[Freeipa-devel] Exporting users "access formulars"

Florian Crouzat tech at floriancrouzat.net
Wed Aug 5 12:39:06 UTC 2015


On 08/05/2015 02:32 PM, Martin Kosek wrote:
> On 08/05/2015 12:53 PM, Tomas Babej wrote:
>>
>>
>> On 08/04/2015 03:13 PM, Florian Crouzat wrote:
>>> Hey,
>>>
>>> For security reasons (mostly PCI-DSS) I have to print and sign off access
>>> formulars for every user, and also to maintain these formulars in time,
>>> which means that every time I add a host to a hostgroup, for example, I
>>> should reprint all access formulars for users with access to this
>>> hostgroup...
>>>
>>> I was wondering if it was possible to develop a feature that would allow
>>> one to select a user(s) from GUI and generate a csv/pdf/whatever file
>>> with all direct and indirect memberships/access for HBAC, groups and
>>> sudo-rule for the selected user(s).
>>>
>>> Maybe a first step would be to script something around ipa CLI commands
>>> (not sure if possible to dig into HBAC and groups from CLI though).
>>>
>>> What are your thoughts on such a need? Am I the only one wanting to export
>>> my users' privileges directly from the software managing these privileges?
>>>
>>> Regards,
>>> Florian
>>>
>>
>> I'd recommend building a script to generate such a report, I'm not
>> really sure it's a feature that would fit directly into the core at this
>> state.
>>
>> You can access IPA's API directly using Python, which can be leveraged
>> to generate a report using a suitable Python library, such as reportlab.
>>
>> Using the API you will get access to all the information available to
>> you via the ipa command line tool.
>>
>> Examples of using Python API are available on the net, for example
>> here's one user's submission which landed on the list some time ago:
>>
>> https://github.com/firemanxbr/freeipa-tools/blob/master/freeipa.py
>>
>> API can be easily inspected in 4.2 using our new API browser:
>>
>> https://fedorahosted.org/freeipa/ticket/3129
>>
>> If you're on an older release, adding the -vv flag to any ipa command will do
>> the job as well.
>>
>> HTH,
>>
>> Tomas
>>
> 
> "ipa user-show USER --all" should show user and all group memberships,
> including special roles or permission in the RBAC.
> 
> I am not sure about finding respective HBAC or SUDO rules, hbac-find or
> sudorule-find does not offer searching by user. I am afraid that for current
> versions, raw "ldapsearch" would need to be used.
> 

I wrote a shell script (bash+awk) that "does the job" by using "ipa
user-show FOO" and looping over each hbac (ipa hbacrule-show), sudo (ipa
sudorule-show), and group (ipa group-show)... But it's ugly and really
dependent on the output of these commands.

As Tomas said, there is an API and I could probably do it from Python,
but I'm no dev so I'll stick with my poor man's script for the moment...

I was just hoping that this need would meet other people's needs and
hopefully justify the addition of a button in the GUI to export all
this information automagically... But I know it's a lot to ask, and
definitely not the top priority.

Florian
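Added example, not code from the thread or from the FreeIPA project: the membership-resolution logic that the report described above needs, written in Python and run over constructed sample entries. The entries are shaped like the 'result' dicts the IPA JSON-RPC API returns for user-show, group-show, hbacrule-find and sudorule-find with --all (attribute names memberof_group, memberuser_user, memberuser_group, usercategory, memberhost_host, memberhost_hostgroup, hostcategory); that shape and the sample values are my assumptions, and indirect group membership is computed here rather than read back from the server, so it works the same from ipalib results or from parsed CLI/ldapsearch output.

```python
import csv
import io
# Constructed sample entries (not real data), shaped like the 'result' dicts the IPA JSON-RPC
# API returns for user-show/group-show/hbacrule-find/sudorule-find --all: values are lists.
USER = {"uid": ["fcrouzat"], "memberof_group": ["devs"]}
GROUPS = {"devs": {"memberof_group": ["staff"]}, "staff": {}, "ops": {}}
HBAC = [
    {"cn": ["allow_all"], "usercategory": ["all"], "hostcategory": ["all"]},
    {"cn": ["staff_ssh"], "memberuser_group": ["staff"], "memberhost_hostgroup": ["webservers"]},
    {"cn": ["ops_only"], "memberuser_group": ["ops"], "memberhost_host": ["db1.example.test"]},
]
SUDO = [
    {"cn": ["devs_restart"], "memberuser_group": ["devs"], "memberhost_hostgroup": ["webservers"]},
    {"cn": ["root_direct"], "memberuser_user": ["fcrouzat"], "hostcategory": ["all"]},
]
def effective_groups(user, groups):
    """Direct groups plus every group reachable through nested group membership."""
    seen, todo = set(), list(user.get("memberof_group", []))
    while todo:
        g = todo.pop()
        if g not in seen:
            seen.add(g)
            todo.extend(groups.get(g, {}).get("memberof_group", []))
    return sorted(seen)

def applicable_rules(uid, ugroups, rules):
    """Rules reaching the user directly, via an effective group or usercategory=all -> hosts covered."""
    hits = {}
    for r in rules:
        if (r.get("usercategory") == ["all"] or uid in r.get("memberuser_user", [])
                or set(r.get("memberuser_group", [])) & set(ugroups)):
            # Host side of the rule: ALL, or explicit hosts plus @hostgroup members.
            hits[r["cn"][0]] = ["ALL"] if r.get("hostcategory") == ["all"] else sorted(
                r.get("memberhost_host", []) + ["@" + h for h in r.get("memberhost_hostgroup", [])])
    return dict(sorted(hits.items()))

def access_report(user, groups, hbac, sudo):
    uid, ugroups = user["uid"][0], effective_groups(user, groups)
    return {"uid": uid, "groups": ugroups, "hbac": applicable_rules(uid, ugroups, hbac),
            "sudo": applicable_rules(uid, ugroups, sudo)}

def report_csv(report):
    """One CSV row per group / HBAC rule / sudo rule: the sheet to print and sign off."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["uid", "kind", "name", "hosts"])
    rows = [("group", g, []) for g in report["groups"]]
    rows += [(k, n, h) for k in ("hbac", "sudo") for n, h in report[k].items()]
    w.writerows([report["uid"], k, n, " ".join(h)] for k, n, h in rows)
    return buf.getvalue()
```

Re-running it after a host or hostgroup change and diffing the CSV against the last signed copy shows exactly which users' sheets need reprinting.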