Bug 983133 - [RFE] new ipa command component like "ipa accesscheck"
Summary: [RFE] new ipa command component like "ipa accesscheck"
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: freeipa
Version: rawhide
Hardware: All
OS: All
unspecified
medium
Target Milestone: ---
Assignee: Rob Crittenden
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2013-07-10 15:07 UTC by sakodak
Modified: 2023-02-15 13:35 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Feature: I have a need, on occasion, to see who is allowed to access a particular machine, or to check to see what machines a particular user is allowed to connect to.
Reason: I have a lot of AIX machines, sssd does not exist for AIX, so I must generate a list of users allowed to connect to any given machine. I would prefer to do this automatically. This would also help in system and user audits.
Result (if any):
Clone Of:
Environment:
Last Closed: 2023-02-15 13:34:13 UTC
Type: Bug
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FREEIPA-9459 0 None None None 2023-02-15 13:35:30 UTC

Description sakodak 2013-07-10 15:07:45 UTC
Description of problem:

Request for enhancement.  I have a need, on occasion, to see who is allowed to access a particular machine, or to check to see what machines a particular user is allowed to connect to.

What I'm asking for is a new function in the ipa command.  The way I envision it would be something like:

ipa accesscheck --user=someuser --hosts

would list all the hosts that someuser has access to.

ipa accesscheck --host=somehost --users

would list all the users allowed to access that host (by default show all services.)

ipa accesscheck --host=somehost --users --service=sshd

would show only users allowed to access somehost through sshd.

Bottom line, I want a list of users allowed to access a given host and a list of hosts a given user is allowed to connect to.  Anything else would be gravy.


Version-Release number of selected component (if applicable):

 n/a


How reproducible:

 n/a

Steps to Reproduce:
1. n/a
2. n/a
3. n/a

Actual results:
 n/a

Expected results:
 n/a

Additional info:
 n/a

Comment 1 Dmitri Pal 2013-07-11 00:10:12 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3775

Comment 2 Alexander Bokovoy 2023-02-15 13:34:13 UTC
I am closing this bug because 'ipa hbactest' tool implements most of this functionality.

-------------------------------------------------------------------
Simulate use of Host-based access controls

HBAC rules control who can access what services on what hosts.
You can use HBAC to control which users or groups can access a service,
or group of services, on a target host.

Since applying HBAC rules implies use of a production environment,
this plugin aims to provide simulation of HBAC rules evaluation without
having access to the production environment.

 Test user coming to a service on a named host against
 existing enabled rules.

 ipa hbactest --user= --host= --service=
              [--rules=rules-list] [--nodetail] [--enabled] [--disabled]
              [--sizelimit= ]

 --user, --host, and --service are mandatory, others are optional.

 If --rules is specified simulate enabling of the specified rules and test
 the login of the user using only these rules.

 If --enabled is specified, all enabled HBAC rules will be added to simulation

 If --disabled is specified, all disabled HBAC rules will be added to simulation

 If --nodetail is specified, do not return information about rules matched/not matched.

 If both --rules and --enabled are specified, apply simulation to --rules _and_
 all IPA enabled rules.

 If no --rules specified, simulation is run against all IPA enabled rules.
 By default there is a IPA-wide limit to number of entries fetched, you can change it
 with --sizelimit option.

-------------------------------------------------------------------
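As an added illustration (not part of this bug report or of FreeIPA itself), the host-centric listing the reporter asked for can be approximated by running `ipa hbactest` once per candidate user and keeping those whose verdict is a grant; the helper below assumes the CLI prints an `Access granted: True|False` line as shown in current releases, that a valid Kerberos ticket exists when the real CLI is used, and that the user list comes from elsewhere (e.g. `ipa user-find`). The sample verdict texts are constructed, not captured from a server.

```python
"""Approximate 'ipa accesscheck --host=... --users' with per-user ipa hbactest calls."""
import shutil
import subprocess
from typing import Callable, Iterable


def parse_hbactest_output(text: str) -> bool:
    """Return True only when hbactest explicitly reports a grant (assumed output format)."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Access granted:"):
            return line.split(":", 1)[1].strip() == "True"
    # No verdict at all (unknown user, server error): treat as not decidable.
    raise ValueError("no 'Access granted:' verdict in hbactest output")


def run_hbactest(user: str, host: str, service: str) -> str:
    """Invoke the real CLI; needs a Kerberos ticket (kinit) on this machine."""
    cmd = ["ipa", "hbactest", f"--user={user}", f"--host={host}",
           f"--service={service}", "--nodetail"]
    # Exit status is not relied upon; the verdict line is what gets parsed.
    return subprocess.run(cmd, capture_output=True, text=True).stdout


def allowed_users(host: str, service: str, users: Iterable[str],
                  runner: Callable[[str, str, str], str] = run_hbactest) -> list[str]:
    """Evaluate each candidate user against the enabled HBAC rules for host/service."""
    granted = []
    for user in users:
        try:
            if parse_hbactest_output(runner(user, host, service)):
                granted.append(user)
        except ValueError:
            # Fail closed: a user without a clear grant is not listed as allowed.
            pass
    return sorted(granted)


# Constructed sample verdicts for offline use (hypothetical users and host).
FAKE_VERDICTS = {
    "alice": "---------------------\nAccess granted: True\n---------------------\n",
    "bob":   "---------------------\nAccess granted: False\n---------------------\n",
    "carol": "ipa: ERROR: carol: user not found\n",
}


def fake_runner(user: str, host: str, service: str) -> str:
    return FAKE_VERDICTS.get(user, "")


if __name__ == "__main__":
    runner = run_hbactest if shutil.which("ipa") else fake_runner
    print(allowed_users("somehost.example.com", "sshd", ["alice", "bob", "carol"], runner))
```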

