[Freeipa-devel] [WIP] Add command to test HBAC rules
Dmitri Pal
dpal at redhat.com
Tue Jul 26 19:55:47 UTC 2011
On 07/26/2011 06:36 AM, Alexander Bokovoy wrote:
> On 26.07.2011 06:23, Alexander Bokovoy wrote:
>> I'll send updated patch proposal today.
> Here is new patch.
>
> $ ipa hbactest --help
> Usage: ipa [global-options] hbactest [options]
>
> Options:
> -h, --help show this help message and exit
> --user=STR User name
> --srchost=STR Source host
> --host=STR Target host
> --service=STR Service
> --rules=LIST Rules to test. If not specified, --enabled is assumed
> --detail Show which rules are passed, denied, or invalid
> --enabled Include all enabled IPA rules into test [default]
> --disabled Include all disabled IPA rules into test
>
> Following modes are implemented by the plugin given (user, source host,
> target host, service), attempt to login user coming from source host to
> target host's service:
>
> 1. Use all enabled HBAC rules in IPA database to simulate:
> $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
> --------------------
> Access granted: True
> --------------------
>
> 2. Show detailed summary of how rules were applied:
> $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail
> --------------------
> Access granted: True
> --------------------
> denied: my-second-rule, my-third-rule, myrule
> passed: allow_all
>
> 3. Test explicitly specified HBAC rules:
> $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
> --detail --rules=my-second-rule,myrule
> ---------------------
> Access granted: False
> ---------------------
> denied: my-second-rule, myrule
>
> 4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
> $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
> --detail --rules=my-second-rule,myrule --enabled
> --------------------
> Access granted: True
> --------------------
> denied: my-second-rule, my-third-rule, myrule
> passed: allow_all
>
> 5. Test all disabled HBAC rules in IPA database:
> $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
> --detail --disabled
> ---------------------
> Access granted: False
> ---------------------
> denied: new-rule
>
> 6. Test all disabled HBAC rules in IPA database + explicitly specified
> rules:
> $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
> --detail --rules=my-second-rule,myrule --disabled
> ---------------------
> Access granted: False
> ---------------------
> denied: my-second-rule, myrule, new-rule
>
> 7. Test all (enabled and disabled) HBAC rules in IPA database:
> $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
> --detail --enabled --disabled
> --------------------
> Access granted: True
> --------------------
> denied: my-second-rule, my-third-rule, myrule, new-rule
> passed: allow_all
>
>
The tests imply that there are deny rules. We removed them so very soon
there would be no deny rules. Should the results of the test show
something like:
------------------------------
Access granted : True
------------------------------
Granted by:
------------------------------
X
Y
Z
Or
------------------------------
Access granted : False
------------------------------
Access not granted by any allow rule
------------------------------
(I do not think you have a test for this case...)
Or (for backward compatibility)
------------------------------
Access granted : False
------------------------------
Granted by:
------------------------------
X
Y
Z
------------------------------
Denied by:
------------------------------
A
B
C
This format seems to be more scriptable. You do not need to deal with
escaping commas if they are used in the name of the rule.
But I do not insist - this is just an example of potential output. Rob,
Martin, do you have any comments, suggestions?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
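To make the semantics under discussion concrete, here is a small allow-only HBAC simulator that mirrors the option combinations from the quoted `--help` text (explicit `--rules`, `--enabled`, `--disabled`, with `--enabled` assumed when nothing is given) and prints its result in the one-rule-per-line layout proposed in the reply. This is added example code for the discussion, not FreeIPA's `hbactest` plugin; the `Rule` model, the `ALL` category stand-in, and the sample rule contents are assumptions (only the rule names are borrowed from the transcript).

```python
"""Toy simulation of allow-only HBAC evaluation and the per-line report format
proposed in the reply. Added example code, not FreeIPA's hbactest plugin; the
Rule model and every sample rule below are constructed assumptions."""
from dataclasses import dataclass

ALL = "all"  # stands in for an IPA category of "all" (matches every value)


@dataclass(frozen=True)
class Rule:
    """An allow-only HBAC rule: each selector is ALL or a frozenset of names."""
    name: str
    enabled: bool
    users: object = ALL
    srchosts: object = ALL
    hosts: object = ALL
    services: object = ALL


def _matches(selector, value):
    return selector == ALL or value in selector


def rule_applies(rule, user, srchost, host, service):
    """True when every selector of the rule covers the request tuple."""
    return (_matches(rule.users, user) and _matches(rule.srchosts, srchost)
            and _matches(rule.hosts, host) and _matches(rule.services, service))


def select_rules(rules, names=(), enabled=False, disabled=False):
    """Mirror the option semantics from the quoted --help: explicit --rules are
    always included, --enabled/--disabled add whole sets, and with no --rules
    and neither flag --enabled is assumed. Unknown names are reported as invalid."""
    by_name = {r.name: r for r in rules}
    if not names and not enabled and not disabled:
        enabled = True
    chosen, invalid = {}, []
    for n in names:
        if n in by_name:
            chosen[n] = by_name[n]
        else:
            invalid.append(n)
    for r in rules:
        if (enabled and r.enabled) or (disabled and not r.enabled):
            chosen[r.name] = r
    return list(chosen.values()), invalid


def hbactest(rules, user, srchost, host, service, names=(), enabled=False, disabled=False):
    """Allow-only evaluation: access is granted iff at least one selected rule applies."""
    selected, invalid = select_rules(rules, names, enabled, disabled)
    granted_by = sorted(r.name for r in selected
                        if rule_applies(r, user, srchost, host, service))
    not_matched = sorted(r.name for r in selected if r.name not in granted_by)
    return {"granted": bool(granted_by), "granted_by": granted_by,
            "not_matched": not_matched, "invalid": sorted(invalid)}


SEP = "-" * 30


def format_report(result):
    """One rule per line, so a comma inside a rule name needs no escaping when scripted."""
    lines = [SEP, f"Access granted : {result['granted']}", SEP]
    if result["granted_by"]:
        lines += ["Granted by:", SEP] + result["granted_by"]
    else:
        lines.append("Access not granted by any allow rule")
    if result["invalid"]:
        lines += [SEP, "Invalid rules:", SEP] + result["invalid"]
    return "\n".join(lines)


# Constructed sample rule set: names come from the quoted transcript, contents are
# invented for the example. "ops, nightly" carries a comma on purpose.
RULES = [
    Rule("allow_all", True),
    Rule("my-second-rule", True, users=frozenset({"b2b"})),
    Rule("my-third-rule", True, hosts=frozenset({"baz"})),
    Rule("myrule", True, services=frozenset({"ftp"})),
    Rule("ops, nightly", True, users=frozenset({"ops"}), hosts=frozenset({"bar"})),
    Rule("new-rule", False, users=frozenset({"zed"})),
]

if __name__ == "__main__":
    print(format_report(hbactest(RULES, "a1a", "foo", "bar", "ssh")))
    print(format_report(hbactest(RULES, "a1a", "foo", "bar", "ssh",
                                 names=("my-second-rule", "myrule"))))
    print(format_report(hbactest(RULES, "ops", "foo", "bar", "ssh")))
```

Running it reproduces the shape of cases 1 to 7 from the transcript with allow rules only: the default run grants `a1a` through `allow_all`, an explicit `--rules` list without `--enabled` evaluates just those rules, and the disabled set alone grants nothing. The `ops` run shows why the per-line layout is easier to consume from a script: `allow_all` and `ops, nightly` land on separate lines, so a consumer splitting on newlines never has to disambiguate the comma.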