Christina,
the easiest way to handle your situation is to create a new group for
allowed hosts, add all current hosts then remove the 10 you care about.
Finally set up an auto-membership rule so all new hosts are
automatically added to that group.
You will have to monitor/remove any new "special" server you may add,
but this will work to obtain your "negate" rule in an easily
maintainable way.
HTH,
Simo.
On Mon, 2019-07-29 at 11:31 -0400, Rob Crittenden via FreeIPA-users
wrote:
Christian Reiss via FreeIPA-users wrote:
> Hey,
>
> I take it this is not possible and no one does this?
It is not possible. HBAC only provides allow rules.
rob
>
> -Chris.
>
> On 26/07/2019 17:00, Christian Reiss via FreeIPA-users wrote:
> > Hey folks,
> >
> > We are running a lot of servers; we nearly exhausted and allocated our
> > /29 ipv6 allocation*.
> >
> > Let's say we have 10 really, really important servers that only a
> > handful of people should be able to access. Everyone else not.
> >
> > So I have a fixed group of known "critical servers" and a dynamic, ever
> > changing group of "the rest". As I have not yet found a "negate" option
> > what is the smartest way to allow a fixed group to a fixed set of
> > servers, while everyone else has access to everything else but this?
> >
> >
> > Thanks and have a great weekend folks!
> > -Chris.
> >
> > * Alternate facts disclaimer: The given number has been optimized to
> > impress, bedazzle and to intimidate. The real number of hosts might be
> > substantially smaller.
> >
> >
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> > Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
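Below is an added example (not from this thread, and not FreeIPA project code) that scripts Simo's approach with the `ipa` CLI. It goes slightly beyond the steps described above: instead of adding every host to the "rest" group and then removing the critical ones by hand, it gives the automember rule an inclusive `.*` condition on `fqdn` plus one exclusive condition per critical host, so the critical hosts are never auto-added (also on a later `automember-rebuild`), and it adds the two HBAC allow rules and disables the default `allow_all` rule, since HBAC has no deny rules. All names (the host groups, the `critical-admins` user group, the HBAC rule names, the example FQDNs) are assumptions to adapt to your realm.

```shell
#!/bin/sh
# Added example, not from the thread: builds the "negate by construction"
# HBAC setup with the FreeIPA CLI. Every name below (host group names, the
# critical-admins user group, the HBAC rule names, example FQDNs) is an
# assumption; adjust to your realm.
set -eu

CRITICAL_HG="critical-servers"      # fixed group of restricted hosts (assumed name)
GENERAL_HG="general-servers"        # "everything else", auto-populated (assumed name)
CRITICAL_ADMINS="critical-admins"   # user group allowed on critical hosts (assumed name)
: "${DRY_RUN:=1}"                   # 1 = print the ipa commands, 0 = execute them

# Execute a command, or print it when DRY_RUN=1 so the plan can be reviewed first.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Anchored regex matching exactly one FQDN (dots escaped), for automember conditions.
fqdn_regex() {
    printf '^%s$\n' "$(printf '%s' "$1" | sed 's/\./\\./g')"
}

# Arguments: the FQDNs of the critical hosts.
setup_negate_rule() {
    # 1. The "rest" group: an inclusive rule matches every host by fqdn ...
    run ipa hostgroup-add "$GENERAL_HG" --desc="All hosts except the critical ones"
    run ipa automember-add --type=hostgroup "$GENERAL_HG"
    run ipa automember-add-condition --type=hostgroup --key=fqdn --inclusive-regex='.*' "$GENERAL_HG"

    # 2. ... while each critical host gets an exclusive condition, so it is never
    #    auto-added (exclusive conditions take precedence over inclusive ones).
    #    This replaces the manual "add all, then remove the 10" step.
    run ipa hostgroup-add "$CRITICAL_HG" --desc="Restricted hosts"
    for h in "$@"; do
        run ipa hostgroup-add-member "$CRITICAL_HG" --hosts="$h"
        run ipa automember-add-condition --type=hostgroup --key=fqdn \
            --exclusive-regex="$(fqdn_regex "$h")" "$GENERAL_HG"
    done

    # 3. Automember only fires for newly created hosts; rebuild to enrol existing ones.
    run ipa automember-rebuild --type=hostgroup

    # 4. HBAC is allow-only: disable the default allow_all rule and add two allow rules.
    run ipa hbacrule-disable allow_all
    run ipa hbacrule-add allow_general --usercat=all --servicecat=all
    run ipa hbacrule-add-host allow_general --hostgroups="$GENERAL_HG"
    run ipa hbacrule-add allow_critical --servicecat=all
    run ipa hbacrule-add-host allow_critical --hostgroups="$CRITICAL_HG"
    run ipa hbacrule-add-user allow_critical --groups="$CRITICAL_ADMINS"
}

# Check the outcome the way FreeIPA evaluates it: a user outside the
# critical-admins group should be denied on a critical host.
verify_access() {   # verify_access <user> <host-fqdn> [service]
    run ipa hbactest --user="$1" --host="$2" --service="${3:-sshd}"
}

# Usage: DRY_RUN=1 sh negate-hbac.sh --setup db1.example.com db2.example.com
if [ "${1:-}" = "--setup" ]; then
    shift
    setup_negate_rule "$@"
fi
```

Run it once with `DRY_RUN=1` to review the generated commands, then with `DRY_RUN=0` to apply them, and use `verify_access` (or `ipa hbactest` directly) for a regular user against one of the critical hosts and one ordinary host to confirm the split. New "special" hosts still need a manual step: add them to the critical group and add their exclusive condition to the automember rule, as Simo notes.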