We would like to have the possibility to give certain AD users temporary HBAC and sudo permissions.

My first idea looks something like this:

   import time
   import uuid

   # client: an authenticated python_freeipa ClientMeta session (assumed)
   grantTime = 3600
   groupName = "0_temp_permissions_" + str(uuid.uuid4())
   hbacName = groupName
   sudoRuleName = groupName
   externalGroupName = groupName + "_external"

   # The external group holds the AD user; a POSIX group wraps it so rules can reference it
   client.group_add(externalGroupName, o_description="TestDesc", o_external=True)
   client.group_add_member(externalGroupName, o_ipaexternalmember="[email protected]")
   client.group_add(groupName, o_description="TestDesc", o_external=False)
   client.group_add_member(groupName, o_group=externalGroupName)

   # HBAC rule: let the group use sshd and sudo on the host
   client.hbacrule_add(hbacName)
   client.hbacrule_add_user(hbacName, o_group=groupName)
   client.hbacrule_add_host(hbacName, o_host="someipahost.mydomain.at")
   client.hbacrule_add_service(hbacName, o_hbacsvc="sshd")
   client.hbacrule_add_service(hbacName, o_hbacsvc="sudo")
   client.hbacrule_add_service(hbacName, o_hbacsvc="sudo-i")
   #client.hbacrule_add_host(hbacName, o_hostgroup="somegroupname")

   # Sudo rule: all commands on the host, without a password prompt
   client.sudorule_add(sudoRuleName, o_cmdcategory="all")
   client.sudorule_add_host(sudoRuleName, o_host="someipahost.mydomain.at")
   client.sudorule_add_user(sudoRuleName, o_group=groupName)
   client.sudorule_add_option(sudoRuleName, o_ipasudoopt='!authenticate')
   #client.sudorule_add_host(sudoRuleName, o_hostgroup="somehostgroupname")

   time.sleep(grantTime)

   # Revoke: remove the rules first, then the groups they referenced
   client.sudorule_del(sudoRuleName)
   client.hbacrule_del(hbacName)
   client.group_del(groupName)
   client.group_del(externalGroupName)

Today I thought maybe there are other IPA users out there who would need such a solution.

What do the IPA devs think about such an extension?

Cheers,
Ronald
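A sleeping script is a single point of failure: if it dies before the `*_del` calls, the grant never expires. The following is an added example, not code from the post or from FreeIPA, showing the same cleanup as an idempotent reaper that reads the expiry from the group description instead. It assumes a python_freeipa ClientMeta-style client whose `group_find` accepts a criteria string and `o_sizelimit`, whose `*_del` calls raise `python_freeipa.exceptions.NotFound`, and which returns the raw JSON-RPC result shape; `FakeClient` is a constructed stand-in so the block runs offline.

```python
import re

try:  # the real client raises this; a stand-in keeps the example runnable offline
    from python_freeipa.exceptions import NotFound
except ImportError:
    class NotFound(Exception):
        pass

PREFIX = "0_temp_permissions_"
EXPIRY_RE = re.compile(r"\bexpires=(\d+)\b")

def grant_description(grant_seconds, now):
    # The expiry lives server-side in the group description, not in a sleeping process
    return f"temporary grant; expires={int(now) + grant_seconds}"

def is_expired(description, now):
    m = EXPIRY_RE.search(description or "")
    return bool(m) and int(m.group(1)) <= now  # no marker: keep the group, never guess

def _quiet(call, name):
    try:
        call(name)
    except NotFound:
        pass  # already gone: a re-run after a crash must not stop half-way

def revoke_expired(client, now):
    """Idempotent reaper: run from cron with now=time.time(); returns revoked names."""
    revoked = []
    for grp in client.group_find(PREFIX, o_sizelimit=0)["result"]:
        name = grp["cn"][0]
        if name.endswith("_external"):
            continue  # removed together with its inner group below
        if not is_expired((grp.get("description") or [""])[0], now):
            continue
        _quiet(client.sudorule_del, name)  # rules first: they are what grants access
        _quiet(client.hbacrule_del, name)
        _quiet(client.group_del, name)
        _quiet(client.group_del, name + "_external")
        revoked.append(name)
    return revoked

class FakeClient:  # in-memory stand-in for the IPA client, constructed for offline runs
    def __init__(self, groups):
        self.groups = dict(groups)  # cn -> description
    def group_find(self, criteria, **_):
        return {"result": [{"cn": [n], "description": [d]} for n, d in self.groups.items() if criteria in n]}
    def group_del(self, name):
        if self.groups.pop(name, None) is None:
            raise NotFound()
    sudorule_del = hbacrule_del = lambda self, name: None  # rules are not modelled here
```

Creating a grant then means writing `grant_description(grantTime, time.time())` into the group's `o_description` and exiting; the reaper handles revocation even if the granting host reboots.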
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue