Bug 1784459 - [RFE] tlog does not allow to exclude some users from session recording
Summary: [RFE] tlog does not allow to exclude some users from session recording
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.1
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: 8.0
Assignee: jstephen
QA Contact: Scott Poore
Lucie Vařáková
URL:
Whiteboard: sync-to-jira
Depends On: 1881992
Blocks: 1877381
TreeView+ depends on / blocked
 
Reported: 2019-12-17 13:55 UTC by Hemant B Khot
Modified: 2021-05-18 15:04 UTC (History)
14 users (show)

Fixed In Version: sssd-2.4.0-1.el8
Doc Type: Enhancement
Doc Text:
.Support for `exclude_users` and `exclude_groups` with `scope=all` in SSSD session recording configuration Red Hat Enterprise 8.4 now provides new SSSD options for defining session recording for large lists of groups or users: . `exclude_users` + A comma-separated list of users to be excluded from recording, only applicable with the `scope=all` configuration option. . `exclude_groups` + A comma-separated list of groups, members of which should be excluded from recording. Only applicable with the `scope=all` configuration option. For more information, refer to the `sssd-session-recording` man page.
Clone Of:
: 1877381 (view as bug list)
Environment:
Last Closed: 2021-05-18 15:03:54 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 5089 0 None closed Enable exclusions in the sssd-session-recording configuration 2021-02-16 07:16:28 UTC

Comment 5 Alexey Tikhonov 2020-09-03 15:47:19 UTC 
Pushed PR: https://github.com/SSSD/sssd/pull/5248

* `master`
  * 733cafd72ee61cee34980da5825b5c09225e1b0f - MAN: Add SR exclude_users and exclude_groups options
  * d947ac7aff2e56c87347d41744b51edee8e13393 - INTG: Add session recording exclude tests
  * 19602d9a8e2e47e668e80d559f2a5a6af3cf97a6 - CACHE_REQ: Support SR exclude options
  * c51a9f6be14aa1ac5b5b685b11394488bf7fb685 - DP: Support SR excludes in initgroups postprocessing
  * 3a3be1cba1522fc43c2f174aff299b5901d9c4a7 - PAM: Rely on sessionRecording attribute
  * 38df7a3bbb872833c8f5278f055008a7c7fe95cd - NSS: Rely on sessionRecording attribute
  * 0049ec8554f489414069ffbfde693fc9577db602 - UTIL: Add support for SR exclude_users exclude_groups
  * a4af77e08bfa967ba21b789270681e29cc2f370a - CONFIG: Add SR exclude_users exclude_groups options
Comment 13 Scott Poore 2020-11-30 18:47:54 UTC 
Verified.

Version ::

sssd-2.4.0-2.el8

Results ::

Verified with automated test run:

2020-11-28T18:07:49+0000 ============================= test session starts ==============================
...
2020-11-28T18:07:50+0000 collecting ... collected 9 items
2020-11-28T18:07:50+0000 
2020-11-28T18:07:50+0000 pytest/session_recording/test_session_recording.py::Test_SssdSessionRecording::test_sssd_record_some_users_and_groups_only 
2020-11-28T18:07:50+0000 -------------------------------- live log setup --------------------------------
2020-11-28T18:07:50+0000 [paramiko.transport] INFO Connected (version 2.0, client OpenSSH_8.0)
2020-11-28T18:07:50+0000 [paramiko.transport] INFO Authentication (publickey) successful!
2020-11-28T18:15:51+0000 [paramiko.transport.sftp] INFO [chan 30] Opened sftp connection (server version 3)
2020-11-28T18:19:34+0000 PASSED                                                                   [ 11%]
2020-11-28T18:24:52+0000 pytest/session_recording/test_session_recording.py::Test_SssdSessionRecording::test_sssd_record_no_users_with_users_and_groups_empty PASSED [ 22%]
2020-11-28T18:30:10+0000 pytest/session_recording/test_session_recording.py::Test_SssdSessionRecording::test_sssd_record_no_users_or_groups PASSED [ 33%]
2020-11-28T18:35:29+0000 pytest/session_recording/test_session_recording.py::Test_SssdSessionRecording::test_sssd_record_no_users_with_no_scope_defined PASSED [ 44%]
2020-11-28T18:38:17+0000 pytest/session_recording/test_session_recording.py::Test_SssdSessionRecording::test_sssd_record_all_with_users_and_groups_defined PASSED [ 55%]
2020-11-28T18:41:05+0000 pytest/session_recording/test_session_recording.py::Test_SssdSessionRecording::test_sssd_record_all_without_users_and_groups_defined PASSED [ 66%]
2020-11-28T18:43:21+0000 pytest/session_recording/test_session_recording.py::Test_SssdSessionRecording::test_sssd_record_users_with_different_shells PASSED [ 77%]
2020-11-28T18:46:53+0000 pytest/session_recording/test_session_recording.py::Test_SssdSessionRecording::test_sssd_record_all_exclude_users_and_groups PASSED [ 88%]
2020-11-28T18:50:35+0000 pytest/session_recording/test_session_recording.py::Test_SssdSessionRecording::test_sssd_record_some_excludes_ignored PASSED [100%]
2020-11-28T18:50:35+0000 
2020-11-28T18:50:35+0000 ------ generated xml file: /home/jenkins/tews/session_recording/junit.xml ------
2020-11-28T18:50:35+0000 - generated html file: file:///home/jenkins/tews/session_recording/report.html -
2020-11-28T18:50:35+0000 ========================= 9 passed in 2565.94 seconds ==========================

Important test cases above for this are:

pytest/session_recording/test_session_recording.py::Test_SssdSessionRecording::test_sssd_record_all_exclude_users_and_groups
pytest/session_recording/test_session_recording.py::Test_SssdSessionRecording::test_sssd_record_some_excludes_ignored

Both passed so marking this Verified.
Comment 20 errata-xmlrpc 2021-05-18 15:03:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1666
Note You need to log in before you can comment on or make changes to this bug.