[Freeipa-devel] [WIP] Add command to test HBAC rules
Alexander Bokovoy
abokovoy at redhat.com
Tue Jul 26 10:36:02 UTC 2011
On 26.07.2011 06:23, Alexander Bokovoy wrote:
> I'll send updated patch proposal today.
Here is new patch.
$ ipa hbactest --help
Usage: ipa [global-options] hbactest [options]

Options:
  -h, --help       show this help message and exit
  --user=STR       User name
  --srchost=STR    Source host
  --host=STR       Target host
  --service=STR    Service
  --rules=LIST     Rules to test. If not specified, --enabled is assumed
  --detail         Show which rules are passed, denied, or invalid
  --enabled        Include all enabled IPA rules into test [default]
  --disabled       Include all disabled IPA rules into test
The following modes are implemented by the plugin. Given (user, source host,
target host, service), it simulates the user coming from the source host
logging in to the target host's service:
1. Use all enabled HBAC rules in IPA database to simulate:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
--------------------
Access granted: True
--------------------
2. Show detailed summary of how rules were applied:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail
--------------------
Access granted: True
--------------------
denied: my-second-rule, my-third-rule, myrule
passed: allow_all
3. Test explicitly specified HBAC rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
--detail --rules=my-second-rule,myrule
---------------------
Access granted: False
---------------------
denied: my-second-rule, myrule
4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
--detail --rules=my-second-rule,myrule --enabled
--------------------
Access granted: True
--------------------
denied: my-second-rule, my-third-rule, myrule
passed: allow_all
5. Test all disabled HBAC rules in IPA database:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
--detail --disabled
---------------------
Access granted: False
---------------------
denied: new-rule
6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
--detail --rules=my-second-rule,myrule --disabled
---------------------
Access granted: False
---------------------
denied: my-second-rule, myrule, new-rule
7. Test all (enabled and disabled) HBAC rules in IPA database:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
--detail --enabled --disabled
--------------------
Access granted: True
--------------------
denied: my-second-rule, my-third-rule, myrule, new-rule
passed: allow_all
--
/ Alexander Bokovoy
Name: freeipa-abbra-0007-2-add-hbactest-command.patch
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110726/aafb08a9/attachment.ksh>
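As an added illustration, not the attached patch or FreeIPA's own code, here is a small Python model of the decision the command makes: rules are selected the way the --rules/--enabled/--disabled options describe, a rule passes only when all four components of the request match, and access is granted if any tested rule passes. The rule set and the treatment of unknown rule names as "invalid" are constructed assumptions.

```python
from dataclasses import dataclass

ALL = "all"  # models an HBAC rule whose user/host/service category is set to "all"

@dataclass
class Rule:
    """One HBAC rule: each member field is a set of names, or ALL."""
    name: str
    enabled: bool = True
    users: object = ALL
    srchosts: object = ALL
    hosts: object = ALL
    services: object = ALL

    def allows(self, user, srchost, host, service):
        # A rule passes only when all four components match the access request.
        pairs = ((self.users, user), (self.srchosts, srchost),
                 (self.hosts, host), (self.services, service))
        return all(member == ALL or value in member for member, value in pairs)

def hbactest(rules, user, srchost, host, service,
             names=(), enabled=False, disabled=False):
    """Return (granted, detail); detail maps passed/denied/invalid to sorted names.

    Rule selection mirrors the CLI: --rules adds the named rules, --enabled every
    enabled rule, --disabled every disabled one; with none given, --enabled is assumed.
    """
    if not names and not enabled and not disabled:
        enabled = True
    by_name = {r.name: r for r in rules}
    selected = {r.name for r in rules
                if (enabled and r.enabled) or (disabled and not r.enabled)}
    detail = {"passed": [], "denied": [], "invalid": []}
    for n in names:
        if n in by_name:
            selected.add(n)
        else:  # assumption of this model: unknown rule names are reported as invalid
            detail["invalid"].append(n)
    for n in selected:
        ok = by_name[n].allows(user, srchost, host, service)
        detail["passed" if ok else "denied"].append(n)
    for lst in detail.values():
        lst.sort()
    # HBAC rules only ever allow; access is granted when at least one tested rule passes.
    return bool(detail["passed"]), detail

# Constructed rule set that reproduces the sample output quoted in the mail.
RULES = [Rule("allow_all"), Rule("myrule", users={"admin"}),
         Rule("my-second-rule", hosts={"db1"}), Rule("my-third-rule", services={"ftp"}),
         Rule("new-rule", enabled=False, srchosts={"bastion"})]
```

Calling `hbactest(RULES, "a1a", "foo", "bar", "ssh")` yields `(True, {...})` with allow_all passed and the three other enabled rules denied, matching example 2 above.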