Alexander Bokovoy wrote:
Now real patch: adds command, updates API.txt and VERSION files, along
with freeipa.spec.
On 22.07.2011 12:32, Alexander Bokovoy wrote:
Hi,
attached please find a first cut of an HBAC tester command to CLI,
FreeIPA ticket https://fedorahosted.org/freeipa/ticket/386
The idea behind this plugin is to re-use the pyhbac module provided by the SSSD
project, which is the Python binding for SSSD's libipa_hbac code used for
actual HBAC rule execution. This requires the libipa_hbac-python package.
There are four modes implemented by the plugin. Given (user, source host,
target host, service), it attempts to log in the user coming from the source
host to the target host's service:
1. Use all enabled HBAC rules in IPA database to simulate
[root@host0 ~]# ipa hbactest --user=a1a --srchost=foo --host=bar
--service=ssh
--------------------
Access granted: True
--------------------
2. Use all enabled HBAC rules in IPA database + explicitly specified
(disabled) rules
[root@host0 ~]# ipa hbactest --user=a1a --srchost=foo --host=bar
--service=ssh --rules=my-second-rule
--------------------
Access granted: True
--------------------
3. Use only explicitly specified HBAC rules
[root@host0 ~]# ipa hbactest --user=a1a --srchost=foo --host=bar
--service=ssh --rules=my-second-rule,new-rule --validate
--------------------
Access granted: True
--------------------
Passed rules: new-rule
Denied rules: my-second-rule
4. Get detailed result of simulation for all enabled HBAC rules:
[root@host0 ~]# ipa hbactest --user=a1a --srchost=foo --host=bar
--service=ssh --validate
--------------------
Access granted: True
--------------------
Passed rules: allow_all
Denied rules: my-second-rule, my-third-rule, myrule
The --validate option forces a detailed simulation and reports per-rule
results. Results are: passed, denied, error. The latter one is for
wrongly specified rules which should not be enabled.
When --validate is specified together with --rules, only HBAC rules
specified on the command line are considered.
I'm still not sure if running simulation against all disabled HBAC rules
in the database is worth it.
For a first shot at writing an IPA plugin this is an excellent start, my
comments are mostly corner cases.
I wanted to see what would happen with an incomplete rule:
$ ipa hbacrule-show test2
Rule name: test2
Enabled: TRUE
$ ipa hbactest --rules=test2
User name: admin
Source host: panther.example.com
Target host: puma.example.com
Service: login
--------------------
Access granted: True
--------------------
I believe this should have failed.
If I pass in --validate with the same input I get:
---------------------
Access granted: False
---------------------
Denied rules: test2
So this is a little confusing. I thought --rules limited the rules that
were considered. Maybe I'm misunderstanding it.
It would also be nice to have a way to validate a rule without having to
supply all the options, sort of an "is this rule even legal?". When first
working with hbac rules it is hard to remember that all parts (users,
services, hosts and sourcehosts) need to be defined or the rule is
invalid.
You don't need to explicitly include required=True in your Parameters,
it is the default.
In output you can define them as Str instead of List. List is more for
input, it automatically parses comma-separated data.
The text in the examples wraps a fair bit on an 80-character screen.
If you pass in a non-existing rule to --rules it is ignored, at least
with --validate.
I assume that unit tests are coming since this is still a WIP. Writing
one at this point might help with the corner cases.
rob
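The following is an added illustration written for this page, not the hbactest patch under review and not the SSSD pyhbac bindings. It models, in plain Python with constructed rules, the rule-selection semantics the thread describes (all enabled rules; enabled plus explicitly named rules; only the named rules when --validate is combined with --rules) and the per-rule passed/denied/error report, and it treats the two corner cases from the review as errors rather than matches: a rule with no users, hosts, services or sourcehosts defined, and a rule name that does not exist. The rule names, hosts and users are made up to resemble the examples above; the ALL marker stands in for the category=all setting and is an assumption of this toy model.

```python
"""Toy simulator of the HBAC evaluation modes discussed in the thread.

Added example: this is not FreeIPA's hbactest plugin nor pyhbac. It models
rule selection, the --validate per-rule report, and the review's corner
cases (incomplete rules, unknown rule names). All rules below are constructed.
"""
from dataclasses import dataclass

ALL = "all"  # assumption: stands in for usercategory/hostcategory/... = all

COMPONENTS = ("users", "srchosts", "hosts", "services")


@dataclass(frozen=True)
class Rule:
    name: str
    enabled: bool = True
    # Each component is ALL, a frozenset of member names, or None (never set).
    users: object = None
    srchosts: object = None
    hosts: object = None
    services: object = None

    def missing(self):
        """Components that are neither ALL nor a member list. A rule with any
        of these is incomplete: it is reported as an error and never grants."""
        return [c for c in COMPONENTS if getattr(self, c) is None]


def matches(component, value):
    """True if a complete component admits the requested value."""
    return component == ALL or value in component


def hbactest(rules, user, srchost, host, service, explicit=(), validate=False):
    """Simulate an access request against a rule set.

    Returns {'granted': bool} and, when validate is set, the per-rule lists
    'passed', 'denied' and 'error' (error also carries unknown rule names,
    which this toy reports instead of silently ignoring).
    """
    by_name = {r.name: r for r in rules}
    error = []
    # --validate together with --rules considers only the named rules;
    # otherwise every enabled rule is in play, plus any named (even disabled) ones.
    selected = [] if (validate and explicit) else [r for r in rules if r.enabled]
    for name in explicit:
        rule = by_name.get(name)
        if rule is None:
            error.append(name)
        elif rule not in selected:
            selected.append(rule)

    request = dict(zip(COMPONENTS, (user, srchost, host, service)))
    passed, denied = [], []
    for rule in selected:
        if rule.missing():
            error.append(rule.name)  # incomplete rule: error, not a match
            continue
        ok = all(matches(getattr(rule, c), v) for c, v in request.items())
        (passed if ok else denied).append(rule.name)

    result = {"granted": bool(passed)}
    if validate:
        result.update(passed=passed, denied=denied, error=error)
    return result


# Constructed rule set, loosely mirroring the names used in the thread.
RULES = [
    Rule("allow_all", users=ALL, srchosts=ALL, hosts=ALL, services=ALL),
    Rule("myrule", users=frozenset({"b1"}), srchosts=ALL, hosts=ALL, services=ALL),
    Rule("my-third-rule", users=ALL, srchosts=ALL, hosts=ALL,
         services=frozenset({"ftp"})),
    Rule("my-second-rule", enabled=False, users=frozenset({"a1a"}),
         srchosts=frozenset({"foo"}), hosts=frozenset({"baz"}), services=ALL),
    Rule("new-rule", enabled=False, users=frozenset({"a1a"}),
         srchosts=ALL, hosts=ALL, services=ALL),
    Rule("test2"),  # enabled but no components defined: the review's case
]


def report(result):
    """Render a result in the plugin's output style."""
    lines = ["-" * 20, "Access granted: %s" % result["granted"], "-" * 20]
    for key in ("passed", "denied", "error"):
        if result.get(key):
            lines.append("%s rules: %s" % (key.capitalize(), ", ".join(result[key])))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(hbactest(RULES, "a1a", "foo", "bar", "ssh", validate=True)))
    print(report(hbactest(RULES, "admin", "panther", "puma", "login",
                          explicit=["test2"], validate=True)))
```

Without --validate the toy still grants through allow_all when test2 is the only named rule, which is the behaviour Rob found confusing; drop allow_all from the set and the incomplete rule alone grants nothing, which is the outcome he expected.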
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel