Bug 1272214 - [RFE] Create a local per system report about who can access that IDM client (attestation)
Status: VERIFIED
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd (Show other bugs)
Version: 7.0
Hardware / OS: Unspecified / Unspecified
Priority: medium  Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: SSSD Maintainers
QA Contact: Dan Lavu
Keywords: FutureFeature
Depends On:
Blocks: 1467835
Reported: 2015-10-15 15:09 EDT by Jakub Hrozek
Modified: 2017-12-21 13:34 EST (History)
CC: 16 users

See Also:
Fixed In Version: sssd-1.16.0-7.el7
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Flags: dsirrine: needinfo+


Attachments: None
Description Jakub Hrozek 2015-10-15 15:09:17 EDT
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2840

Use case:

As an owner of a system I need to know which users have access to a host. I want to run something on the host and get a report who can access it.
The reports must contain information about HBAC, but a SUDO report would also be beneficial. This would allow me to pass audits and make sure that the right people have the right access to systems and applications.

Idea:
Create a utility that would trigger one-time enumeration, populate caches and run a report against the cache. That would actually solve two problems:
 a. Priming of the cache with the full database
 b. Actually creating a report based on the cached data

We see several inquiries about this capability in recent days.
Comment 5 Jakub Hrozek 2016-11-28 05:36:19 EST
I agree this is a nice RFE, but I also think we should implement the critical enhancements first.
Comment 6 Mayur 2017-02-17 01:57:18 EST
Hello Team, 

Do we have any update on this RFE?

Regards

Mayur Gupta
Comment 7 Jakub Hrozek 2017-02-17 02:44:32 EST
(In reply to Mayur from comment #6)
> Hello Team, 
> 
> Do we have any update on this RFE ? 
> 
> Regards
> 
> Mayur Gupta

Not at this point, it's still a stretch goal for 7.4
Comment 21 Martin Kosek 2017-09-19 07:29:36 EDT
Note that the topic of IdM attestation report was split to 3 RFEs:
* Bug 1272214: [RFE] Create a local per system report about who can access that system (attestation) (included in SSSD)
* Bug 1491802 - [RFE] Central report who can run which sudo commands on which systems (attestation) (included in IdM Server)
* Bug 1492993 - [RFE] Central report that will show who can access which systems (attestation) (included in IdM Server)
Comment 22 Martin Kosek 2017-09-19 07:35:23 EDT
Proposed user story for this client part:

As an owner of a system I need to know which users have access to a host. I want to run something on the host and get a report who can access it via which means and services.
Comment 23 Jakub Hrozek 2017-09-19 09:37:15 EDT
(In reply to Martin Kosek from comment #22)
> Proposed user story for this client part:
> 
> As an owner of a system I need to know which users have access to a host. I
> want to run something on the host and get a report who can access it via
> which means and services.

At the same time, I think it makes much more sense to concentrate on the server-side report at least for 7.5 (if we can still make it..), I think the client-side report has much less value in a centralized environment.
Comment 36 Fabiano Fidêncio 2017-11-27 15:50:21 EST
The correct hashes are ...
- master:
* be804178d5e5fee64be2b080e73f4ce7b0074f76
* c6cf752337f5977ce3753b7113dc1a2342c86319
* 2754a8dcfa937d45b024a2e57419248bfd4c4919
* e737cdfa225e0d455c0e574bcb82c2cc16a17d9d
* 6211a202301e6f61d46cdb2bf0be332a70c7fdea
* 3ee8659bc6a77a78bc6c61b9650a36bd18ea95c8
Comment 38 Dan Lavu 2017-12-14 08:13:05 EST
Verified against sssd-1.16.0-11.el7.x86_64. 


[root@vm-idm-013 db]# sssctl access-report
Missing option: Specify domain name.

Usage: sssctl access-report DOMAIN [OPTIONS...]

Command options:

Help options:
  -?, --help     Show this help message
  --usage        Display brief usage message

[root@vm-idm-013 db]# sssctl access-report testrelm.test
1 rules cached

Rule name: allow_all
	User category: all
	Service category: all
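The report above is plain text meant for a human, but an auditor who has to attest access on many hosts will want it in structured form. The following Python is an added example (not part of SSSD or this bug) that parses output shaped like the `sssctl access-report` text shown in comment 38 and flags rules that match every user and every service. The sample report is constructed here; its second rule and its `Users:` / `Services:` lines are assumptions for the sake of the example and are not taken from this page.

```python
"""Parse `sssctl access-report`-style text into rules and flag the broad ones.

Added example code, not part of SSSD. The format handled is the one visible
in the bug report: a "N rules cached" line, then blocks that start with
"Rule name: <name>" followed by indented "<Key>: <value>" lines.
"""
import re

# Constructed sample modelled on the output in comment 38. The second rule
# (admins_ssh) and its Users/Services lines are invented for illustration.
SAMPLE_REPORT = """\
2 rules cached

Rule name: allow_all
\tUser category: all
\tService category: all

Rule name: admins_ssh
\tUsers: admin, ops
\tServices: sshd
"""

COUNT_RE = re.compile(r"^(\d+) rules? cached$")
RULE_RE = re.compile(r"^Rule name: (.+)$")
FIELD_RE = re.compile(r"^\s+([^:]+): (.*)$")


def parse_access_report(text):
    """Return (declared_rule_count, [rule dicts]) for report text.

    Each rule dict has a "name" key plus one key per indented field, with the
    field label lower-cased and spaces replaced by underscores
    (e.g. "User category" -> "user_category").
    """
    rules = []
    current = None
    declared_count = None
    for line in text.splitlines():
        m = COUNT_RE.match(line)
        if m:
            declared_count = int(m.group(1))
            continue
        m = RULE_RE.match(line)
        if m:
            current = {"name": m.group(1).strip()}
            rules.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            key = m.group(1).strip().lower().replace(" ", "_")
            current[key] = m.group(2).strip()
    return declared_count, rules


def overly_broad_rules(rules):
    """Names of rules that apply to every user on every service.

    Such a rule means the host's HBAC effectively imposes no restriction,
    which is usually the first thing an access attestation should surface.
    """
    return [
        r["name"]
        for r in rules
        if r.get("user_category") == "all" and r.get("service_category") == "all"
    ]


def count_mismatch(declared_count, rules):
    """True if the header count disagrees with the number of rules parsed.

    A mismatch suggests the report was truncated or the format changed, so
    the audit result should not be trusted without a second look.
    """
    return declared_count is not None and declared_count != len(rules)


if __name__ == "__main__":
    count, parsed = parse_access_report(SAMPLE_REPORT)
    print(f"{len(parsed)} rules parsed (header says {count})")
    for name in overly_broad_rules(parsed):
        print(f"FINDING: rule {name!r} grants all users access to all services")
    if count_mismatch(count, parsed):
        print("WARNING: rule count in header does not match parsed rules")
```

Run it against the captured output of `sssctl access-report DOMAIN` on each host; the `allow_all` rule from comment 38 is exactly the kind of entry the `overly_broad_rules` check is meant to surface for review.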
Comment 39 Lukas Slebodnik 2017-12-21 13:34:55 EST
(In reply to Dan Lavu from comment #38)
> Verified against sssd-1.16.0-11.el7.x86_64. 
> 
> 
> [root@vm-idm-013 db]# sssctl access-report
> Missing option: Specify domain name.
> 
> Usage: sssctl access-report DOMAIN [OPTIONS...]
> 
> Command options:
> 
> Help options:
>   -?, --help     Show this help message
>   --usage        Display brief usage message
> 
> [root@vm-idm-013 db]# sssctl access-report testrelm.test
> 1 rules cached
> 
> Rule name: allow_all
> 	User category: all
> 	Service category: all

I hope there will be more cases covered in integration test :-)
