On Tue, 07 Jul 2020, Saurabh Garg via FreeIPA-users wrote:
> Hi All,
> We have a requirement where we need to give a user access to stop and
> start a service like tomcat8 without giving sudo access on that
> machine.
> I tried adding tomcat8 service (running on an ubuntu host) on the Idm
> server using "ipa service-add" command. Later, when I tried creating a
> hbac policy to provide access to a user on that service, it doesn't
> show up. Is there any other way of providing service level access to a
> user on Redhat IdM?
Your first mistake is mixing Kerberos services and HBAC services.
An HBAC service is the name of a PAM service configuration file, /etc/pam.d/<name>.
HBAC rules define access to an application that uses a specific PAM
service <name> to identify itself when using the PAM stack.
A Kerberos service is completely unrelated to that.
Now, from what you described, you want to allow a user to run
systemctl start|stop|status tomcat8.service
without the user being root. Could you please confirm this?
The interaction between an unprivileged user and systemd requires raising
privileges. systemd uses polkit for this purpose, and the whole collection of
enabled polkit rules is consulted. If I try to run
    systemctl stop sssd
as a non-privileged user, I can see an authorization dialog popping up on
my screen and the following in the journal when I cancel the dialog:
polkitd[955]: Operator of unix-session:2 FAILED to authenticate to gain authorization for
action org.freedesktop.systemd1.manage-units for system-bus-name::1.2077 [systemctl stop
sssd] (owned by unix-user:<username>)
The request is evaluated by polkit rules and this is where you can
affect the decision. For example, like these people did it:
https://unix.stackexchange.com/questions/595207/polkit-rule-for-systemd-t...
Quite a few years ago a similar rule was created by Adam Williamson in
his blog:
https://www.happyassassin.net/posts/2014/09/09/freeipa-setting-polkit-pol...
Note the difference: Adam's blog uses addAdminRule() while the
stackexchange answer uses addRule(). Both are described here:
https://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html
and they have different return values.
If you look at the polkit documentation, it has a few examples. One
example shows that the 'subject' argument to the function defined in
addRule() is an object with a number of methods. One method it has is
inGroup(). This method checks whether a specific user belongs to the POSIX
group with that name.
So you can combine this information by checking for a service name
and a POSIX group this user belongs to. For example:
    polkit.addRule(function(action, subject) {
        // Only systemd's "manage units" action is of interest here
        if (action.id == "org.freedesktop.systemd1.manage-units" &&
            // "unit" is the unit name systemd reports in the action details;
            // this pattern matches template instances such as tomcat8@foo.service
            // (the dot is escaped so that it only matches a literal ".service")
            RegExp('tomcat8@[A-Za-z0-9_-]+\\.service').test(action.lookup("unit")) === true &&
            // and the calling user must be a member of this POSIX group
            subject.inGroup("tomcat-admins")) {
            return polkit.Result.YES;
        }
    });
Sadly, there is no way to directly use HBAC rules for this, save for
using the 'polkit.spawn()' method and running some helper that would do PAM
authorization.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
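Editor's addition, not part of the thread above and not polkit's or FreeIPA's code: a small Node.js harness that models just enough of the polkit JavaScript rule API (addRule(), addAdminRule(), polkit.Result, action.lookup(), subject.inGroup()) to exercise a rule like the one in the reply offline. The rule it loads is my tightened variant of the thread's rule: anchored, with the dot escaped, accepting both tomcat8.service and tomcat8@<instance>.service, and limiting the systemd "verb" detail (assumed here to be set by systemd alongside "unit") to start/stop/restart. The group name tomcat-admins comes from the thread; the "unix-group:wheel" fallback for admin identities and all users, groups and unit names are constructed for the demo. It also keeps the thread's original pattern alongside, to show that as written it never matches plain tomcat8.service and, being unanchored, matches any unit name that merely contains the text.

```javascript
"use strict";
// Stand-in for the polkit JavaScript rule API, constructed for this note so a
// rule can be exercised offline with Node. This is NOT polkitd: the real daemon
// builds `action` and `subject` from D-Bus and loads rule files from
// /etc/polkit-1/rules.d/. Only the parts the rule touches are modelled.
const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: null, AUTH_ADMIN: "auth_admin" },
  _rules: [],
  _adminRules: [],
  addRule(fn) { this._rules.push(fn); },
  addAdminRule(fn) { this._adminRules.push(fn); },
};

// polkit(8) semantics: addRule() callbacks run in order and the first non-null
// return decides; addAdminRule() callbacks instead return an array of identities
// allowed to authenticate as an administrator (the different return type the thread notes).
function evaluate(action, subject) {
  for (const rule of polkit._rules) {
    const r = rule(action, subject);
    if (r !== null && r !== undefined) return r;
  }
  return polkit.Result.NOT_HANDLED; // nothing matched: the action's default applies
}
function adminIdentities(action, subject) {
  for (const rule of polkit._adminRules) {
    const ids = rule(action, subject);
    if (ids !== null && ids !== undefined) return ids;
  }
  return ["unix-group:wheel"]; // constructed fallback; the real default is distro-specific
}

// Constructed stand-ins for the objects polkitd hands to a rule.
function makeAction(id, details) {
  return { id, lookup: (key) => (details[key] === undefined ? null : details[key]) };
}
function makeSubject(user, groups) {
  return { user, inGroup: (g) => groups.includes(g) };
}

// Tightened variant of the thread's rule (mine, not the original):
//  - anchored and dot escaped, so only the intended unit names match;
//  - plain tomcat8.service accepted as well as tomcat8@<instance>.service;
//  - the "verb" detail (assumed set by systemd next to "unit") limited to a whitelist.
const UNIT_RE = /^tomcat8(@[A-Za-z0-9_-]+)?\.service$/;
const ALLOWED_VERBS = new Set(["start", "stop", "restart"]);

polkit.addRule(function (action, subject) {
  if (action.id !== "org.freedesktop.systemd1.manage-units") return null;
  const unit = action.lookup("unit");
  const verb = action.lookup("verb");
  if (unit !== null && UNIT_RE.test(unit) &&
      (verb === null || ALLOWED_VERBS.has(verb)) &&
      subject.inGroup("tomcat-admins")) {
    return polkit.Result.YES;
  }
  return null; // leave other units/verbs to the remaining rules and the default
});

// Admin rule in the style of the blog post the thread cites: members of
// tomcat-admins may satisfy an auth_admin prompt for manage-units.
polkit.addAdminRule(function (action, subject) {
  if (action.id === "org.freedesktop.systemd1.manage-units") {
    return ["unix-group:tomcat-admins"];
  }
  return null;
});

// What would this engine answer for the given user, unit and verb?
function decide(user, groups, unit, verb) {
  const action = makeAction("org.freedesktop.systemd1.manage-units", { unit, verb });
  return evaluate(action, makeSubject(user, groups));
}

// The thread's pattern as posted (archive "(a)" read as "@"): unanchored and
// with an unescaped dot, so it over-matches and never matches plain tomcat8.service.
function threadPatternMatches(unit) {
  return RegExp("tomcat8@[A-Za-z0-9_-]+.service").test(unit);
}

// Constructed sample requests; returns one line per decision.
function demo() {
  return [
    ["alice", ["tomcat-admins"], "tomcat8.service", "stop"],
    ["alice", ["tomcat-admins"], "tomcat8@prod.service", "restart"],
    ["alice", ["tomcat-admins"], "tomcat8evil.service", "stop"],
    ["bob", ["users"], "tomcat8.service", "stop"],
  ].map(([u, g, unit, verb]) => `${u} ${verb} ${unit}: ${decide(u, g, unit, verb)}`);
}
console.log(demo().join("\n"));
```

The harness is only a model of rule evaluation; to try a rule for real, drop it into /etc/polkit-1/rules.d/ and watch the journal for polkitd decisions as in the log excerpt above. The anchored pattern matters because an unanchored RegExp lets membership in tomcat-admins also cover any other unit whose name happens to contain the text.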