[Freeipa-devel] [WIP] Add command to test HBAC rules

Alexander Bokovoy abokovoy at redhat.com
Fri Jul 22 13:54:07 UTC 2011


Now real patch: adds command, updates API.txt and VERSION files, along
with freeipa.spec.


On 22.07.2011 12:32, Alexander Bokovoy wrote:
> Hi,
> 
> attached please find a first cut of an HBAC tester command to CLI,
> FreeIPA ticket https://fedorahosted.org/freeipa/ticket/386
> 
> The idea behind this plugin is to re-use pyhbac module provided by SSSD
> project which is Python bindings for SSSD's libipa_hbac code used for
> actual HBAC rule execution. This requires libipa_hbac-python package.
> 
> There are four modes implemented by the plugin given (user, source host,
> target host, service), attempt to login user coming from source host to
> target host's service:
> 
> 1. Use all enabled HBAC rules in IPA database to simulate
> [root at host0 ~]# ipa  hbactest --user=a1a --srchost=foo --host=bar
> --service=ssh
> --------------------
> Access granted: True
> --------------------
> 
> 2. Use all enabled HBAC rules in IPA database + explicitly specified
> (disabled) rules
> [root at host0 ~]# ipa  hbactest --user=a1a --srchost=foo --host=bar
> --service=ssh --rules=my-second-rule
> --------------------
> Access granted: True
> --------------------
> 
> 3. Use only explicitly specified HBAC rules
> [root at host0 ~]# ipa  hbactest --user=a1a --srchost=foo --host=bar
> --service=ssh --rules=my-second-rule,new-rule --validate
> --------------------
> Access granted: True
> --------------------
>   Passed rules: new-rule
>   Denied rules: my-second-rule
> 
> 4. Get detailed result of simulation for all enabled HBAC rules:
> [root at host0 ~]# ipa  hbactest --user=a1a --srchost=foo --host=bar
> --service=ssh  --validate
> --------------------
> Access granted: True
> --------------------
>   Passed rules: allow_all
>   Denied rules: my-second-rule, my-third-rule, myrule
> 
> --validate option forces to run detailed simulation and report per-rule
> results. Results are: passed, denied, error. The latter one is for
> wrongly specified rules which should not be enabled.
> 
> When --validate specified together with --rules, only HBAC rules
> specified on the command line are considered.
> 
> I'm still not sure if running simulation against all disabled HBAC rules
> in database is worth it.
> 
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel


-- 
/ Alexander Bokovoy
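To make the rule-selection semantics of the four modes checkable offline, here is a small model of HBAC evaluation. It is an added example, not the hbactest plugin, pyhbac, or SSSD's libipa_hbac code: the rule set, the request and the "error" verdict for a rule with an empty element set are all constructed assumptions, and the allow-only decision (access is granted when at least one selected rule matches) is how FreeIPA HBAC rules work.

```python
"""Toy model of FreeIPA HBAC rule evaluation (added example; not the hbactest
plugin or SSSD's libipa_hbac/pyhbac code).  It reproduces the rule-selection
modes described in the mail so their semantics can be checked offline."""
from dataclasses import dataclass, field

ALL = "all"  # stands for an element whose category is "all" (as in allow_all)


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    users: set = field(default_factory=set)     # user names, or {ALL}
    hosts: set = field(default_factory=set)     # target host names, or {ALL}
    services: set = field(default_factory=set)  # service names, or {ALL}
    srchosts: set = field(default_factory=set)  # source host names, or {ALL}


@dataclass(frozen=True)
class HbacRequest:
    user: str
    srchost: str
    host: str
    service: str


def _matches(element: set, value: str) -> bool:
    return ALL in element or value in element


def evaluate_rule(rule: HbacRule, req: HbacRequest) -> str:
    """Return 'passed', 'denied' or 'error' for one rule.

    'error' models a wrongly specified rule.  Assumption for this example:
    a rule with an empty element set can never match and is reported as an
    error rather than a denial, since such a rule should not be enabled."""
    pairs = ((rule.users, req.user), (rule.hosts, req.host),
             (rule.services, req.service), (rule.srchosts, req.srchost))
    if any(not element for element, _ in pairs):
        return "error"
    return "passed" if all(_matches(e, v) for e, v in pairs) else "denied"


def hbactest(rules, req, explicit=None, validate=False):
    """Simulate `ipa hbactest` rule selection and the allow-only decision.

    Rule selection follows the mail:
      - no --rules:               all enabled rules
      - --rules, no --validate:   enabled rules plus the named ones
      - --rules with --validate:  only the named rules
    Access is granted iff at least one selected rule passes.  With
    validate=True the per-rule verdicts are returned as well."""
    by_name = {r.name: r for r in rules}
    if explicit is None:
        selected = [r for r in rules if r.enabled]
    elif validate:
        selected = [by_name[n] for n in explicit]
    else:
        selected = [r for r in rules if r.enabled or r.name in explicit]

    verdicts = {"passed": [], "denied": [], "error": []}
    for rule in selected:
        verdicts[evaluate_rule(rule, req)].append(rule.name)
    result = {"granted": bool(verdicts["passed"])}
    if validate:
        result.update(verdicts)
    return result


# Constructed sample rule set echoing the rule names used in the mail.
SAMPLE_RULES = [
    HbacRule("allow_all", True, {ALL}, {ALL}, {ALL}, {ALL}),
    HbacRule("myrule", True, {"admin"}, {"bar"}, {"sshd"}, {ALL}),
    HbacRule("my-second-rule", True, {"a1a"}, {"baz"}, {"ssh"}, {"foo"}),
    HbacRule("my-third-rule", True, {"a1a"}, {"bar"}, {"ftp"}, {ALL}),
    HbacRule("new-rule", False, {"a1a"}, {"bar"}, {"ssh"}, {"foo"}),
    HbacRule("broken-rule", False, {"a1a"}, {"bar"}, set(), {ALL}),  # no services
]
REQUEST = HbacRequest(user="a1a", srchost="foo", host="bar", service="ssh")

if __name__ == "__main__":
    print(hbactest(SAMPLE_RULES, REQUEST))                      # mode 1
    print(hbactest(SAMPLE_RULES, REQUEST, explicit=["new-rule"]))  # mode 2
    print(hbactest(SAMPLE_RULES, REQUEST,
                   explicit=["my-second-rule", "new-rule"], validate=True))  # mode 3
    print(hbactest(SAMPLE_RULES, REQUEST, validate=True))       # mode 4
```

Dropping allow_all from the list (`SAMPLE_RULES[1:]`) shows why mode 2 matters: the enabled rules alone deny the request, and naming the disabled `new-rule` on the command line is what flips the simulated decision to granted before the rule is ever enabled in the directory.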
Attachment: freeipa-abbra-0007-add-hbactest-command.patch
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110722/171de155/attachment.ksh>