On ti, 20 joulu 2022, Ranbir via FreeIPA-users wrote:
On Tue, 2022-12-20 at 13:08 +1000, Fraser Tweedale via FreeIPA-users
wrote:
I don't see a way around it. But I could be overlooking something.
That's exactly what I was thinking.
It would be nice if you could associate workstations (hosts) to
users directly, then automatically generate/infer HBAC and sudo
rules (subject to domain-wide policy settings). Is it a known RFE?
I haven't searched. Should I create one and if so, where?
FreeIPA does not provide generation capabilities in itself. These things
are specific to individual deployments and their logic is impossible to
automate in a generic way without exposing some kind of a general
purpose language to express it. So we aren't going to implement this
when all you can do is to use ansible-freeipa to define your logic and
actions already.
Either on the host page or for the user where you could select the user
or workstation accordingly to auto create a sudo rule to give the user
admin privilege. I don't think we'd need to see the workstation sudo
rule in the web interface (since it could be a massive list). Just the
switch for it whatever to show that it's enabled would be enough.
For now, we'll have to use a combination of an HBAC rule and a local
sudo rule or create individual sudo rules per user/workstation.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
