On Mon, Oct 30, 2017 at 11:12:18AM +0100, Pavel Březina wrote:
> On 10/24/2017 05:36 PM, Jakub Hrozek wrote:
>> Hi,
>>
>> below is a short design page about a new sssctl command that prints the
>> IPA HBAC rules cached on an IPA client. If there are no comments, I'll
>> open a PR against the docs repository.
>>
>> Generate an access control report for IPA domains
>> =================================================
>>
>> Related ticket(s):
>> ------------------
>>
>> https://pagure.io/SSSD/sssd/issue/2840
>>
>> Problem statement
>> -----------------
>> Some environments require, for auditing reasons, that an access control
>> report be generated on the IPA client itself. While it can be argued that
>> generating these reports on the IPA servers instead would provide a nicer
>> experience, the audit requirements sometimes need a tool to be run on the
>> host.
>>
>> Use cases
>> ---------
>> As an owner of an IPA client I need to know which users have access to
>> this client. I want to run a tool on the host and get a report on who can
>> access it.
>>
>> The reports must contain information about HBAC rules. In the future, SUDO
>> rules would be nice to have as well.
>>
>> Overview of the solution
>> ------------------------
>> A new ``sssctl`` command called ``access-report`` will be added. This
>> command will only be implemented for IPA domains for now; other domain
>> types will just return an error.
>>
>> The command will first trigger a PAM access control call to force a
>> refresh of the rules and subsequently print all HBAC rule objects from
>> the cache.
>>
>> Configuration changes
>> ---------------------
>> None, only the new tool will be implemented.
>>
>> Implementation details
>> ----------------------
>> In order to trigger the refresh of rules by ``sssd_be`` process, the tool
>> will call ``pam_acct_mgmt(3)``. The ``user`` and ``service`` that are used in
>> that call will have sensible defaults (e.g. ``admin`` and ``system-auth``)
>> but the tool will also offer command-line switches to override both.
>> In addition, the tool will have a switch to operate purely from cache.
>
> I am a little confused here. Is the command also supposed to perform an access
> check and print that user admin is allowed to access the system-auth service?
No, but it runs a 'dummy' access check to request a refresh of all the rules.
And do you think it is a good idea to also print the result of the user's
access check? Otherwise it would be better to provide a new dbus method to
only fetch HBAC rules so that the user information is not necessary for the
command to work.
>
> Or is it only supposed to print all HBAC rules?
Yes.
_______________________________________________
sssd-devel mailing list -- sssd-devel(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-leave(a)lists.fedorahosted.org
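The "dummy" access check discussed above, written out as an added example (this is not SSSD or sssctl code): a small program that issues the ``pam_acct_mgmt(3)`` call with the design page's defaults (``service`` ``system-auth``, ``user`` ``admin``), both overridable from the command line, so that the PAM stack consults the ``sssd_be`` access provider and the host's HBAC rules get refreshed. The conversation callback refuses every prompt, because the tool is not authenticating anybody. To keep the file buildable without the libpam development headers, ``libpam.so.0`` is loaded with ``dlopen()`` and the few declarations it needs are copied from Linux-PAM's public ABI; that they match the installed ``libpam.so.0`` is an assumption, and a real implementation would simply include ``<security/pam_appl.h>`` and link with ``-lpam``. The return value of the check is deliberately not interpreted as "allowed" or "denied": a denial still means the rules were fetched.

```c
/* Added example, not part of SSSD. Build: cc -o hbac_refresh hbac_refresh.c
 * (add -ldl on glibc older than 2.34; dlopen() lives in libc since then). */
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>

/* Linux-PAM constants and structures (assumption: match the installed libpam). */
#define PAM_SUCCESS  0
#define PAM_CONV_ERR 19   /* conversation failure: the app refused to answer a prompt */

typedef struct pam_handle pam_handle_t;
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv {
    int (*conv)(int, const struct pam_message **, struct pam_response **, void *);
    void *appdata_ptr;
};

typedef int (*pam_start_fn)(const char *, const char *, const struct pam_conv *, pam_handle_t **);
typedef int (*pam_acct_mgmt_fn)(pam_handle_t *, int);
typedef int (*pam_end_fn)(pam_handle_t *, int);
typedef const char *(*pam_strerror_fn)(pam_handle_t *, int);

/* Conversation callback that never answers: no password is ever supplied,
 * so a module that insists on input gets PAM_CONV_ERR instead. */
static int refuse_conv(int n, const struct pam_message **msg,
                       struct pam_response **resp, void *data)
{
    (void)n; (void)msg; (void)data;
    if (resp != NULL) {
        *resp = NULL;
    }
    return PAM_CONV_ERR;
}

/* Run pam_acct_mgmt() for `user` under `service` (NULL selects the defaults
 * from the design page) and return the PAM return code. Returns -1 when
 * libpam.so.0 cannot be loaded or its symbols cannot be resolved. */
int hbac_refresh_probe(const char *service, const char *user)
{
    void *lib = dlopen("libpam.so.0", RTLD_NOW);
    if (lib == NULL) {
        return -1;
    }
    pam_start_fn     p_start = (pam_start_fn)dlsym(lib, "pam_start");
    pam_acct_mgmt_fn p_acct  = (pam_acct_mgmt_fn)dlsym(lib, "pam_acct_mgmt");
    pam_end_fn       p_end   = (pam_end_fn)dlsym(lib, "pam_end");
    pam_strerror_fn  p_err   = (pam_strerror_fn)dlsym(lib, "pam_strerror");
    if (p_start == NULL || p_acct == NULL || p_end == NULL || p_err == NULL) {
        dlclose(lib);
        return -1;
    }

    if (service == NULL) service = "system-auth";   /* default from the design page */
    if (user == NULL)    user    = "admin";         /* default from the design page */

    struct pam_conv conv = { refuse_conv, NULL };
    pam_handle_t *pamh = NULL;
    int rc = p_start(service, user, &conv, &pamh);
    if (rc != PAM_SUCCESS) {
        fprintf(stderr, "pam_start(%s, %s) failed: %s\n", service, user, p_err(NULL, rc));
        dlclose(lib);
        return rc;
    }

    /* This is the refresh trigger: the account stack runs the sssd access
     * provider, which fetches the current HBAC rules into the cache. Whether
     * `user` is allowed or denied does not matter for the report. */
    rc = p_acct(pamh, 0);
    fprintf(stderr, "pam_acct_mgmt(%s, %s): %s\n", service, user, p_err(pamh, rc));

    p_end(pamh, rc);
    dlclose(lib);
    return rc;
}

int main(int argc, char **argv)
{
    /* usage: hbac_refresh [service [user]]; unset arguments use the defaults */
    const char *service = argc > 1 ? argv[1] : NULL;
    const char *user    = argc > 2 ? argv[2] : NULL;
    int rc = hbac_refresh_probe(service, user);
    if (rc < 0) {
        fprintf(stderr, "libpam.so.0 not available; cannot trigger a rule refresh\n");
        return EXIT_FAILURE;
    }
    /* A real access-report would now read the HBAC rule objects from the
     * sssd cache and print them; that part is outside this example. */
    return EXIT_SUCCESS;
}
```

Two things a practitioner should keep in mind when using this pattern: the user and service names only select which PAM stack and which identity are evaluated, so overriding them changes what ``sssd_be`` is asked about, not what gets cached; and ``refuse_conv`` must stay non-interactive, otherwise an account module that prompts would block an auditing tool meant to run unattended.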