[Freeipa-devel] [WIP] Add command to test HBAC rules
Dmitri Pal
dpal at redhat.com
Mon Jul 25 13:46:41 UTC 2011
On 07/25/2011 07:59 AM, Alexander Bokovoy wrote:
> On 22.07.2011 23:10, Alexander Bokovoy wrote:
>>> So this is a little confusing. I thought --rules limited the rules that
>>> were considered. Maybe I'm misunderstanding it.
>> --validate + --rules gives limitation, --rules alone adds more rules to
>> the existing test set which is all enabled rules in IPA.
> I reworked a bit command line interface to avoid confusion like that.
>
> # ipa hbactest --help
> Usage: ipa [global-options] hbactest [options]
>
> Options:
> -h, --help show this help message and exit
> --user=STR User name
> --srchost=STR Source host
> --host=STR Target host
> --service=STR Service
> --rules=LIST Rules to test. If not specified, all enabled rules are
> tested
> --detail Detail rule execution
> --all Include all enabled IPA rules into test
>
> Now if you specify --rules, hbactest will only try to simulate login
> using these rules. You would need to add --all to force considering all
> IPA enabled rules.
I like the functionality but --all does not sound right, may be it
should be --enabled or something else.
> When no --rules are specified, simulation is run against all enabled IPA
> rules.
>
> --validate got replaced by --detail which simply tries to run simulation
> one by one and report results for each rule. You can apply it for any
> run, with or without --rules and --all.
May me --detail should something like --each or --checkeach or
--iterate. The expectation about the term "detail" is a bit different.
The functionality seems OK though.
> If --rules contains a name of non-existent rule, it is simply ignored.
> So if I asked to verify against --rule=foobar where there is no such
> rule, Should there be error message for such cases? Right now you'll get
> False (access is not granted) and --detail will not show any rules.
It should be an error IMO. The reason is that you might have miss-typed
something and think you checked the rule that you miss-typed but it
would turn out that you did not.
> Now, the only mode left out is batch verification of all disabled rules
> for purpose of checking their correctness.
The more I think about it the more I lean towards just having --disabled
to include all disabled rules instead of listing them explicitly in
--rules. It is more a convenience aggregation than any different in
behavior.
> Suppose we have a switch
> --show-invalid that takes all IPA rules and runs a simulation request
> against them, reporting the ones that are invalid only.
Invalid in what way? I am not sure we can detect validity of the rules.
The whole point of the tool was to detect whether a real or test user
will be denied or allowed and whether it is expected or not.
> Such a request
> could be done without any specific (user, source host, target host,
> service) tuple because we are only interested in HBAC_EVAL_ERROR return
I am not sure I understand. What kind of condition would return such an
error?
> code which is independent of input parameters. Unfortunately all we can
> tell in this case is that rule is incorrect, without much details.
> Probably some improvement for libipa_hbac is needed, like converting
> request result into a bit field and returning detailed cause of error
> per tuple element.
>
>
> Current version is attached. It still lacks unit tests.
>
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110725/b8519fc4/attachment.htm>
More information about the Freeipa-devel
mailing list