Add hbactest command. https://fedorahosted.org/freeipa/ticket/386

HBAC rules control who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can access a service, or group of services, on a target host. Since applying HBAC rules implies use of a production environment, this plugin aims to provide simulation of HBAC rules evaluation without having access to the production environment. Test user coming from source host to a service on a named host against existing enabled rules. ipa hbactest --user= --srchost= --host= --service= [--rules=rules-list] [--nodetail] [--enabled] [--disabled] --user, --srchost, --host, and --service are mandatory, others are optional. If --rules is specified simulate enabling of the specified rules and test the login of the user using only these rules. If --enabled is specified, all enabled HBAC rules will be added to simulation If --disabled is specified, all disabled HBAC rules will be added to simulation If --nodetail is specified, do not return information about rules matched/not matched. If both --rules and --enabled are specified, apply simulation to --rules _and_ all IPA enabled rules. If no --rules specified, simulation is run against all IPA enabled rules. EXAMPLES: 1. Use all enabled HBAC rules in IPA database to simulate: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 2. Disable detailed summary of how rules were applied: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail -------------------- Access granted: True -------------------- 3. Test explicitly specified HBAC rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: myrule 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 5. Test all disabled HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled --------------------- Access granted: False --------------------- notmatched: new-rule 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule 7. Test all (enabled and disabled) HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule notmatched: new-rule matched: allow_all Only rules existing in IPA database are tested. They may be in enabled or disabled disabled state. Specifying them through --rules option explicitly enables them only in simulation run. Specifying non-existing rules will not grant access and report non-existing rules in output.
author: Alexander Bokovoy <abokovoy@redhat.com> 2011-07-22 16:30:44 +0300
committer: Rob Crittenden <rcritten@redhat.com> 2011-07-28 18:01:44 -0400
commit: dd296eec13e3b436b0c608fdddd53089ed5c78e5 (patch)
tree: 5e8a1fafd5691ce7b8dcba9e145590f289ac283a /freeipa.spec.in
parent: 442973edc5bffc1e215c22327369f66df7aeec08 (diff)
download: freeipa-dd296eec13e3b436b0c608fdddd53089ed5c78e5.tar.gz
freeipa-dd296eec13e3b436b0c608fdddd53089ed5c78e5.tar.xz
freeipa-dd296eec13e3b436b0c608fdddd53089ed5c78e5.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 04130352b..778b219c5 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -59,6 +59,7 @@ BuildRequires:  python-kerberos
 BuildRequires:  python-rhsm
 BuildRequires:  pyOpenSSL
 BuildRequires:  pylint
+BuildRequires:  libipa_hbac-python
 
 %description
 IPA is an integrated solution to provide centrally managed Identity (machine,
@@ -201,6 +202,7 @@ Requires: python-netaddr >= 0.7.5-3
 %else
 Requires: python-netaddr
 %endif
+Requires: libipa_hbac-python
 
 Obsoletes: ipa-python >= 1.0
 
@@ -511,6 +513,9 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
 
 %changelog
+* Tue Jul 26 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.0.90-9
+- Add libipa_hbac-python dependency for hbactest plugin
+
 * Thu Jul 28 2011 Rob Crittenden <rcritten@redhat.com> - 2.0.90-8
 - Set min nvr of pki-ca to 9.0.10 on F-15+ to pick up updated
   caIPAserviceCert.cfg profile
author	Alexander Bokovoy <abokovoy@redhat.com>	2011-07-22 16:30:44 +0300
committer	Rob Crittenden <rcritten@redhat.com>	2011-07-28 18:01:44 -0400
commit	dd296eec13e3b436b0c608fdddd53089ed5c78e5 (patch)
tree	5e8a1fafd5691ce7b8dcba9e145590f289ac283a /freeipa.spec.in
parent	442973edc5bffc1e215c22327369f66df7aeec08 (diff)
download	freeipa-dd296eec13e3b436b0c608fdddd53089ed5c78e5.tar.gz freeipa-dd296eec13e3b436b0c608fdddd53089ed5c78e5.tar.xz freeipa-dd296eec13e3b436b0c608fdddd53089ed5c78e5.zip