[Freeipa-devel] Exporting users "access formulars"

Martin Kosek mkosek at redhat.com
Wed Aug 5 12:45:06 UTC 2015


On 08/05/2015 02:39 PM, Florian Crouzat wrote:
> On 08/05/2015 02:32 PM, Martin Kosek wrote:
>> On 08/05/2015 12:53 PM, Tomas Babej wrote:
>>>
>>>
>>> On 08/04/2015 03:13 PM, Florian Crouzat wrote:
>>>> Hey,
>>>>
>>>> For security reasons (mostly PCI-DSS) I have to print and sign off an access
>>>> formular for every user, and also maintain these formulars over time,
>>>> which means that every time I add a host to a hostgroup, for example, I
>>>> should reprint all access formulars for users with access to this
>>>> hostgroup...
>>>>
>>>> I was wondering if it was possible to develop a feature that would allow
>>>> one to select a user (or users) from the GUI and generate a csv/pdf/whatever file
>>>> with all direct and indirect memberships/access for HBAC, groups and
>>>> sudo rules for the selected user(s).
>>>>
>>>> Maybe a first step would be to script something around ipa CLI commands
>>>> (not sure if it is possible to dig into HBAC and groups from the CLI though).
>>>>
>>>> What are your thoughts on such a need? Am I the only one wanting to export
>>>> my users' privileges directly from the software managing these privileges?
>>>>
>>>> Regards,
>>>> Florian
>>>>
>>>
>>> I'd recommend building a script to generate such a report; I'm not
>>> really sure it's a feature that would fit directly into the core at this
>>> stage.
>>>
>>> You can access IPA's API directly using Python, which can be leveraged
>>> to generate a report using a suitable Python library, such as reportlab.
>>>
>>> Using the API you will get access to all the information available to
>>> you via the ipa command line tool.
>>>
>>> Examples of using the Python API are available on the net; for example,
>>> here's one user's submission which landed on the list some time ago:
>>>
>>> https://github.com/firemanxbr/freeipa-tools/blob/master/freeipa.py
>>>
>>> The API can be easily inspected in 4.2 using our new API browser:
>>>
>>> https://fedorahosted.org/freeipa/ticket/3129
>>>
>>> If you're on an older release, adding the -vv flag to any ipa command will do
>>> the job as well.
>>>
>>> HTH,
>>>
>>> Tomas
>>>
>>
>> "ipa user-show USER --all" should show user and all group memberships,
>> including special roles or permission in the RBAC.
>>
>> I am not sure about finding the respective HBAC or SUDO rules; hbac-find or
>> sudorule-find do not offer searching by user. I am afraid that for current
>> versions, a raw "ldapsearch" would need to be used.
>>
> 
> I wrote a shell script (bash+awk) that "does the job" by using "ipa
> user-show FOO" and looping over each hbac (ipa hbacrule-show), sudo (ipa
> sudorule-show), and group (ipa group-show) ... But it's ugly and really
> dependent on the output of these commands.

Right, this is not ideal and you may hit speed problems when you have hundreds
of SUDO or HBAC rules. So as I said, it may be better to do an "ldapsearch" with
a proper filter to find all SUDO/HBAC rules for a given user, get the name of
such a rule, and show it with the "show" command if needed.

> As Tomas said, there is an API and I could probably do it from Python,
> but I'm no dev so I'll stick to my poor man's script for the moment...
> 
> I was just hoping that this need would meet other people's needs and
> hopefully justify the addition of a button in the GUI to export all
> this information automagically... But I know it's a lot to ask, and
> definitely not the top priority.
> 
> Florian
> 
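Added example (not code from the thread or from the FreeIPA project) of the approach Martin describes: build one LDAP filter that selects the HBAC or sudo rules applying to a given user, then re-check the returned entries client-side so the report can state why each rule applies. It assumes the stock FreeIPA tree layout (users under cn=users,cn=accounts, groups under cn=groups,cn=accounts, rules in cn=hbac and cn=sudorules,cn=sudo referencing them through memberUser or userCategory=all) and an IPA-style name pattern; SUFFIX and SAMPLE_RULES are constructed placeholders.

```python
import re

SUFFIX = "dc=example,dc=test"   # placeholder base DN: substitute your realm's

def safe_name(name):
    """IPA user/group names are [A-Za-z0-9_.-]; refuse anything else so a name
    cannot smuggle '(' ')' '*' or '\\' into the filter (pattern is an assumption)."""
    if not re.fullmatch(r"[A-Za-z0-9_.][A-Za-z0-9_.-]*", name):
        raise ValueError(f"unsafe name: {name!r}")
    return name

def user_dn(uid): return f"uid={safe_name(uid)},cn=users,cn=accounts,{SUFFIX}"
def group_dn(cn): return f"cn={safe_name(cn)},cn=groups,cn=accounts,{SUFFIX}"

def rule_filter(uid, groups, objectclass="ipahbacrule"):
    """Enabled rules naming the user, any of its groups, or everyone. `groups` is
    the direct + indirect group list from `ipa user-show UID --all`. Feed it to
    `ldapsearch -LLL -Y GSSAPI -o ldif-wrap=no -b cn=hbac,SUFFIX <filter>`; for
    sudo use objectclass="ipasudorule" and base cn=sudorules,cn=sudo,SUFFIX."""
    dns = [user_dn(uid)] + [group_dn(g) for g in groups]
    members = "".join(f"(memberUser={d})" for d in dns)
    return f"(&(objectClass={objectclass})(ipaEnabledFlag=TRUE)(|(userCategory=all){members}))"

def matching_rules(entries, uid, groups):
    """Re-apply the filter's logic client-side so the report can say WHY a rule
    applies. `entries`: one dict per rule, lowercase attribute -> list of values."""
    why = {user_dn(uid).lower(): f"user {uid}"}
    why.update({group_dn(g).lower(): f"group {g}" for g in groups})
    hits = {}
    for e in entries:
        if e.get("ipaenabledflag", [""])[0].upper() != "TRUE":
            continue                                   # disabled rules grant nothing
        if "all" in e.get("usercategory", []):
            hits[e["cn"][0]] = "userCategory=all"      # applies to every user
        else:                                          # DNs compare case-insensitively
            reasons = [why[d.lower()] for d in e.get("memberuser", []) if d.lower() in why]
            if reasons:
                hits[e["cn"][0]] = reasons[0]
    return hits

# Constructed stand-in for parsed ldapsearch output of the HBAC container.
SAMPLE_RULES = [
    {"cn": ["allow_ssh_admins"], "ipaenabledflag": ["TRUE"],
     "memberuser": ["cn=sysadmins,cn=groups,cn=accounts,dc=example,dc=test"]},
    {"cn": ["allow_all"], "ipaenabledflag": ["TRUE"], "usercategory": ["all"]},
    {"cn": ["old_rule"], "ipaenabledflag": ["FALSE"],
     "memberuser": ["uid=alice,cn=users,cn=accounts,dc=example,dc=test"]},
]
```

One server round trip per user replaces the per-rule `hbacrule-show` loop, and the same `rule_filter` works for sudo rules with the other object class and base.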