Description of problem:
Request for enhancement. I have a need, on occasion, to see who is allowed to access a particular machine, or to check to see what machines a particular user is allowed to connect to. What I'm asking for is a new function in the ipa command. The way I envision it would be something like:

ipa accesscheck --user=someuser --hosts
would list all the hosts that someuser has access to.

ipa accesscheck --host=somehost --users
would list all the users allowed to access that host (by default show all services).

ipa accesscheck --host=somehost --users --service=sshd
would show only users allowed to access somehost through sshd.

Bottom line, I want a list of users allowed to access a given host and a list of hosts a given user is allowed to connect to. Anything else would be gravy.

Version-Release number of selected component (if applicable):
n/a

How reproducible:
n/a

Steps to Reproduce:
1. n/a
2. n/a
3. n/a

Actual results:
n/a

Expected results:
n/a

Additional info:
n/a
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3775
I am closing this bug because the 'ipa hbactest' tool implements most of this functionality.
-------------------------------------------------------------------
Simulate use of Host-based access controls

HBAC rules control who can access what services on what hosts. You can use HBAC to control which users or groups can access a service, or group of services, on a target host.

Since applying HBAC rules implies use of a production environment, this plugin aims to provide simulation of HBAC rules evaluation without having access to the production environment.

Test user coming to a service on a named host against existing enabled rules.

    ipa hbactest --user= --host= --service=
                 [--rules=rules-list] [--nodetail] [--enabled] [--disabled]
                 [--sizelimit= ]

--user, --host, and --service are mandatory, others are optional.

If --rules is specified simulate enabling of the specified rules and test the login of the user using only these rules.

If --enabled is specified, all enabled HBAC rules will be added to simulation

If --disabled is specified, all disabled HBAC rules will be added to simulation

If --nodetail is specified, do not return information about rules matched/not matched.

If both --rules and --enabled are specified, apply simulation to --rules _and_ all IPA enabled rules.

If no --rules specified, simulation is run against all IPA enabled rules.

By default there is a IPA-wide limit to number of entries fetched, you can change it with --sizelimit option.
-------------------------------------------------------------------
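The closing comment points at hbactest, which evaluates one user/host/service triple at a time, whereas the reporter asked for the list of hosts a user can reach. The script below is an added example, not part of the bug report or of FreeIPA, that bridges the two by running hbactest against every enrolled host. It assumes an enrolled client with a Kerberos ticket for a principal allowed to read hosts and HBAC rules, that `ipa host-find --raw` prints each host as an `fqdn:` line, and that hbactest reports its verdict as "Access granted: True" or "Access granted: False".

```shell
#!/bin/sh
# Added example (not FreeIPA code): list the hosts a user may reach through a
# service by evaluating the user against every enrolled host with hbactest.
# Assumptions: a Kerberos ticket for a principal that may read hosts and HBAC
# rules; `ipa host-find --raw` prints "fqdn: <host>" lines; hbactest prints
# its verdict as "Access granted: True" / "Access granted: False".

# Parse hbactest output on stdin and print one word: granted, denied or
# unknown (exit 2 when no verdict line is present, e.g. the command failed).
hbac_verdict() {
    verdict=$(sed -n 's/^Access granted: //p')
    case "$verdict" in
        True)  echo granted ;;
        False) echo denied ;;
        *)     echo unknown; return 2 ;;
    esac
}

# Print every host the user may access through $service (default sshd),
# evaluated against all enabled HBAC rules, which is hbactest's default.
# --sizelimit=0 lifts the IPA-wide search limit the help text mentions.
hosts_for_user() {
    user=$1
    service=${2:-sshd}
    ipa host-find --raw --sizelimit=0 | sed -n 's/^ *fqdn: //p' |
    while read -r host; do
        # stdin is redirected so hbactest cannot swallow the host list
        result=$(ipa hbactest --user="$user" --host="$host" \
                    --service="$service" --nodetail </dev/null 2>/dev/null |
                 hbac_verdict)
        [ "$result" = granted ] && echo "$host"
    done
}

# Live invocation (needs an enrolled IPA client): hosts_for_user alice sshd
```

Because the loop issues one hbactest call per host, it is slow on large deployments, but it needs no write access and exercises only the rules that are actually enabled.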