On 02/04/2014 05:11 AM, Les Stott wrote:
> Hi,
> 
> Running freeipa 3.0.0-37.el6 on rhel 6.4 and just had a query about HBAC 
> rules and how the global allow_all rule applies.
> 
> I configured a rule for a single host (host1) allowing access via ssh to only 
> a single user (john) via ssh. i.e.
> 
> # ipa hbacrule-show host1_access
>   Rule name: host1_access
>   Description: Only john can access host1
>   Enabled: TRUE
>   Users: john
>   Hosts: host1.domain.com
>   Services: sshd
> 
> When I run the hbac test against the rule, checking another user jane, it 
> works as expected to deny access to jane. But if I include the allow_all rule 
> in the test jane is granted access and can login. I also proved this by 
> actually using ssh to login.
> 
> If I access the host "host1" and remove allow_all from its defined HBAC rules 
> in the web ui, jane can still access host1 via ssh (actually tested login). 
> In the end, for the rule to work as expected (jane to be disallowed access to 
> host1), I've had to modify the allow_all HBAC rule and set it to apply to all 
> hosts except host1.
> 
> # ipa hbacrule-show allow_all
>   Rule name: allow_all
>   User category: all
>   <sourcehostcategory>: all
>   Service category: all
>   Description: Allow all users to access any host from any host
>   Enabled: TRUE
>   Hosts: host2.domain.com, host3.domain.com, host4.domain.com
> 
> Is this how its supposed to be? Or is it a bug in this older version?
> I would have thought that if the host didn't have the hbac rule allow_all 
> applied to it, just the restrictive host1_access rule, that allow_all 
> wouldn't apply.
> 
> Thanks,
> 
> Les


Hello Les,

I am not aware of any recent bugs in HBAC, this is likely a configuration
issue. This is how the default HBAC allow_all looks like:

# ipa hbacrule-show allow_all
  Rule name: allow_all
  User category: all
  Host category: all    <----
  <sourcehostcategory>: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: TRUE


"Host category: all" means that the rule is effective for all hosts. By
selectively specifying the hosts, you disabled this selector. Does it help?

Martin

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to