From 92e350ca0a1fda0dc9fe6e073dd7afe19a62d9ec Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Tue, 4 May 2010 15:24:54 -0400 Subject: Create default HBAC rule allowing any user to access any host from any host This is to make initial installation and testing easier. Use the --no_hbac_allow option on the command-line to disable this when doing an install. To remove it from a running server do: ipa hbac-del allow_all --- install/share/Makefile.am | 1 + install/share/default-hbac.ldif | 14 ++++++++++++++ install/tools/ipa-server-install | 7 +++++-- install/tools/man/ipa-server-install.1 | 3 +++ 4 files changed, 23 insertions(+), 2 deletions(-) create mode 100644 install/share/default-hbac.ldif (limited to 'install') diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 92d50775..5f353683 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -13,6 +13,7 @@ app_DATA = \ bootstrap-template.ldif \ caJarSigningCert.cfg.template \ default-aci.ldif \ + default-hbac.ldif \ default-keytypes.ldif \ delegation.ldif \ dns.ldif \ diff --git a/install/share/default-hbac.ldif b/install/share/default-hbac.ldif new file mode 100644 index 00000000..541ff0df --- /dev/null +++ b/install/share/default-hbac.ldif @@ -0,0 +1,14 @@ +# default HBAC policy that grants permission to all services +dn: ipauniqueid=$UUID,cn=hbac,$SUFFIX +changetype: add +objectclass: ipaassociation +objectclass: ipahbacrule +cn: allow_all +accessruletype: allow +usercategory: all +hostcategory: all +sourcehostcategory: all +ipaenabledflag: TRUE +description: Allow all users to access any host from any host +# ipauniqueid gets added for us by 389-ds + diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 4fd520a6..c7fe6608 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -122,6 +122,9 @@ def parse_options(): help="The starting gid value (default random)") parser.add_option("--subject", dest="subject", default="O=IPA", help="The certificate subject base (default O=IPA)") + parser.add_option("--no_hbac_allow", dest="hbac_allow", default=False, + action="store_true", + help="Don't install allow_all HBAC rule") options, args = parser.parse_args() if not options.setup_dns: @@ -722,11 +725,11 @@ def main(): if options.dirsrv_pkcs12: pkcs12_info = (options.dirsrv_pkcs12, pw_name) try: - ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, pkcs12_info, subject_base=options.subject) + ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, pkcs12_info, subject_base=options.subject, hbac_allow=not options.hbac_allow) finally: os.remove(pw_name) else: - ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, self_signed_ca=options.selfsign, uidstart=options.uidstart, gidstart=options.gidstart, subject_base=options.subject) + ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, self_signed_ca=options.selfsign, uidstart=options.uidstart, gidstart=options.gidstart, subject_base=options.subject, hbac_allow=not options.hbac_allow) # Create a kerberos instance krb = krbinstance.KrbInstance(fstore) diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1 index edd54163..a64a2eba 100644 --- a/install/tools/man/ipa-server-install.1 +++ b/install/tools/man/ipa-server-install.1 @@ -101,6 +101,9 @@ The starting group id number (default random) \fB\-\-subject\fR=\fISUBJECT\fR The certificate subject base (default O=IPA) .TP +\fB\-\-no_hbac_allow\fR +Don't install allow_all HBAC rule. This rule lets any user from any host access any service on any other host. It is expected that users will remove this rule before moving to production. +.TP .SH "EXIT STATUS" 0 if the installation was successful -- cgit