]# ipa hbactest --user=a1a --srchost=foo --host=bar
--service=ssh --rules=my-second-rule
--------------------
Access granted: True
--------------------
3. Use only explicitly specified HBAC rules
[root at host0 ~]# ipa hbactest --user=a1a --srchost=foo --host=bar
--service=ssh --rules=my-second-rule,new-rule --validate
--------------------
Access granted: True
--------------------
Passed rules: new-rule
Denied rules: my-second-rule
4. Get detailed result of simulation for all enabled HBAC rules:
[root at host0 ~]# ipa hbactest --user=a1a --srchost=foo --host=bar
--service=ssh --validate
--------------------
Access granted: True
--------------------
Passed rules: allow_all
Denied rules: my-second-rule, my-third-rule, myrule
The --validate option forces a detailed simulation and reports per-rule
results. Results are: passed, denied, error. The latter is for wrongly
specified rules, which should not be enabled.
When --validate is specified together with --rules, only the HBAC rules
specified on the command line are considered.
I'm still not sure if running a simulation against all disabled HBAC rules
in the database is worth it.
--
/ Alexander Bokovoy
Name: hbactest.py
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110722/4b5e46c9/attachment.ksh>
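A small re-implementation of the mode selection and per-rule reporting described in the mail, added here as an illustrative example; it is not the attached hbactest.py and does not use SSSD's pyhbac or libipa_hbac. The Rule dataclass, the `all` category marker, the rule names and the sample rules are constructed assumptions chosen so that the outputs line up with the four modes shown above.

```python
"""Toy HBAC evaluator (added example, not FreeIPA or pyhbac code).

Models the four hbactest modes from the mail: all enabled rules, enabled
rules plus explicitly named ones, only explicitly named rules (--rules
together with --validate), and per-rule reporting. Rule layout and the ALL
marker are assumptions; real rules live in the IPA directory and are
evaluated by libipa_hbac.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Union

ALL = "all"  # assumed marker: a category that matches any value
Members = Union[str, Set[str]]  # ALL, or an explicit member set


@dataclass
class Rule:
    name: str
    enabled: bool = True
    users: Members = ALL
    srchosts: Members = ALL
    hosts: Members = ALL
    services: Members = ALL


def _matches(members: Members, candidate: str) -> bool:
    """True when the category covers the candidate. A malformed category
    (neither ALL nor a set) raises, so the rule is reported as 'error'."""
    if members == ALL:
        return True
    if not isinstance(members, (set, frozenset)):
        raise ValueError("malformed rule category: %r" % (members,))
    return candidate in members


def evaluate_rule(rule: Rule, user: str, srchost: str, host: str, service: str) -> str:
    """Per-rule verdict as --validate reports it: passed, denied or error."""
    checks = (
        (rule.users, user),
        (rule.srchosts, srchost),
        (rule.hosts, host),
        (rule.services, service),
    )
    try:
        return "passed" if all(_matches(m, c) for m, c in checks) else "denied"
    except ValueError:
        return "error"


def hbactest(rules: Iterable[Rule], user: str, srchost: str, host: str,
             service: str, explicit: Iterable[str] = (), validate: bool = False) -> Dict[str, object]:
    """Simulate access for (user, srchost, host, service).

    explicit  -> names given with --rules; validate -> --validate.
    Rule selection follows the mail: --rules with --validate considers only
    the named rules; --rules alone adds them to the enabled set; otherwise
    all enabled rules are used. Access is granted if any considered rule passes.
    """
    rules = list(rules)
    explicit = tuple(explicit)
    by_name = {r.name: r for r in rules}
    unknown = [n for n in explicit if n not in by_name]
    if unknown:
        raise KeyError("unknown HBAC rule(s): %s" % ", ".join(unknown))
    if explicit and validate:
        considered = [by_name[n] for n in explicit]
    elif explicit:
        considered = [r for r in rules if r.enabled or r.name in explicit]
    else:
        considered = [r for r in rules if r.enabled]
    verdicts = {r.name: evaluate_rule(r, user, srchost, host, service) for r in considered}
    result: Dict[str, object] = {"granted": any(v == "passed" for v in verdicts.values())}
    if validate:
        for state in ("passed", "denied", "error"):
            result[state] = sorted(n for n, v in verdicts.items() if v == state)
    return result


# Constructed sample rule set (not real IPA data). 'broken-rule' has a string
# where a set is expected, standing in for a wrongly specified rule.
SAMPLE_RULES: List[Rule] = [
    Rule("allow_all"),
    Rule("my-second-rule", users={"b2b"}),
    Rule("my-third-rule", hosts={"baz"}),
    Rule("myrule", services={"ftp"}),
    Rule("new-rule", enabled=False, users={"a1a"}, srchosts={"foo"},
         hosts={"bar"}, services={"ssh"}),
    Rule("broken-rule", enabled=False, users="a1a"),
]

if __name__ == "__main__":
    # Mode 4: all enabled rules with per-rule detail.
    print(hbactest(SAMPLE_RULES, "a1a", "foo", "bar", "ssh", validate=True))
    # Mode 3: only the explicitly named rules.
    print(hbactest(SAMPLE_RULES, "a1a", "foo", "bar", "ssh",
                   explicit=("my-second-rule", "new-rule"), validate=True))
```

The point worth noticing is the mode-3 behaviour: with --rules and --validate the enabled set is ignored entirely, so a disabled draft rule can be exercised in isolation before it is turned on, and a malformed rule surfaces as 'error' rather than silently denying.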