Bug 1272214

Summary: [RFE] Create a local per system report about who can access that IDM client (attestation)
Product: Red Hat Enterprise Linux 7
Reporter: Jakub Hrozek <jhrozek>
Component: sssd
Assignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.0
CC: atolani, cobrown, dpal, dsirrine, enewland, fcami, fidencio, grajaiya, jfenal, jgalipea, jhrozek, lslebodn, maygupta, mkosek, mzidek, pbrezina, sgoveas
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Flags: dsirrine: needinfo+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: sssd-1.16.0-7.el7
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-04-10 17:09:10 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1467835

Description Jakub Hrozek 2015-10-15 19:09:17 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2840

Use case:

As an owner of a system I need to know which users have access to a host. I want to run something on the host and get a report who can access it.
The report must contain information about HBAC, but a SUDO report would also be beneficial. This would allow me to pass audits and make sure that the right people have the right access to systems and applications.

Idea:
Create a utility that would trigger a one-time enumeration, populate the caches and run a report against the cache. That would actually solve two problems:
 a. Priming of the cache with the full database
 b. Actually creating a report based on the cached data

We see several inquiries about this capability in recent days.

Comment 5 Jakub Hrozek 2016-11-28 10:36:19 UTC
I agree this is a nice RFE, but I also think we should implement the critical enhancements first.

Comment 6 Mayur 2017-02-17 06:57:18 UTC
Hello Team, 

Do we have any update on this RFE ? 

Regards

Mayur Gupta

Comment 7 Jakub Hrozek 2017-02-17 07:44:32 UTC
(In reply to Mayur from comment #6)
> Hello Team, 
> 
> Do we have any update on this RFE ? 
> 
> Regards
> 
> Mayur Gupta

Not at this point, it's still a stretch goal for 7.4

Comment 21 Martin Kosek 2017-09-19 11:29:36 UTC
Note that the topic of IdM attestation report was split to 3 RFEs:
* Bug 1272214: [RFE] Create a local per system report about who can access that system (attestation) (included in SSSD)
* Bug 1491802 - [RFE] Central report who can run which sudo commands on which systems (attestation) (included in IdM Server)
* Bug 1492993 - [RFE] Central report that will show who can access which systems (attestation) (included in IdM Server)

Comment 22 Martin Kosek 2017-09-19 11:35:23 UTC
Proposed user story for this client part:

As an owner of a system I need to know which users have access to a host. I want to run something on the host and get a report who can access it via which means and services.

Comment 23 Jakub Hrozek 2017-09-19 13:37:15 UTC
(In reply to Martin Kosek from comment #22)
> Proposed user story for this client part:
> 
> As an owner of a system I need to know which users have access to a host. I
> want to run something on the host and get a report who can access it via
> which means and services.

At the same time, I think it makes much more sense to concentrate on the server-side report at least for 7.5 (if we can still make it..), I think the client-side report has much less value in a centralized environment.

Comment 36 Fabiano Fidêncio 2017-11-27 20:50:21 UTC
The correct hashes are ...
- master:
* be804178d5e5fee64be2b080e73f4ce7b0074f76
* c6cf752337f5977ce3753b7113dc1a2342c86319
* 2754a8dcfa937d45b024a2e57419248bfd4c4919
* e737cdfa225e0d455c0e574bcb82c2cc16a17d9d
* 6211a202301e6f61d46cdb2bf0be332a70c7fdea
* 3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8

Comment 38 Dan Lavu 2017-12-14 13:13:05 UTC
Verified against sssd-1.16.0-11.el7.x86_64. 


[root@vm-idm-013 db]# sssctl access-report
Missing option: Specify domain name.

Usage: sssctl access-report DOMAIN [OPTIONS...]

Command options:

Help options:
  -?, --help     Show this help message
  --usage        Display brief usage message

[root@vm-idm-013 db]# sssctl access-report testrelm.test
1 rules cached

Rule name: allow_all
	User category: all
	Service category: all
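
The verification above shows the report format the fix produces: a "N rules cached" header followed by one "Rule name:" block per cached HBAC rule with indented "Key: value" lines. The following is an added example (not code from SSSD, Red Hat, or anyone in this thread) that turns that text into structured records for an audit and flags the case an attestation reviewer cares about most: a rule with both "User category: all" and "Service category: all", which is what IdM's default allow_all rule looks like and means the host is not restricting anyone. The sample report is constructed from the output in comment 38; the second rule, its field names ("Users", "Services"), and the assumption that any further fields follow the same indented "Key: value" layout are assumptions made for the example, not behaviour documented on this page.

```python
"""Parse `sssctl access-report DOMAIN` output into rule records and flag
rules that grant every user access to every service.

Added example, not SSSD's own code. The sample report below is constructed:
the first rule reproduces the output shown in comment 38 (IdM's default
allow_all rule); the second rule and its field names are invented to
exercise the parser.
"""
import re
from typing import Dict, List, Optional

# Constructed sample input (see module docstring).
SAMPLE_REPORT = """\
2 rules cached

Rule name: allow_all
\tUser category: all
\tService category: all

Rule name: admins_ssh
\tUsers: admin, auditor
\tServices: sshd
"""

_HEADER = re.compile(r"^(\d+) rules? cached$")


def cached_rule_count(text: str) -> int:
    """Return the count from the 'N rules cached' header, or -1 if absent."""
    for raw in text.splitlines():
        m = _HEADER.match(raw.strip())
        if m:
            return int(m.group(1))
    return -1


def parse_access_report(text: str) -> List[Dict[str, str]]:
    """Return one dict per 'Rule name:' block.

    Every indented 'Key: value' line that follows a rule name is stored
    under its key; keys other than the three shown in comment 38 are an
    assumption about the format, and unknown keys are kept verbatim.
    """
    rules: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or _HEADER.match(line):
            continue
        if line.startswith("Rule name:"):
            current = {"Rule name": line.split(":", 1)[1].strip()}
            rules.append(current)
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
    return rules


def find_permissive_rules(rules: List[Dict[str, str]]) -> List[str]:
    """Names of rules with user category AND service category set to 'all'.

    Such a rule allows any user to reach any service on this host, so it
    should be the first finding in an access attestation.
    """
    return [
        r["Rule name"]
        for r in rules
        if r.get("User category", "").lower() == "all"
        and r.get("Service category", "").lower() == "all"
    ]


def check_report(text: str) -> Dict[str, object]:
    """Parse a report and cross-check it for an audit.

    'count_matches_header' is False when the number of parsed rules differs
    from the header; the report only covers what is in the SSSD cache, so
    a mismatch (or a suspiciously low count) is a hint that the cache was
    not primed before the report was run.
    """
    rules = parse_access_report(text)
    return {
        "rules": rules,
        "count_matches_header": cached_rule_count(text) == len(rules),
        "permissive": find_permissive_rules(rules),
    }


if __name__ == "__main__":
    # On a real client, feed the stdout of `sssctl access-report DOMAIN`
    # (e.g. via subprocess.run) instead of the constructed sample.
    import json
    print(json.dumps(check_report(SAMPLE_REPORT), indent=2))
```

The parser deliberately keys on the report's own "Rule name:" lines rather than on a fixed set of fields, so extra per-rule lines are preserved for the auditor rather than silently dropped; the only hard-coded interpretation is the "all"/"all" check, which is the one outcome that makes the rest of the report moot.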

Comment 39 Lukas Slebodnik 2017-12-21 18:34:55 UTC
(In reply to Dan Lavu from comment #38)
> Verified against sssd-1.16.0-11.el7.x86_64. 
> 
> 
> [root@vm-idm-013 db]# sssctl access-report
> Missing option: Specify domain name.
> 
> Usage: sssctl access-report DOMAIN [OPTIONS...]
> 
> Command options:
> 
> Help options:
>   -?, --help     Show this help message
>   --usage        Display brief usage message
> 
> [root@vm-idm-013 db]# sssctl access-report testrelm.test
> 1 rules cached
> 
> Rule name: allow_all
> 	User category: all
> 	Service category: all

I hope there will be more cases covered in integration test :-)

Comment 42 errata-xmlrpc 2018-04-10 17:09:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0929