On 07/26/2011 06:36 AM, Alexander Bokovoy wrote:
> On 26.07.2011 06:23, Alexander Bokovoy wrote:
>> I'll send updated patch proposal today.
> Here is new patch.
>
> $ ipa hbactest --help
> Usage: ipa [global-options] hbactest [options]
>
> Options:
>   -h, --help     show this help message and exit
>   --user=STR     User name
>   --srchost=STR  Source host
>   --host=STR     Target host
>   --service=STR  Service
>   --rules=LIST   Rules to test. If not specified, --enabled is assumed
>   --detail       Show which rules are passed, denied, or invalid
>   --enabled      Include all enabled IPA rules into test [default]
>   --disabled     Include all disabled IPA rules into test
>
> The following modes are implemented by the plugin. Given (user, source host,
> target host, service), attempt to log in the user coming from the source host to
> the target host's service:
>
> 1. Use all enabled HBAC rules in IPA database to simulate:
> $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
> --------------------
> Access granted: True
> --------------------
>
> 2. Show detailed summary of how rules were applied:
> $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail
> --------------------
> Access granted: True
> --------------------
> denied: my-second-rule, my-third-rule, myrule
> passed: allow_all
>
> 3. Test explicitly specified HBAC rules:
> $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
>       --detail --rules=my-second-rule,myrule
> ---------------------
> Access granted: False
> ---------------------
> denied: my-second-rule, myrule
>
> 4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
> $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
>       --detail --rules=my-second-rule,myrule --enabled
> --------------------
> Access granted: True
> --------------------
> denied: my-second-rule, my-third-rule, myrule
> passed: allow_all
>
> 5. Test all disabled HBAC rules in IPA database:
> $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
>       --detail --disabled
> ---------------------
> Access granted: False
> ---------------------
> denied: new-rule
>
> 6. Test all disabled HBAC rules in IPA database + explicitly specified
> rules:
> $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
>       --detail --rules=my-second-rule,myrule --disabled
> ---------------------
> Access granted: False
> ---------------------
> denied: my-second-rule, myrule, new-rule
>
> 7. Test all (enabled and disabled) HBAC rules in IPA database:
> $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
>       --detail --enabled --disabled
> --------------------
> Access granted: True
> --------------------
> denied: my-second-rule, my-third-rule, myrule, new-rule
> passed: allow_all
>
The tests imply that there are deny rules. We removed them, so very soon there will be no deny rules.
Should the results of the test show something like:

------------------------------
Access granted : True
------------------------------
Granted by:
------------------------------
X
Y
Z

Or

------------------------------
Access granted : False
------------------------------
Access not granted by any allow rule
------------------------------
(I do not think you have a test for this case...)

Or (for backward compatibility)

------------------------------
Access granted : False
------------------------------
Granted by:
------------------------------
X
Y
Z
------------------------------
Denied by:
------------------------------
A
B
C

This format seems to be more scriptable. You do not need to deal with escaping commas if they are used in the name of the rule. But I do not insist - this is just an example of potential output.

Rob, Martin, do you have any comments, suggestions?

> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
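The rule selection and evaluation behind the seven hbactest modes quoted above, plus the one-rule-per-line report format proposed in the reply, as an added Python model that is not FreeIPA's code. The rule contents (users, hosts, services) are constructed so that the quoted results are reproduced; the thread itself does not show the real rule definitions.

```python
"""Added model of how `ipa hbactest` selects and evaluates HBAC rules (not FreeIPA code)."""
from dataclasses import dataclass
ALL = "all"  # models an HBAC rule category set to "all"

@dataclass
class Rule:
    name: str
    enabled: bool
    users: set       # {ALL} or user names
    srchosts: set    # {ALL} or source host names
    hosts: set       # {ALL} or target host names
    services: set    # {ALL} or service names

    def matches(self, user, srchost, host, service):
        """An allow rule passes only if every one of its four components accepts the request."""
        checks = ((self.users, user), (self.srchosts, srchost), (self.hosts, host), (self.services, service))
        return all(ALL in allowed or value in allowed for allowed, value in checks)

def select_rules(rules, explicit=(), enabled=False, disabled=False):
    """--rules picks names, --enabled/--disabled add whole classes; no flag at all means --enabled."""
    if not explicit and not enabled and not disabled:
        enabled = True
    by_name = {r.name: r for r in rules}
    chosen = {n: by_name[n] for n in explicit}  # KeyError for an unknown rule name
    chosen.update((r.name, r) for r in rules if (enabled and r.enabled) or (disabled and not r.enabled))
    return [chosen[n] for n in sorted(chosen)]

def hbactest(rules, user, srchost, host, service, explicit=(), enabled=False, disabled=False):
    """Access is granted if at least one selected rule matches; 'denied' lists the rules that did not."""
    passed, denied = [], []
    for rule in select_rules(rules, explicit, enabled, disabled):
        (passed if rule.matches(user, srchost, host, service) else denied).append(rule.name)
    return {"granted": bool(passed), "passed": passed, "denied": denied}

def report(result):
    """One rule name per line, so names that contain commas need no escaping to be parsed."""
    lines = [f"Access granted: {result['granted']}"]
    lines += ["Granted by:", *result["passed"]] if result["passed"] else ["Access not granted by any allow rule"]
    if result["denied"]:
        lines += ["Denied by:", *result["denied"]]
    return "\n".join(lines)

# Constructed rule set, chosen to reproduce the outputs quoted above (the thread does not show the real rules).
RULES = [
    Rule("allow_all", True, {ALL}, {ALL}, {ALL}, {ALL}),
    Rule("myrule", True, {"admin"}, {"foo"}, {"bar"}, {"ssh"}),
    Rule("my-second-rule", True, {"a1a"}, {"foo"}, {"baz"}, {"ssh"}),
    Rule("my-third-rule", True, {"a1a"}, {"foo"}, {"bar"}, {"login"}),
    Rule("new-rule", False, {"b2b"}, {"foo"}, {"bar"}, {"ssh"}),
]
```

Calling `hbactest(RULES, "a1a", "foo", "bar", "ssh", disabled=True)` corresponds to mode 5 and yields only `new-rule` in the denied list; `report()` renders that result without any comma-separated fields.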