That helps, and I read http://www.freeipa.org/page/Howto/HBAC_and_allow_all. Now I understand how it works and the expected behaviour.

Thanks.

Les

-----Original Message-----
From: Martin Kosek [mailto:mko...@redhat.com]
Sent: Tuesday, 4 February 2014 6:30 PM
To: Les Stott; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] HBAC - expected behaviour?

On 02/04/2014 05:11 AM, Les Stott wrote:
> Hi,
>
> Running freeipa 3.0.0-37.el6 on rhel 6.4 and just had a query about HBAC
> rules and how the global allow_all rule applies.
>
> I configured a rule for a single host (host1) allowing access via ssh to only
> a single user (john) via ssh, i.e.
>
> # ipa hbacrule-show host1_access
>   Rule name: host1_access
>   Description: Only john can access host1
>   Enabled: TRUE
>   Users: john
>   Hosts: host1.domain.com
>   Services: sshd
>
> When I run the hbac test against the rule, checking another user jane, it
> works as expected to deny access to jane. But if I include the allow_all rule
> in the test, jane is granted access and can login. I also proved this by
> actually using ssh to login.
>
> If I access the host "host1" and remove allow_all from its defined HBAC rules
> in the web ui, jane can still access host1 via ssh (actually tested login).
> In the end, for the rule to work as expected (jane to be disallowed access to
> host1), I've had to modify the allow_all HBAC rule and set it to apply to all
> hosts except host1.
>
> # ipa hbacrule-show allow_all
>   Rule name: allow_all
>   User category: all
>   <sourcehostcategory>: all
>   Service category: all
>   Description: Allow all users to access any host from any host
>   Enabled: TRUE
>   Hosts: host2.domain.com, host3.domain.com, host4.domain.com
>
> Is this how it's supposed to be? Or is it a bug in this older version?
> I would have thought that if the host didn't have the hbac rule allow_all
> applied to it, just the restrictive host1_access rule, that allow_all
> wouldn't apply.
>
> Thanks,
>
> Les

Hello Les,

I am not aware of any recent bugs in HBAC; this is likely a configuration issue.

This is what the default HBAC allow_all rule looks like:

# ipa hbacrule-show allow_all
  Rule name: allow_all
  User category: all
  Host category: all        <----
  <sourcehostcategory>: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: TRUE

"Host category: all" means that the rule is effective for all hosts. By selectively specifying the hosts, you disabled this selector.

Does it help?

Martin

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
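The evaluation semantics Martin describes (a rule whose Host category is "all" matches every host no matter which hosts are listed on it, rules are allow-only, and any enabled matching rule grants access) as an added Python model written for this page. It is not FreeIPA or SSSD code; `HbacRule`, `matching_rules` and the scenario helpers are names invented for the illustration, and the rule sets reproduce the ones quoted in the thread: the stock allow_all, Les's workaround with an explicit host list, and the alternative of simply disabling allow_all.

```python
# Added example for this thread: a simplified model of how FreeIPA HBAC rules
# are evaluated (on a real client the evaluation is done by SSSD). This is not
# FreeIPA or SSSD code; HbacRule, matching_rules and the scenario helpers
# are names invented for this illustration.
from dataclasses import dataclass, field
from typing import List, Set

ALL = "all"  # value of "User/Host/Service category" on a rule


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    users: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)
    services: Set[str] = field(default_factory=set)
    usercategory: str = ""     # "all", or "" meaning "explicit members only"
    hostcategory: str = ""
    servicecategory: str = ""

    @staticmethod
    def _matches(category: str, members: Set[str], value: str) -> bool:
        # A category of "all" matches everything; otherwise only explicit
        # members match. This is why listing hosts on allow_all clears
        # "Host category: all" and makes the rule host-specific.
        return category == ALL or value in members

    def applies(self, user: str, host: str, service: str) -> bool:
        return (self.enabled
                and self._matches(self.usercategory, self.users, user)
                and self._matches(self.hostcategory, self.hosts, host)
                and self._matches(self.servicecategory, self.services, service))


def matching_rules(rules: List[HbacRule], user: str, host: str, service: str) -> List[str]:
    """HBAC rules are allow-only: access is granted if ANY enabled rule matches.
    Returns the names of the matching rules; an empty list means access denied."""
    return [r.name for r in rules if r.applies(user, host, service)]


def is_allowed(rules: List[HbacRule], user: str, host: str, service: str) -> bool:
    return bool(matching_rules(rules, user, host, service))


HOST1 = "host1.domain.com"
OTHER_HOSTS = {"host2.domain.com", "host3.domain.com", "host4.domain.com"}


def host1_access() -> HbacRule:
    # Les's restrictive rule from the thread: only john, only host1, only sshd.
    return HbacRule("host1_access", users={"john"}, hosts={HOST1}, services={"sshd"})


def default_rules() -> List[HbacRule]:
    # Stock allow_all: every category is "all", no explicit members, so it
    # matches host1 even though host1 is not listed on it anywhere.
    allow_all = HbacRule("allow_all", usercategory=ALL, hostcategory=ALL, servicecategory=ALL)
    return [host1_access(), allow_all]


def workaround_rules() -> List[HbacRule]:
    # Les's workaround: naming hosts explicitly drops "Host category: all",
    # so allow_all now covers only the hosts named on it.
    allow_all = HbacRule("allow_all", usercategory=ALL, hosts=set(OTHER_HOSTS), servicecategory=ALL)
    return [host1_access(), allow_all]


def disabled_allow_all_rules() -> List[HbacRule]:
    # Alternative: disable allow_all entirely and rely on explicit rules.
    # Every host then needs a rule of its own, or nobody can log in to it.
    allow_all = HbacRule("allow_all", enabled=False,
                         usercategory=ALL, hostcategory=ALL, servicecategory=ALL)
    return [host1_access(), allow_all]


if __name__ == "__main__":
    scenarios = [("default", default_rules()),
                 ("workaround", workaround_rules()),
                 ("allow_all disabled", disabled_allow_all_rules())]
    for label, rules in scenarios:
        for user, host in [("john", HOST1), ("jane", HOST1), ("jane", "host2.domain.com")]:
            hit = matching_rules(rules, user, host, "sshd")
            print(f"{label:>18}: {user}@{host} sshd -> {hit or 'DENIED'}")
```

On a live deployment the equivalent check is `ipa hbactest --user jane --host host1.domain.com --service sshd`, which reports which rules matched, and `ipa hbacrule-disable allow_all` is the switch the third scenario models. Disabling allow_all locks users out of any host that has no other matching rule, so write and `hbactest` the per-host rules before flipping it; the explicit-host-list workaround in the thread avoids that outage but has to be updated every time a host is enrolled.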