Description of problem:
More explanation is required on HBAC allow_all.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/hbac-rules.html
It says:
While access must be explicitly granted to users and hosts within the IdM domain, IdM servers are configured by default with an allow all access control rule which allows access for every host within the domain to every host within the domain.
To create an IdM server without the default allow all rule, run ipa-server-install with the --no_hbac_allow option.
This chapter needs to begin with an explanation that makes it clear that when setting up HBAC rules step one is to remove the default allow_all rule. And why you must do that.
Because it creates problems in understanding the functionality.
http://www.freeipa.org/page/Howto/HBAC_and_allow_all
The above link gives clear information about HBAC.
Comment 3, Aneta Šteflová Petrová, 2016-12-02 07:47:00 UTC
The documentation team will take a thorough look at the whole chapter and review it. We will pay special attention to allow_all to make sure the chapter explains its usage clearly.
One note: removing the rule should not be step 1 in an existing environment. For new installations in early stages it is mostly OK.
Removing it would prevent all managed users from logging in to IPA clients.
So the order should be:
1. define own HBAC rules
2. test them with HBAC test utility
3. disable allow_all HBAC rule
Comment 6, Aneta Šteflová Petrová, 2017-01-03 10:24:23 UTC
The updated chapter is now pending review.
Comment 7, Aneta Šteflová Petrová, 2017-01-30 12:45:37 UTC
The updated chapter has been reviewed and acked.
The chapter now clearly states what steps are required to configure HBAC:
1. Create HBAC rules
2. Test the new HBAC rules
3. Disable the default allow_all HBAC rule
Comment 10, Aneta Šteflová Petrová, 2017-03-14 09:36:00 UTC
The update is now available on the Customer Portal.