Bug 1400666

Summary: Review and update HBAC chapter
Product: Red Hat Enterprise Linux 7 Reporter: Hemant B Khot <hkhot>
Component: doc-Linux_Domain_Identity_Management_GuideAssignee: Aneta Šteflová Petrová <apetrova>
Status: CLOSED CURRENTRELEASE QA Contact: Namita Soman <nsoman>
Severity: medium Docs Contact:
Priority: high    
Version: 7.0CC: mbasti, pvoborni, rcritten, rhel-docs
Target Milestone: rcKeywords: Documentation
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-03-14 09:36:00 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Hemant B Khot 2016-12-01 18:20:48 UTC 
Description of problem:

More explanation required on HBAC -allow_all .

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/hbac-rules.html

It says:
While access must be explicitly granted to users and hosts within the IdM domain, IdM servers are configured by default with an allow all access control rule which allows access for every host within the domain to every host within the domain.
To create an IdM server without the default allow all rule, run ipa-server-install with the --no_hbac_allow option. 

This chapter needs to begin with an explanation that makes it clear that when setting up HBAC rules step one is to remove the default allow_all rule. And why you must do that.

Because it creates problem to understand the functionality.

http://www.freeipa.org/page/Howto/HBAC_and_allow_all 
The above link give clear information about HBAC,
Comment 3 Aneta Šteflová Petrová 2016-12-02 07:47:00 UTC 
The documentation team will take a thorough look at the whole chapter and review it. We will pay special attention to allow_all to make sure the chapter explains its usage clearly.
Comment 4 Petr Vobornik 2016-12-02 09:33:07 UTC 
One note, removing the rule should not be a step 1 in existing environment. For new installations in early stages it is mostly OK.

Removing would prevent all managed users to login to IPA clients.

So the order should be:

1. define own HBAC rules
2. test them with HBAC test utility
3. disable allow_all HBAC rule
Comment 6 Aneta Šteflová Petrová 2017-01-03 10:24:23 UTC 
The updated chapter is now pending review.
Comment 7 Aneta Šteflová Petrová 2017-01-30 12:45:37 UTC 
The updated chapter has been reviewed and acked.

The chapter now clearly states what steps are required to configure HBAC:
1. Create HBAC rules
2. Test the new HBAC rules
3. Disable the default allow_all HBAC rule
Comment 10 Aneta Šteflová Petrová 2017-03-14 09:36:00 UTC 
The update is now available on the Customer Portal.