Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1784459

Summary: [RFE] tlog does not allow to exclude some users from session recording
Product: Red Hat Enterprise Linux 8 Reporter: Hemant B Khot <hkhot>
Component: sssdAssignee: jstephen
Status: CLOSED ERRATA QA Contact: Scott Poore <spoore>
Severity: medium Docs Contact: Lucie Vařáková <lmanasko>
Priority: medium    
Version: 8.1CC: atikhono, dlavu, dpal, elpereir, grajaiya, jhrozek, jstephen, lmanasko, lslebodn, mzidek, pbrezina, sbose, spoore, tscherf
Target Milestone: rcKeywords: FutureFeature
Target Release: 8.0Flags: pm-rhel: mirror+
Hardware: All   
OS: Linux   
Whiteboard: sync-to-jira
Fixed In Version: sssd-2.4.0-1.el8 Doc Type: Enhancement
Doc Text:
.Support for `exclude_users` and `exclude_groups` with `scope=all` in SSSD session recording configuration Red Hat Enterprise 8.4 now provides new SSSD options for defining session recording for large lists of groups or users: . `exclude_users` + A comma-separated list of users to be excluded from recording, only applicable with the `scope=all` configuration option. . `exclude_groups` + A comma-separated list of groups, members of which should be excluded from recording. Only applicable with the `scope=all` configuration option. For more information, refer to the `sssd-session-recording` man page.
 Story Points: ---
Clone Of:
: 1877381 (view as bug list) Environment:
Last Closed: 2021-05-18 15:03:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1881992    
Bug Blocks: 1877381    

Comment 5 Alexey Tikhonov 2020-09-03 15:47:19 UTC 
Pushed PR: https://github.com/SSSD/sssd/pull/5248

* `master`
  * 733cafd72ee61cee34980da5825b5c09225e1b0f - MAN: Add SR exclude_users and exclude_groups options
  * d947ac7aff2e56c87347d41744b51edee8e13393 - INTG: Add session recording exclude tests
  * 19602d9a8e2e47e668e80d559f2a5a6af3cf97a6 - CACHE_REQ: Support SR exclude options
  * c51a9f6be14aa1ac5b5b685b11394488bf7fb685 - DP: Support SR excludes in initgroups postprocessing
  * 3a3be1cba1522fc43c2f174aff299b5901d9c4a7 - PAM: Rely on sessionRecording attribute
  * 38df7a3bbb872833c8f5278f055008a7c7fe95cd - NSS: Rely on sessionRecording attribute
  * 0049ec8554f489414069ffbfde693fc9577db602 - UTIL: Add support for SR exclude_users exclude_groups
  * a4af77e08bfa967ba21b789270681e29cc2f370a - CONFIG: Add SR exclude_users exclude_groups options
Comment 13 Scott Poore 2020-11-30 18:47:54 UTC 
Verified.

Version ::

sssd-2.4.0-2.el8

Results ::

Verified with automated test run:

2020-11-28T18:07:49+0000 ============================= test session starts ==============================
...
2020-11-28T18:07:50+0000 collecting ... collected 9 items
2020-11-28T18:07:50+0000 
2020-11-28T18:07:50+0000 pytest/session_recording/test_session_recording.py::Test_SssdSessionRecording::test_sssd_record_some_users_and_groups_only 
2020-11-28T18:07:50+0000 -------------------------------- live log setup --------------------------------
2020-11-28T18:07:50+0000 [paramiko.transport] INFO Connected (version 2.0, client OpenSSH_8.0)
2020-11-28T18:07:50+0000 [paramiko.transport] INFO Authentication (publickey) successful!
2020-11-28T18:15:51+0000 [paramiko.transport.sftp] INFO [chan 30] Opened sftp connection (server version 3)
2020-11-28T18:19:34+0000 PASSED                                                                   [ 11%]
2020-11-28T18:24:52+0000 pytest/session_recording/test_session_recording.py::Test_SssdSessionRecording::test_sssd_record_no_users_with_users_and_groups_empty PASSED [ 22%]
2020-11-28T18:30:10+0000 pytest/session_recording/test_session_recording.py::Test_SssdSessionRecording::test_sssd_record_no_users_or_groups PASSED [ 33%]
2020-11-28T18:35:29+0000 pytest/session_recording/test_session_recording.py::Test_SssdSessionRecording::test_sssd_record_no_users_with_no_scope_defined PASSED [ 44%]
2020-11-28T18:38:17+0000 pytest/session_recording/test_session_recording.py::Test_SssdSessionRecording::test_sssd_record_all_with_users_and_groups_defined PASSED [ 55%]
2020-11-28T18:41:05+0000 pytest/session_recording/test_session_recording.py::Test_SssdSessionRecording::test_sssd_record_all_without_users_and_groups_defined PASSED [ 66%]
2020-11-28T18:43:21+0000 pytest/session_recording/test_session_recording.py::Test_SssdSessionRecording::test_sssd_record_users_with_different_shells PASSED [ 77%]
2020-11-28T18:46:53+0000 pytest/session_recording/test_session_recording.py::Test_SssdSessionRecording::test_sssd_record_all_exclude_users_and_groups PASSED [ 88%]
2020-11-28T18:50:35+0000 pytest/session_recording/test_session_recording.py::Test_SssdSessionRecording::test_sssd_record_some_excludes_ignored PASSED [100%]
2020-11-28T18:50:35+0000 
2020-11-28T18:50:35+0000 ------ generated xml file: /home/jenkins/tews/session_recording/junit.xml ------
2020-11-28T18:50:35+0000 - generated html file: file:///home/jenkins/tews/session_recording/report.html -
2020-11-28T18:50:35+0000 ========================= 9 passed in 2565.94 seconds ==========================

Important test cases above for this are:

pytest/session_recording/test_session_recording.py::Test_SssdSessionRecording::test_sssd_record_all_exclude_users_and_groups
pytest/session_recording/test_session_recording.py::Test_SssdSessionRecording::test_sssd_record_some_excludes_ignored

Both passed so marking this Verified.
Comment 20 errata-xmlrpc 2021-05-18 15:03:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1666