On 08/05/2015 02:39 PM, Florian Crouzat wrote:
> On 08/05/2015 02:32 PM, Martin Kosek wrote:
>> On 08/05/2015 12:53 PM, Tomas Babej wrote:
>>>
>>>
>>> On 08/04/2015 03:13 PM, Florian Crouzat wrote:
>>>> Hey,
>>>>
>>>> For security reasons (mostly PCI-DSS) I have to print and sign off an access
>>>> form for every user, and also to maintain these forms over time,
>>>> which means that every time I add a host to a hostgroup, for example, I
>>>> should reprint all access forms for users with access to this
>>>> hostgroup...
>>>>
>>>> I was wondering if it was possible to develop a feature that would allow
>>>> one to select a user(s) from the GUI and generate a csv/pdf/whatever file
>>>> with all direct and indirect memberships/access for HBAC, groups and
>>>> sudo rules for the selected user(s).
>>>>
>>>> Maybe a first step would be to script something around ipa CLI commands
>>>> (not sure if it is possible to dig into HBAC and groups from the CLI though).
>>>>
>>>> What are your thoughts on such a need? Am I the only one wanting to export
>>>> my users' privileges directly from the software managing these privileges?
>>>>
>>>> Regards,
>>>> Florian
>>>>
>>>
>>> I'd recommend building a script to generate such a report, I'm not
>>> really sure it's a feature that would fit directly into the core at this
>>> state.
>>>
>>> You can access IPA's API directly using Python, which can be leveraged
>>> to generate a report using a suitable Python library, such as reportlab.
>>>
>>> Using the API you will get access to all the information available to
>>> you via the ipa command line tool.
>>>
>>> Examples of using the Python API are available on the net, for example
>>> here's one user's submission which landed on the list some time ago:
>>>
>>> https://github.com/firemanxbr/freeipa-tools/blob/master/freeipa.py
>>>
>>> The API can be easily inspected in 4.2 using our new API browser:
>>>
>>> https://fedorahosted.org/freeipa/ticket/3129
>>>
>>> If you're on an older release, adding the -vv flag to any ipa command will do
>>> the job as well.
>>>
>>> HTH,
>>>
>>> Tomas
>>>
>>
>> "ipa user-show USER --all" should show the user and all group memberships,
>> including special roles or permissions in the RBAC.
>>
>> I am not sure about finding the respective HBAC or SUDO rules; hbac-find or
>> sudorule-find does not offer searching by user. I am afraid that for current
>> versions, raw "ldapsearch" would need to be used.
>>
>
> I wrote a shell script (bash+awk) that "does the job" by using "ipa
> user-show FOO" and looping over each hbac (ipa hbacrule-show), sudo (ipa
> sudorule-show), and group (ipa group-show) ... But it's ugly and really
> dependent on the output of these commands.

Right, this is not ideal and you may hit speed problems when you have hundreds
of SUDO or HBAC rules. So as I said, it may be better to do "ldapsearch" with a
proper filter to find out all SUDO/HBAC rules for a given user, get the name of
each such rule and then show it with the "show" command if needed.

> As Tomas said, there is an API and I could probably do it from python
> but I'm no dev so I'll stick with my poor man's script for the moment...
>
> I was just hoping that this need would meet other people's needs and
> hopefully justify the addition of a button in the GUI to export all
> this information automagically... But I know it's a lot to ask, and
> definitely not the top priority.
>
> Florian
>

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
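A worked version of the "ldapsearch with a proper filter" approach Martin describes, turned into the per-user CSV report Florian asked for. This is an added example, not code from the thread or from the FreeIPA project. It assumes a constructed suffix dc=example,dc=test, the standard FreeIPA rule containers (cn=hbac and cn=sudorules,cn=sudo under the suffix) and the rule attributes memberUser, userCategory, memberHost and ipaEnabledFlag; the user's group DNs are taken from the memberOf values on the user entry (what "ipa user-show USER --all" reports as group membership). Instead of a live directory it parses a constructed LDIF sample, so it runs offline; the ldapsearch command is built as an argument list but not executed, and the tiny LDIF parser does not handle base64 (::) values.

```python
import csv
import io

# Constructed deployment suffix and the FreeIPA containers the rules live in.
BASE_DN = "dc=example,dc=test"
HBAC_BASE = f"cn=hbac,{BASE_DN}"
SUDO_BASE = f"cn=sudorules,cn=sudo,{BASE_DN}"


def user_dn(uid):
    return f"uid={uid},cn=users,cn=accounts,{BASE_DN}"


def rule_filter(uid, group_dns, objectclass):
    """One search instead of N show commands: match rules that name the user
    directly, name one of the user's groups, or apply to all users."""
    clauses = [f"(memberUser={user_dn(uid)})"]
    clauses += [f"(memberUser={g})" for g in group_dns]
    clauses.append("(userCategory=all)")
    return f"(&(objectClass={objectclass})(|{''.join(clauses)}))"


def ldapsearch_argv(base, ldap_filter):
    """Command line to run with a Kerberos ticket; only built here, not executed."""
    return ["ldapsearch", "-Y", "GSSAPI", "-LLL", "-b", base, ldap_filter,
            "cn", "memberUser", "memberHost", "userCategory", "hostCategory",
            "ipaEnabledFlag"]


def parse_ldif(text):
    """Minimal LDIF parser: list of {attr: [values]} with attribute names
    lowercased (LDAP attribute names are case-insensitive). Continuation
    lines (leading space) are unfolded; base64 '::' values are not handled."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def rules_for_user(entries, uid, group_dns):
    """For every HBAC/sudo rule that reaches the user, record *why* it does:
    direct membership, which group, or userCategory=all. That 'via' column is
    what an access sign-off form needs (direct vs. indirect access)."""
    me = user_dn(uid).lower()
    groups = {g.lower(): g.split(",")[0].split("=")[1] for g in group_dns}
    rows = []
    for e in entries:
        ocs = {oc.lower() for oc in e.get("objectclass", [])}
        kind = "HBAC" if "ipahbacrule" in ocs else "sudo" if "ipasudorule" in ocs else None
        if kind is None:
            continue
        members = [m.lower() for m in e.get("memberuser", [])]
        via = None
        if me in members:
            via = "direct"
        elif any(m in groups for m in members):
            via = "group:" + ",".join(groups[m] for m in members if m in groups)
        elif "all" in [c.lower() for c in e.get("usercategory", [])]:
            via = "userCategory=all"
        if via:
            hosts = ";".join(e.get("memberhost", []))
            if not hosts and "all" in [c.lower() for c in e.get("hostcategory", [])]:
                hosts = "hostCategory=all"
            rows.append({"user": uid, "type": kind, "rule": e["cn"][0], "via": via,
                         "enabled": e.get("ipaenabledflag", ["TRUE"])[0], "hosts": hosts})
    return rows


def to_csv(rows):
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["user", "type", "rule", "via", "enabled", "hosts"])
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


# Constructed sample of what the two ldapsearch calls would return.
SAMPLE_LDIF = f"""\
dn: ipaUniqueID=11111111-aaaa-bbbb-cccc-000000000001,{HBAC_BASE}
objectClass: ipahbacrule
cn: sysadmins_ssh_webservers
ipaEnabledFlag: TRUE
memberUser: cn=sysadmins,cn=groups,cn=accounts,{BASE_DN}
memberHost: cn=webservers,cn=hostgroups,cn=accounts,{BASE_DN}

dn: ipaUniqueID=11111111-aaaa-bbbb-cccc-000000000002,{HBAC_BASE}
objectClass: ipahbacrule
cn: allow_all
ipaEnabledFlag: FALSE
userCategory: all
hostCategory: all

dn: ipaUniqueID=11111111-aaaa-bbbb-cccc-000000000003,{SUDO_BASE}
objectClass: ipasudorule
cn: florian_restart_httpd
ipaEnabledFlag: TRUE
memberUser: uid=florian,cn=users,cn=accounts,{BASE_DN}
memberHost: fqdn=web1.example.test,cn=computers,cn=accounts,{BASE_DN}

dn: ipaUniqueID=11111111-aaaa-bbbb-cccc-000000000004,{SUDO_BASE}
objectClass: ipasudorule
cn: dba_only
ipaEnabledFlag: TRUE
memberUser: cn=dbas,cn=groups,cn=accounts,{BASE_DN}
"""

FLORIAN_GROUPS = [f"cn=sysadmins,cn=groups,cn=accounts,{BASE_DN}"]  # from memberOf

if __name__ == "__main__":
    print(" ".join(ldapsearch_argv(HBAC_BASE, rule_filter("florian", FLORIAN_GROUPS, "ipaHBACRule"))))
    print(to_csv(rules_for_user(parse_ldif(SAMPLE_LDIF), "florian", FLORIAN_GROUPS)))
```

Two things the report deliberately keeps that a plain rule listing would drop: the `enabled` column, so a disabled catch-all rule such as allow_all is visible on the form without being mistaken for live access, and the `via` column, which is the direct/indirect distinction needed when a hostgroup or group change triggers a reprint. Filtering by the user's memberOf groups only covers one level of nesting as exported here; for nested groups the memberOf plugin already flattens membership on the user entry, so feeding all of its memberOf values into rule_filter is enough.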
