summaryrefslogtreecommitdiffstats
path: root/freeipa.spec.in
diff options
context:
space:
mode:
authorAlexander Bokovoy <abokovoy@redhat.com>2011-07-22 16:30:44 +0300
committerRob Crittenden <rcritten@redhat.com>2011-07-28 18:01:44 -0400
commitdd296eec13e3b436b0c608fdddd53089ed5c78e5 (patch)
tree5e8a1fafd5691ce7b8dcba9e145590f289ac283a /freeipa.spec.in
parent442973edc5bffc1e215c22327369f66df7aeec08 (diff)
downloadfreeipa-dd296eec13e3b436b0c608fdddd53089ed5c78e5.zip
freeipa-dd296eec13e3b436b0c608fdddd53089ed5c78e5.tar.gz
freeipa-dd296eec13e3b436b0c608fdddd53089ed5c78e5.tar.xz
Add hbactest command. https://fedorahosted.org/freeipa/ticket/386
HBAC rules control who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can access a service, or group of services, on a target host. Since applying HBAC rules implies use of a production environment, this plugin aims to provide simulation of HBAC rules evaluation without having access to the production environment. Test user coming from source host to a service on a named host against existing enabled rules. ipa hbactest --user= --srchost= --host= --service= [--rules=rules-list] [--nodetail] [--enabled] [--disabled] --user, --srchost, --host, and --service are mandatory, others are optional. If --rules is specified simulate enabling of the specified rules and test the login of the user using only these rules. If --enabled is specified, all enabled HBAC rules will be added to simulation If --disabled is specified, all disabled HBAC rules will be added to simulation If --nodetail is specified, do not return information about rules matched/not matched. If both --rules and --enabled are specified, apply simulation to --rules _and_ all IPA enabled rules. If no --rules specified, simulation is run against all IPA enabled rules. EXAMPLES: 1. Use all enabled HBAC rules in IPA database to simulate: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 2. Disable detailed summary of how rules were applied: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail -------------------- Access granted: True -------------------- 3. Test explicitly specified HBAC rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: myrule 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 5. Test all disabled HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled --------------------- Access granted: False --------------------- notmatched: new-rule 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule 7. Test all (enabled and disabled) HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule notmatched: new-rule matched: allow_all Only rules existing in IPA database are tested. They may be in enabled or disabled disabled state. Specifying them through --rules option explicitly enables them only in simulation run. Specifying non-existing rules will not grant access and report non-existing rules in output.
Diffstat (limited to 'freeipa.spec.in')
-rw-r--r--freeipa.spec.in5
1 files changed, 5 insertions, 0 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 0413035..778b219 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -59,6 +59,7 @@ BuildRequires: python-kerberos
BuildRequires: python-rhsm
BuildRequires: pyOpenSSL
BuildRequires: pylint
+BuildRequires: libipa_hbac-python
%description
IPA is an integrated solution to provide centrally managed Identity (machine,
@@ -201,6 +202,7 @@ Requires: python-netaddr >= 0.7.5-3
%else
Requires: python-netaddr
%endif
+Requires: libipa_hbac-python
Obsoletes: ipa-python >= 1.0
@@ -511,6 +513,9 @@ fi
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
%changelog
+* Tue Jul 26 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.0.90-9
+- Add libipa_hbac-python dependency for hbactest plugin
+
* Thu Jul 28 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.90-8
- Set min nvr of pki-ca to 9.0.10 on F-15+ to pick up updated
caIPAserviceCert.cfg profile