[Freeipa-devel] [WIP] Add command to test HBAC rules
Rob Crittenden
rcritten at redhat.com
Fri Jul 22 19:47:54 UTC 2011
Alexander Bokovoy wrote:
>
> Now real patch: adds command, updates API.txt and VERSION files, along
> with freeipa.spec.
>
>
> On 22.07.2011 12:32, Alexander Bokovoy wrote:
>> Hi,
>>
>> attached please find a first cut of an HBAC tester command to CLI,
>> FreeIPA ticket https://fedorahosted.org/freeipa/ticket/386
>>
>> The idea behind this plugin is to re-use pyhbac module provided by SSSD
>> project which is Python bindings for SSSD's libipa_hbac code used for
>> actual HBAC rule execution. This requires libipa_hbac-python package.
>>
>> There are four modes implemented by the plugin given (user, source host,
>> target host, service), attempt to login user coming from source host to
>> target host's service:
>>
>> 1. Use all enabled HBAC rules in IPA database to simulate
>> [root at host0 ~]# ipa hbactest --user=a1a --srchost=foo --host=bar
>> --service=ssh
>> --------------------
>> Access granted: True
>> --------------------
>>
>> 2. Use all enabled HBAC rules in IPA database + explicitly specified
>> (disabled) rules
>> [root at host0 ~]# ipa hbactest --user=a1a --srchost=foo --host=bar
>> --service=ssh --rules=my-second-rule
>> --------------------
>> Access granted: True
>> --------------------
>>
>> 3. Use only explicitly specified HBAC rules
>> [root at host0 ~]# ipa hbactest --user=a1a --srchost=foo --host=bar
>> --service=ssh --rules=my-second-rule,new-rule --validate
>> --------------------
>> Access granted: True
>> --------------------
>> Passed rules: new-rule
>> Denied rules: my-second-rule
>>
>> 4. Get detailed result of simulation for all enabled HBAC rules:
>> [root at host0 ~]# ipa hbactest --user=a1a --srchost=foo --host=bar
>> --service=ssh --validate
>> --------------------
>> Access granted: True
>> --------------------
>> Passed rules: allow_all
>> Denied rules: my-second-rule, my-third-rule, myrule
>>
>> --validate option forces to run detailed simulation and report per-rule
>> results. Results are: passed, denied, error. The latter one is for
>> wrongly specified rules which should not be enabled.
>>
>> When --validate specified together with --rules, only HBAC rules
>> specified on the command line are considered.
>>
>> I'm still not sure if running simulation against all disabled HBAC rules
>> in database is worth it.
For a first shot at writing an IPA plugin this is an excellent start, my
comments are mostly corner cases.
I wanted to see what would happen with an incomplete rule:
$ ipa hbacrule-show test2
Rule name: test2
Enabled: TRUE
$ ipa hbactest --rules=test2
User name: admin
Source host: panther.example.com
Target host: puma.example.com
Service: login
--------------------
Access granted: True
--------------------
I believe this should have failed.
If I pass in --validate with the same input I get:
---------------------
Access granted: False
---------------------
Denied rules: test2
So this is a little confusing. I thought --rules limited the rules that
were considered. Maybe I'm misunderstanding it.
It would also be nice to have a way to validate a rule without having to
supply all the options, sort of a "is this rule even legal?". When first
working with hbac rules it is hard to remember that all parts (users,
services, hosts and sourcehosts) all need to be defined or the rule is
invalid.
You don't need to explicitly include required=True in your Parameters,
it is the default.
In output you can define them as Str instead of List. List is more for
input, it automatically parses comma-separated data.
The text in the examples wraps a fair bit on an 80-character screen.
If you pass in a non-existing rule to --rules it is ignored, at least
with --validate.
I assume that unit tests are coming since this is still a WIP. Writing
one at this point might help with the corner cases.
rob
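The evaluation semantics the thread describes (a rule passes only when user, source host, target host and service all match; access is granted when any considered rule passes; --rules adds disabled rules to the enabled set, or with --validate restricts the set to the named rules; --validate reports per-rule passed/denied/error), reimplemented as an added, stand-alone Python example. This is not pyhbac, libipa_hbac or the FreeIPA hbactest plugin; the HbacRule/AccessRequest classes, the ALL sentinel, the hbactest() function and the sample rule database are assumptions constructed for illustration. It treats an incomplete rule (a dimension with neither members nor an "all" category) as "error" rather than as a match, which is the outcome Rob expected for his test2 case, and it reports unknown rule names instead of silently ignoring them.

```python
"""Illustrative HBAC rule simulator. Not pyhbac/libipa_hbac and not FreeIPA code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Union

ALL = "all"                      # stands in for IPA's "category = all" on a rule dimension
Members = Union[str, Set[str]]   # either ALL or an explicit set of member names

DIMENSIONS = ("users", "hosts", "srchosts", "services")


@dataclass
class HbacRule:
    """Hypothetical in-memory view of one HBAC rule."""
    name: str
    enabled: bool = True
    users: Members = field(default_factory=set)
    hosts: Members = field(default_factory=set)
    srchosts: Members = field(default_factory=set)
    services: Members = field(default_factory=set)

    def incomplete_fields(self) -> List[str]:
        """Every dimension must name members or be ALL; anything else makes the rule invalid."""
        return [d for d in DIMENSIONS
                if getattr(self, d) != ALL and not getattr(self, d)]


@dataclass
class AccessRequest:
    """The (user, source host, target host, service) tuple being simulated."""
    user: str
    srchost: str
    host: str
    service: str


def _matches(members: Members, value: str) -> bool:
    return members == ALL or value in members


def evaluate_rule(rule: HbacRule, req: AccessRequest) -> str:
    """'error' for an incomplete rule, 'passed' if all four dimensions match, else 'denied'."""
    if rule.incomplete_fields():
        return "error"          # an incomplete rule never grants access
    matched = (
        _matches(rule.users, req.user),
        _matches(rule.hosts, req.host),
        _matches(rule.srchosts, req.srchost),
        _matches(rule.services, req.service),
    )
    return "passed" if all(matched) else "denied"


def select_rules(db: Dict[str, HbacRule], names: Optional[List[str]], validate: bool):
    """Choose the rule set the way the four CLI modes in the thread describe it."""
    names = names or []
    unknown = [n for n in names if n not in db]
    named = [db[n] for n in names if n in db]
    if names and validate:                       # --rules + --validate: only the named rules
        return named, unknown
    chosen = [r for r in db.values() if r.enabled]   # default: every enabled rule
    seen = {r.name for r in chosen}
    chosen += [r for r in named if r.name not in seen]  # --rules alone: add the named (disabled) ones
    return chosen, unknown


def hbactest(db: Dict[str, HbacRule], req: AccessRequest,
             rules: Optional[List[str]] = None, validate: bool = False) -> dict:
    """Simulate the request; the detailed lists are what --validate would print."""
    chosen, unknown = select_rules(db, rules, validate)
    report = {"passed": [], "denied": [], "error": [], "unknown": unknown}
    for rule in chosen:
        report[evaluate_rule(rule, req)].append(rule.name)
    report["granted"] = bool(report["passed"])   # any passing rule grants access
    report["detailed"] = validate
    return report


def sample_db() -> Dict[str, HbacRule]:
    """Constructed sample rules loosely modelled on the names used in the thread."""
    return {
        "allow_all": HbacRule("allow_all", users=ALL, hosts=ALL, srchosts=ALL, services=ALL),
        "my-second-rule": HbacRule("my-second-rule", users={"b2b"}, hosts=ALL,
                                   srchosts=ALL, services=ALL),
        "test2": HbacRule("test2"),              # enabled but every dimension is empty
        "disabled-rule": HbacRule("disabled-rule", enabled=False, users={"a1a"},
                                  hosts={"bar"}, srchosts={"foo"}, services={"ssh"}),
    }


if __name__ == "__main__":
    req = AccessRequest(user="a1a", srchost="foo", host="bar", service="ssh")
    for args in ({}, {"rules": ["test2"], "validate": True},
                 {"rules": ["disabled-rule"]}, {"validate": True}):
        print(args, "->", hbactest(sample_db(), req, **args))
```

The key design choice is that "error" is a third outcome, distinct from "denied": a rule with no members in one dimension is reported as broken instead of being silently skipped or, worse, treated as matching, so the administrator sees the misconfiguration before the rule is relied on in production.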