summaryrefslogtreecommitdiffstats
path: root/ipa-python/README
diff options
context:
space:
mode:
authorKarl MacMillan <kmacmill@redhat.com>2007-09-28 16:45:57 -0400
committerKarl MacMillan <kmacmill@redhat.com>2007-09-28 16:45:57 -0400
commit22710a8dce6700cfd3c991d9c0e5425fc7bdea5e (patch)
tree97fa6f6c25899342ad413967ee564985da5b1b90 /ipa-python/README
parent24c22a2ebc3852e880c18b7c572954f0f99ada1d (diff)
Make apache work with selinux
The default configuration of the apache selinux policy doesn't allow apache to connect to the turbogears gui. This sets the correct boolean to allow that connection.
Diffstat (limited to 'ipa-python/README')
0 files changed, 0 insertions, 0 deletions
generated by cgit (git 2.34.1) at 2026-04-25 03:17:59 +0000
01'>101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 
#
# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
#

# pylint: disable=unused-import
import six

from . import Command, Method, Object
from ipalib import api, parameters, output
from ipalib.parameters import DefaultFrom
from ipalib.plugable import Registry
from ipalib.text import _
from ipapython.dn import DN
from ipapython.dnsutil import DNSName

if six.PY3:
    unicode = str

__doc__ = _("""
Simulate use of Host-based access controls

HBAC rules control who can access what services on what hosts and from where.
You can use HBAC to control which users or groups can access a service,
or group of services, on a target host.

Since applying HBAC rules implies use of a production environment,
this plugin aims to provide simulation of HBAC rules evaluation without
having access to the production environment.

 Test user coming to a service on a named host against
 existing enabled rules.

 ipa hbactest --user= --host= --service=
              [--rules=rules-list] [--nodetail] [--enabled] [--disabled]
              [--srchost= ] [--sizelimit= ]

 --user, --host, and --service are mandatory, others are optional.

 If --rules is specified simulate enabling of the specified rules and test
 the login of the user using only these rules.

 If --enabled is specified, all enabled HBAC rules will be added to simulation

 If --disabled is specified, all disabled HBAC rules will be added to simulation

 If --nodetail is specified, do not return information about rules matched/not matched.

 If both --rules and --enabled are specified, apply simulation to --rules _and_
 all IPA enabled rules.

 If no --rules specified, simulation is run against all IPA enabled rules.
 By default there is a IPA-wide limit to number of entries fetched, you can change it
 with --sizelimit option.

 If --srchost is specified, it will be ignored. It is left because of compatibility reasons only.

EXAMPLES:

    1. Use all enabled HBAC rules in IPA database to simulate:
    $ ipa  hbactest --user=a1a --host=bar --service=sshd
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      matched: allow_all

    2. Disable detailed summary of how rules were applied:
    $ ipa hbactest --user=a1a --host=bar --service=sshd --nodetail
    --------------------
    Access granted: True
    --------------------

    3. Test explicitly specified HBAC rules:
    $ ipa hbactest --user=a1a --host=bar --service=sshd           --rules=my-second-rule,myrule
    ---------------------
    Access granted: False
    ---------------------
      notmatched: my-second-rule
      notmatched: myrule

    4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
    $ ipa hbactest --user=a1a --host=bar --service=sshd           --rules=my-second-rule,myrule --enabled
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      matched: allow_all

    5. Test all disabled HBAC rules in IPA database:
    $ ipa hbactest --user=a1a --host=bar --service=sshd --disabled
    ---------------------
    Access granted: False
    ---------------------
      notmatched: new-rule

    6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
    $ ipa hbactest --user=a1a --host=bar --service=sshd           --rules=my-second-rule,myrule --disabled
    ---------------------
    Access granted: False
    ---------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule

    7. Test all (enabled and disabled) HBAC rules in IPA database:
    $ ipa hbactest --user=a1a --host=bar --service=sshd           --enabled --disabled
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      notmatched: new-rule
      matched: allow_all
""")

register = Registry()


@register()
class hbactest(Command):
    __doc__ = _("Simulate use of Host-based access controls")

    takes_options = (
        parameters.Str(
            'user',
            label=_(u'User name'),
        ),
        parameters.Str(
            'sourcehost',
            required=False,
            cli_name='srchost',
            label=_(u'Source host'),
        ),
        parameters.Str(
            'targethost',
            cli_name='host',
            label=_(u'Target host'),
        ),
        parameters.Str(
            'service',
            label=_(u'Service'),
        ),
        parameters.Str(
            'rules',
            required=False,
            multivalue=True,
            label=_(u'Rules to test. If not specified, --enabled is assumed'),
        ),
        parameters.Flag(
            'nodetail',
            required=False,
            label=_(u'Hide details which rules are matched, not matched, or invalid'),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'enabled',
            required=False,
            label=_(u'Include all enabled IPA rules into test [default]'),
            default=False,
            autofill=True,
        ),
        parameters.Flag(
            'disabled',
            required=False,
            label=_(u'Include all disabled IPA rules into test'),
            default=False,
            autofill=True,
        ),
        parameters.Int(
            'sizelimit',
            required=False,
            label=_(u'Size Limit'),
            doc=_(u'Maximum number of rules to process when no --rules is specified'),
        ),
    )
    has_output = (
        output.Output(
            'summary',
            (unicode, type(None)),
            doc=_(u'User-friendly description of action performed'),
        ),
        output.Output(
            'warning',
            (list, tuple, type(None)),
            doc=_(u'Warning'),
        ),
        output.Output(
            'matched',
            (list, tuple, type(None)),
            doc=_(u'Matched rules'),
        ),
        output.Output(
            'notmatched',
            (list, tuple, type(None)),
            doc=_(u'Not matched rules'),
        ),
        output.Output(
            'error',
            (list, tuple, type(None)),
            doc=_(u'Non-existent or invalid rules'),
        ),
        output.Output(
            'value',
            bool,
            doc=_(u'Result of simulation'),
        ),
    )
generated by cgit (git 2.34.1) at 2026-04-25 03:17:59 +0000