On 08/05/2015 02:32 PM, Martin Kosek wrote:
> On 08/05/2015 12:53 PM, Tomas Babej wrote:
>>
>> On 08/04/2015 03:13 PM, Florian Crouzat wrote:
>>> Hey,
>>>
>>> For security reasons (mostly PCI-DSS) I have to print and sign off an access
>>> form for every user, and also to maintain these forms over time, which
>>> means that every time I add a host to a hostgroup, for example, I should
>>> reprint all access forms for users with access to this hostgroup...
>>>
>>> I was wondering if it was possible to develop a feature that would allow
>>> one to select user(s) from the GUI and generate a csv/pdf/whatever file
>>> with all direct and indirect memberships/access for HBAC, groups and
>>> sudo rules for the selected user(s).
>>>
>>> Maybe a first step would be to script something around ipa CLI commands
>>> (not sure if it is possible to dig into HBAC and groups from the CLI though).
>>>
>>> What are your thoughts on such a need? Am I the only one wanting to export
>>> my users' privileges directly from the software managing these privileges?
>>>
>>> Regards,
>>> Florian
>>>
>>
>> I'd recommend building a script to generate such a report; I'm not
>> really sure it's a feature that would fit directly into the core at this
>> stage.
>>
>> You can access IPA's API directly using Python, which can be leveraged
>> to generate a report using a suitable Python library, such as reportlab.
>>
>> Using the API you will get access to all the information available to
>> you via the ipa command line tool.
>>
>> Examples of using the Python API are available on the net; for example,
>> here's one user's submission which landed on the list some time ago:
>>
>> https://github.com/firemanxbr/freeipa-tools/blob/master/freeipa.py
>>
>> The API can be easily inspected in 4.2 using our new API browser:
>>
>> https://fedorahosted.org/freeipa/ticket/3129
>>
>> If you're on an older release, adding the -vv flag to any ipa command will do
>> the job as well.
>>
>> HTH,
>>
>> Tomas
>>
>
> "ipa user-show USER --all" should show the user and all group memberships,
> including special roles or permissions in the RBAC.
>
> I am not sure about finding the respective HBAC or SUDO rules; hbac-find or
> sudorule-find do not offer searching by user. I am afraid that for current
> versions, raw "ldapsearch" would need to be used.
>

I wrote a shell script (bash+awk) that "does the job" by using "ipa user-show FOO" and looping over each HBAC rule (ipa hbacrule-show), sudo rule (ipa sudorule-show), and group (ipa group-show)... But it's ugly and really dependent on the output of these commands. As Tomas said, there is an API and I could probably do it from Python, but I'm no dev so I'll stick with my poor man's script for the moment...

I was just hoping that this need would meet other people's needs and hopefully justify the addition of a button in the GUI to export all this information automagically... But I know it's a lot to ask, and definitely not the top priority.

Florian

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
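As an added example, not code from this thread or from FreeIPA, the part of such a report script that Florian's bash+awk version has to get right: parsing the "Label: value, value" lines that `ipa user-show`, `ipa hbacrule-show` and `ipa sudorule-show` print, then deciding which rules apply to one user directly, through a (possibly indirect) group, or because the rule has "User category: all", which a per-user report otherwise silently misses. The command output below is constructed, and the field labels are assumed to match the CLI's default output.

```python
import re

# Constructed sample output in the shape 'ipa user-show FOO' prints
# (labels assumed to match the CLI; values are made up for this example).
USER_SHOW = """\
  User login: fcrouzat
  First name: Florian
  Member of groups: webadmins, ipausers
  Indirect Member of group: ops
"""
# Constructed 'ipa hbacrule-show <rule>' and 'ipa sudorule-show <rule>' output.
HBAC_SHOW = {
    "allow_ssh_web": "  Rule name: allow_ssh_web\n  Enabled: TRUE\n"
                     "  User Groups: webadmins\n  Host Groups: webservers\n",
    "allow_all":     "  Rule name: allow_all\n  User category: all\n"
                     "  Enabled: TRUE\n  Host category: all\n",
    "dba_only":      "  Rule name: dba_only\n  Enabled: TRUE\n"
                     "  Users: alice\n  User Groups: dba\n",
    "old_rule":      "  Rule name: old_rule\n  Enabled: FALSE\n"
                     "  User Groups: webadmins\n",
}
SUDO_SHOW = {
    "ops_restart": "  Rule name: ops_restart\n  Enabled: TRUE\n"
                   "  User Groups: ops\n  Sudo Allow Commands: /bin/systemctl\n",
}

def parse_show(text):
    """Turn '  Label: v1, v2' lines into {label: [values]}."""
    entry = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+):\s*(.*)$", line)
        if m:
            entry[m.group(1)] = [v.strip() for v in m.group(2).split(",") if v.strip()]
    return entry

def matching_rules(user_text, rule_texts):
    """Map rule name -> why it grants the user (direct, via group, or category all)."""
    user = parse_show(user_text)
    login = user["User login"][0]
    # Direct and nested group memberships both count for rule matching.
    groups = set(user.get("Member of groups", [])) | set(user.get("Indirect Member of group", []))
    hits = {}
    for name, text in rule_texts.items():
        rule = parse_show(text)
        if rule.get("Enabled", ["TRUE"])[0] != "TRUE":
            continue  # a disabled rule grants nothing and should not be reported as access
        if rule.get("User category") == ["all"]:
            hits[name] = "user category: all"
        elif login in rule.get("Users", []):
            hits[name] = "direct"
        elif groups & set(rule.get("User Groups", [])):
            hits[name] = "via group " + ", ".join(sorted(groups & set(rule["User Groups"])))
    return hits
```

Feeding it the real output of the show commands (one call per rule from `ipa hbacrule-find`/`ipa sudorule-find`) gives the per-user access list the sign-off form needs, with the reason each rule applies.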