Hot-keys on this page
r m x p toggle line displays
j k next/prev highlighted chunk
0 (zero) top of page
1 (one) first highlighted chunk
# Authors: # Pavel Zuna <pzuna@redhat.com> # # Copyright (C) 2009 Red Hat # see file 'COPYING' for use and warranty information # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>.
Host-based access control
Control who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can access a service, or group of services, on a target host.
You can also specify a category of users, target hosts, and source hosts. This is currently limited to "all", but might be expanded in the future.
Target hosts and source hosts in HBAC rules must be hosts managed by IPA.
The available services and groups of services are controlled by the hbacsvc and hbacsvcgroup plug-ins respectively.
EXAMPLES:
Create a rule, "test1", that grants all users access to the host "server" from anywhere: ipa hbacrule-add --usercat=all --srchostcat=all test1 ipa hbacrule-add-host --hosts=server.example.com test1
Display the properties of a named HBAC rule: ipa hbacrule-show test1
Create a rule for a specific service. This lets the user john access the sshd service on any machine from any machine: ipa hbacrule-add --hostcat=all --srchostcat=all john_sshd ipa hbacrule-add-user --users=john john_sshd ipa hbacrule-add-service --hbacsvcs=sshd john_sshd
Create a rule for a new service group. This lets the user john access the FTP service on any machine from any machine: ipa hbacsvcgroup-add ftpers ipa hbacsvc-add sftp ipa hbacsvcgroup-add-member --hbacsvcs=ftp,sftp ftpers ipa hbacrule-add --hostcat=all --srchostcat=all john_ftp ipa hbacrule-add-user --users=john john_ftp ipa hbacrule-add-service --hbacsvcgroups=ftpers john_ftp
Disable a named HBAC rule: ipa hbacrule-disable test1
Remove a named HBAC rule: ipa hbacrule-del allow_server """)
# AccessTime support is being removed for now. # # You can also control the times that the rule is active. # # The access time(s) of a host are cumulative and are not guaranteed to be # applied in the order displayed. # # Specify that the rule "test1" be active every day between 0800 and 1400: # ipa hbacrule-add-accesstime --time='periodic daily 0800-1400' test1 # # Specify that the rule "test1" be active once, from 10:32 until 10:33 on # December 16, 2010: # ipa hbacrule-add-accesstime --time='absolute 201012161032 ~ 201012161033' test1
""" See if options[attribute] is lower-case 'all' in a safe way. """ else: else:
""" HBAC object. """ 'cn', 'ipaenabledflag', 'description', 'usercategory', 'hostcategory', 'sourcehostcategory', 'servicecategory', 'ipaenabledflag', 'memberuser', 'sourcehost', 'memberhost', 'memberservice', 'memberhostgroup', 'externalhost', ] 'memberuser': ['user', 'group'], 'memberhost': ['host', 'hostgroup'], 'sourcehost': ['host', 'hostgroup'], 'memberservice': ['hbacsvc', 'hbacsvcgroup'], }
Str('cn', cli_name='name', label=_('Rule name'), primary_key=True, ), StrEnum('accessruletype', validate_type, cli_name='type', doc=_('Rule type (allow)'), label=_('Rule type'), values=(u'allow', u'deny'), default=u'allow', autofill=True, exclude='webui', flags=['no_option', 'no_output'], ), # FIXME: {user,host,sourcehost,service}categories should expand in the future StrEnum('usercategory?', cli_name='usercat', label=_('User category'), doc=_('User category the rule applies to'), values=(u'all', ), ), StrEnum('hostcategory?', cli_name='hostcat', label=_('Host category'), doc=_('Host category the rule applies to'), values=(u'all', ), ), StrEnum('sourcehostcategory?', cli_name='srchostcat', label=_('Source host category'), doc=_('Source host category the rule applies to'), values=(u'all', ), ), StrEnum('servicecategory?', cli_name='servicecat', label=_('Service category'), doc=_('Service category the rule applies to'), values=(u'all', ), ), # AccessTime('accesstime?', # cli_name='time', # label=_('Access time'), # ), Str('description?', cli_name='desc', label=_('Description'), ), Flag('ipaenabledflag?', label=_('Enabled'), flags=['no_create', 'no_update', 'no_search'], ), Str('memberuser_user?', label=_('Users'), flags=['no_create', 'no_update', 'no_search'], ), Str('memberuser_group?', label=_('User Groups'), flags=['no_create', 'no_update', 'no_search'], ), Str('memberhost_host?', label=_('Hosts'), flags=['no_create', 'no_update', 'no_search'], ), Str('memberhost_hostgroup?', label=_('Host Groups'), flags=['no_create', 'no_update', 'no_search'], ), Str('sourcehost_host?', label=_('Source Hosts'), flags=['no_create', 'no_update', 'no_search'], ), Str('sourcehost_hostgroup?', label=_('Source Host Groups'), flags=['no_create', 'no_update', 'no_search'], ), Str('memberservice_hbacsvc?', label=_('Services'), flags=['no_create', 'no_update', 'no_search'], ), Str('memberservice_hbacsvcgroup?', label=_('Service Groups'), flags=['no_create', 'no_update', 'no_search'], ), )
# HBAC rules are enabled by default
except errors.NotFound: self.obj.handle_not_found(*keys)
raise errors.MutuallyExclusiveError(reason=_("sourcehost category cannot be set to 'all' while there are allowed sourcehosts"))
'%(count)d HBAC rule matched', '%(count)d HBAC rules matched', 0 )
except errors.EmptyModlist: pass except errors.NotFound: self.obj.handle_not_found(cn)
result=True, value=cn, )
except errors.EmptyModlist: pass except errors.NotFound: self.obj.handle_not_found(cn)
result=True, value=cn, )
""" Add an access time to an HBAC rule. """
AccessTime('accesstime', cli_name='time', label=_('Access time'), ), )
ldap = self.obj.backend
dn = self.obj.get_dn(cn)
(dn, entry_attrs) = ldap.get_entry(dn, ['accesstime']) entry_attrs.setdefault('accesstime', []).append( options['accesstime'] ) try: ldap.update_entry(dn, entry_attrs) except errors.EmptyModlist: pass except errors.NotFound: self.obj.handle_not_found(cn)
return dict(result=True)
textui.print_name(self.name) textui.print_dashed( 'Added access time "%s" to HBAC rule "%s"' % ( options['accesstime'], cn ) )
#api.register(hbacrule_add_accesstime)
""" Remove access time to HBAC rule. """ AccessTime('accesstime?', cli_name='time', label=_('Access time'), ), )
ldap = self.obj.backend
dn = self.obj.get_dn(cn)
(dn, entry_attrs) = ldap.get_entry(dn, ['accesstime']) try: entry_attrs.setdefault('accesstime', []).remove( options['accesstime'] ) ldap.update_entry(dn, entry_attrs) except (ValueError, errors.EmptyModlist): pass except errors.NotFound: self.obj.handle_not_found(cn)
return dict(result=True)
textui.print_name(self.name) textui.print_dashed( 'Removed access time "%s" from HBAC rule "%s"' % ( options['accesstime'], cn ) )
#api.register(hbacrule_remove_accesstime)
except errors.NotFound: self.obj.handle_not_found(*keys) entry_attrs['usercategory'][0].lower() == 'all':
except errors.NotFound: self.obj.handle_not_found(*keys) entry_attrs['hostcategory'][0].lower() == 'all': raise errors.MutuallyExclusiveError(reason="hosts cannot be added when host category='all'")
except errors.NotFound: self.obj.handle_not_found(*keys) entry_attrs['sourcehostcategory'][0].lower() == 'all': raise errors.MutuallyExclusiveError(reason="source hosts cannot be added when sourcehost category='all'")
except errors.NotFound: self.obj.handle_not_found(*keys) entry_attrs['servicecategory'][0].lower() == 'all':
|