Bug 826748

Summary: [RFE] Improve HBAC usability by preventing potential lockout
Product: Red Hat Enterprise Linux 7 Reporter: Dmitri Pal <dpal>
Component: ipaAssignee: Martin Kosek <mkosek>
Status: CLOSED WONTFIX QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.0CC: jgalipea, mkosek
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-02-19 12:03:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dmitri Pal 2012-05-30 21:49:09 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/2263

We currently have one HBAC rule that allows all access. To define a set of rules for the set of the dedicated machines, say web servers of DB hosts one has to tern it off and define riles for the machines he is interested in. But he also needs to define the rule for the rest of the machines or at least for IPA server otherwise even admins would be prevented from logging into IPA hosts. To prevent this situation I suggest in addition to existing HBAC rule we should add another default rule that would allow administrator's group access to the IPA replicas. This means that we also need to have a default and automatically populated host group called "IdM Servers" (or like). This host group should be automatically maintained (replicas should be added to it) when they are prepared or installed (TBD when it is better to do it).

The scope of work:
 1. Have a default host group for replicas created when the first IPA server is installed
 2. Host group is automatically updated when replicas are added. Replica removal might be left to administrator
 3. Have a default HBAC rule that would allow Admin user group full access to the host group defined above.
Comment 2 Martin Kosek 2016-02-19 12:03:59 UTC 
Thank you taking your time and submitting this request for Red Hat Enterprise Linux. The request was cloned to the upstream tracker long time ago (see link to the upstream ticket above), but it was unfortunately not given a priority neither in the upstream project, nor in Red Hat Enterprise Linux.

Given that this request is not planned for a close release, it is highly unlikely it will be fixed in this major version of Red Hat Enterprise Linux. We are therefore closing the request as WONTFIX.

To request that Red Hat reconsiders the decision, please reopen the Bugzilla with the help of Red Hat Customer Service and provide additional business and/or technical details about it's importance to you. Please note that you can still track this request or even offer help in the referred upstream Trac ticket to expedite the solution.