Bug 826748 - [RFE] Improve HBAC usability by preventing potential lockout
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Martin Kosek
QA Contact: IDM QE LIST
Keywords: FutureFeature
Reported: 2012-05-30 17:49 EDT by Dmitri Pal
Modified: 2016-02-19 07:03 EST
Doc Type: Enhancement
Last Closed: 2016-02-19 07:03:59 EST
Description Dmitri Pal 2012-05-30 17:49:09 EDT
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/2263

We currently have one HBAC rule that allows all access. To define a set of rules for the set of the dedicated machines, say web servers or DB hosts, one has to turn it off and define rules for the machines he is interested in. But he also needs to define the rule for the rest of the machines, or at least for the IPA server; otherwise even admins would be prevented from logging into IPA hosts. To prevent this situation, I suggest that in addition to the existing HBAC rule we should add another default rule that would allow the administrators' group access to the IPA replicas. This means that we also need to have a default and automatically populated host group called "IdM Servers" (or like). This host group should be automatically maintained (replicas should be added to it) when they are prepared or installed (TBD when it is better to do it).

The scope of work:
 1. Have a default host group for replicas created when the first IPA server is installed
 2. Host group is automatically updated when replicas are added. Replica removal might be left to administrator
 3. Have a default HBAC rule that would allow Admin user group full access to the host group defined above.
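
The three steps in the scope of work can be carried out by hand with the existing `ipa` CLI. The script below is an added example, not part of the original report and not FreeIPA project code; the host group name `idm_servers`, the rule name `allow_admins_idm_servers` and the `*.example.test` hosts are constructed placeholders.

```shell
#!/bin/sh
# Added example: manual equivalent of the default host group and HBAC rule
# proposed above. Names below are constructed placeholders.
# DRY_RUN=1 (default) only prints the ipa commands; DRY_RUN=0 executes them
# and needs an admin Kerberos ticket on an enrolled host.
DRY_RUN="${DRY_RUN:-1}"
HOSTGROUP="idm_servers"
RULE="allow_admins_idm_servers"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Usage: protect_idm_servers <ipa-server-fqdn>...
protect_idm_servers() {
    [ "$#" -ge 1 ] || { echo "need at least one IPA server FQDN" >&2; return 2; }

    # Step 1: host group for the IPA server and its replicas.
    run ipa hostgroup-add "$HOSTGROUP" --desc="IdM servers and replicas" || return 1

    # Step 2: membership is maintained by hand; repeat for each new replica.
    for h in "$@"; do
        run ipa hostgroup-add-member "$HOSTGROUP" --hosts="$h" || return 1
    done

    # Step 3: rule giving the admins group access to every service on that group.
    run ipa hbacrule-add "$RULE" --servicecat=all \
        --desc="Admins may log in to IdM servers" || return 1
    run ipa hbacrule-add-user "$RULE" --groups=admins || return 1
    run ipa hbacrule-add-host "$RULE" --hostgroups="$HOSTGROUP" || return 1

    # Check: evaluate ONLY the new rule, so the result does not depend on
    # the allow-all rule still being enabled.
    for h in "$@"; do
        run ipa hbactest --user=admin --host="$h" --service=sshd \
            --rules="$RULE" || return 1
    done
}
```

Source the file and call `protect_idm_servers ipa1.example.test ipa2.example.test`. Only after every `hbactest` run reports access granted is it safe to turn off the allow-all rule with `ipa hbacrule-disable allow_all`.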
Comment 2 Martin Kosek 2016-02-19 07:03:59 EST
Thank you for taking your time and submitting this request for Red Hat Enterprise Linux. The request was cloned to the upstream tracker a long time ago (see link to the upstream ticket above), but it was unfortunately not given priority either in the upstream project or in Red Hat Enterprise Linux.

Given that this request is not planned for a close release, it is highly unlikely it will be fixed in this major version of Red Hat Enterprise Linux. We are therefore closing the request as WONTFIX.

To request that Red Hat reconsider the decision, please reopen the Bugzilla with the help of Red Hat Customer Service and provide additional business and/or technical details about its importance to you. Please note that you can still track this request or even offer help in the referred upstream Trac ticket to expedite the solution.