Re: [Freeipa-devel] Exporting users "access formulars"
On 08/05/2015 02:39 PM, Florian Crouzat wrote:
> On 08/05/2015 02:32 PM, Martin Kosek wrote:
>> On 08/05/2015 12:53 PM, Tomas Babej wrote:
>>>
>>>
>>> On 08/04/2015 03:13 PM, Florian Crouzat wrote:
>>>> Hey,
>>>>
>>>> For security reasons (mostly PCI-DSS) I have to print and sign-off access
>>>> formular for every user, and also to maintain these formulars in time
>>>> which means that every time I add a host to a hostgroup for example, I
>>>> should reprint all access formulars for users with access to this
>>>> hostgroup...
>>>>
>>>> I was wondering if it was possible to develop a feature that would allow
>>>> one to select a user(s) from GUI and generate a csv/pdf/whatever file
>>>> with all direct and indirect memberships/access for HBAC, groups and
>>>> sudo-rule for the selected user(s).
>>>>
>>>> Maybe a first step would be to script something around ipa CLI commands
>>>> (not sure if possible to dig into HBAC and groups from CLI though).
>>>>
>>>> What are your thoughts on such need, am I the only one wanting to export
>>>> my users' privileges directly from the software managing these privileges?
>>>>
>>>> Regards,
>>>> Florian
>>>
>>> I'd recommend building a script to generate such a report, I'm not
>>> really sure it's a feature that would fit directly into the core at this
>>> state.
>>>
>>> You can access IPA's API directly using Python, which can be leveraged
>>> to generate a report using a suitable Python library, such as reportlab.
>>>
>>> Using the API you will get access to all the information available to
>>> you via the ipa command line tool.
>>>
>>> Examples of using Python API are available on the net, for example
>>> here's one user's submission which landed on the list some time ago:
>>>
>>> https://github.com/firemanxbr/freeipa-tools/blob/master/freeipa.py
>>>
>>> API can be easily inspected in 4.2 using our new API browser:
>>>
>>> https://fedorahosted.org/freeipa/ticket/3129
>>>
>>> If you're on an older release, adding -vv flag to any ipa command will do
>>> the job as well.
>>>
>>> HTH,
>>>
>>> Tomas
>>>
>>
>> "ipa user-show USER --all" should show user and all group memberships,
>> including special roles or permission in the RBAC.
>>
>> I am not sure about finding respective HBAC or SUDO rules, hbac-find or
>> sudorule-find does not offer searching by user. I am afraid that for current
>> versions, raw "ldapsearch" would need to be used.
>>
>
> I wrote a shell script (bash+awk) that "does the job" by using "ipa
> user-show FOO" and looping over each hbac (ipa hbacrule-show), sudo (ipa
> sudorule-show), and groups (ipa group-show) ... But it's ugly and really
> dependent on the output of these commands.

Right, this is not ideal and you may hit speed problems when you have
hundreds of SUDO or HBAC rules. So as I said, it may be better to do
"ldapsearch" with proper filter to find out all SUDO/HBAC rules for given
user, get the name of such rule and show it with "show" command if needed.

> As Tomas said, there is an API and I could probably do it from python
> but I'm no dev so I'll stick with my poor man's script for the moment...
>
> I was just hoping that this need would meet other people's needs and
> hopefully justify the addition of a button in the GUI to export all
> this information automagically... But I know it's a lot to ask, and
> definitely not the top priority.
>
> Florian
>

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
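
Added example (not part of the original thread and not FreeIPA project code): one way to build the single "ldapsearch" filter suggested in the reply above and to turn the matching rules into CSV rows for the sign-off form. It assumes the usual FreeIPA schema names (ipahbacrule, ipasudorule, memberUser, userCategory, ipaEnabledFlag) and that the user's memberOf already lists nested groups; the suffix, user, groups and rule entries are constructed sample data.

```python
import csv
import io

SUFFIX = "dc=example,dc=test"                        # constructed suffix
USER = "uid=alice,cn=users,cn=accounts," + SUFFIX    # constructed user DN
GROUPS = ["cn=dba,cn=groups,cn=accounts," + SUFFIX]  # taken from the user's memberOf
WEB = "cn=web,cn=groups,cn=accounts," + SUFFIX
RULES = [  # constructed rule entries; "type" is derived from objectClass
    {"type": "hbac", "cn": "allow_db_hosts", "memberUser": [GROUPS[0]], "ipaEnabledFlag": "TRUE"},
    {"type": "hbac", "cn": "allow_all", "userCategory": "all", "ipaEnabledFlag": "TRUE"},
    {"type": "sudo", "cn": "restart_pg", "memberUser": [USER], "ipaEnabledFlag": "TRUE"},
    {"type": "sudo", "cn": "old_rule", "memberUser": [USER], "ipaEnabledFlag": "FALSE"},
    {"type": "hbac", "cn": "web_only", "memberUser": [WEB], "ipaEnabledFlag": "TRUE"},
]

def escape_filter(value):
    """Escape a value for use inside an LDAP filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def rule_filter(member_dns):
    """One filter for every enabled HBAC/sudo rule that names any of the
    given DNs, or that applies to all users (userCategory=all)."""
    members = "".join("(memberUser=%s)" % escape_filter(dn) for dn in member_dns)
    return ("(&(|(objectClass=ipahbacrule)(objectClass=ipasudorule))"
            "(ipaEnabledFlag=TRUE)(|(userCategory=all)%s))" % members)

def rules_for(user_dn, group_dns, rules):
    """Same logic applied to already-fetched entries; returns report rows."""
    principals = {user_dn.lower()} | {g.lower() for g in group_dns}
    rows = []
    for r in rules:
        if r.get("ipaEnabledFlag") != "TRUE":
            continue                      # disabled rules grant nothing
        if r.get("userCategory") == "all":
            rows.append((r["type"], r["cn"], "all users"))
        for m in r.get("memberUser", []):
            if m.lower() in principals:   # simple case-insensitive DN match
                how = "direct" if m.lower() == user_dn.lower() else "via " + m
                rows.append((r["type"], r["cn"], how))
    return rows

def to_csv(rows):
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["rule_type", "rule", "granted"])
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    print(rule_filter([USER] + GROUPS))
    print(to_csv(rules_for(USER, GROUPS, RULES)))
```

Rules with userCategory=all name no user or group at all, so a report built only from memberUser matches would leave them off the form.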
Re: [Freeipa-devel] Exporting users "access formulars"
On 08/05/2015 02:32 PM, Martin Kosek wrote:
> On 08/05/2015 12:53 PM, Tomas Babej wrote:
>>
>>
>> On 08/04/2015 03:13 PM, Florian Crouzat wrote:
>>> Hey,
>>>
>>> For security reasons (mostly PCI-DSS) I have to print and sign-off access
>>> formular for every user, and also to maintain these formulars in time
>>> which means that every time I add a host to a hostgroup for example, I
>>> should reprint all access formulars for users with access to this
>>> hostgroup...
>>>
>>> I was wondering if it was possible to develop a feature that would allow
>>> one to select a user(s) from GUI and generate a csv/pdf/whatever file
>>> with all direct and indirect memberships/access for HBAC, groups and
>>> sudo-rule for the selected user(s).
>>>
>>> Maybe a first step would be to script something around ipa CLI commands
>>> (not sure if possible to dig into HBAC and groups from CLI though).
>>>
>>> What are your thoughts on such need, am I the only one wanting to export
>>> my users' privileges directly from the software managing these privileges?
>>>
>>> Regards,
>>> Florian
>>>
>>
>> I'd recommend building a script to generate such a report, I'm not
>> really sure it's a feature that would fit directly into the core at this
>> state.
>>
>> You can access IPA's API directly using Python, which can be leveraged
>> to generate a report using a suitable Python library, such as reportlab.
>>
>> Using the API you will get access to all the information available to
>> you via the ipa command line tool.
>>
>> Examples of using Python API are available on the net, for example
>> here's one user's submission which landed on the list some time ago:
>>
>> https://github.com/firemanxbr/freeipa-tools/blob/master/freeipa.py
>>
>> API can be easily inspected in 4.2 using our new API browser:
>>
>> https://fedorahosted.org/freeipa/ticket/3129
>>
>> If you're on an older release, adding -vv flag to any ipa command will do
>> the job as well.
>>
>> HTH,
>>
>> Tomas
>>
>
> "ipa user-show USER --all" should show user and all group memberships,
> including special roles or permission in the RBAC.
>
> I am not sure about finding respective HBAC or SUDO rules, hbac-find or
> sudorule-find does not offer searching by user. I am afraid that for current
> versions, raw "ldapsearch" would need to be used.
>

I wrote a shell script (bash+awk) that "does the job" by using "ipa
user-show FOO" and looping over each hbac (ipa hbacrule-show), sudo (ipa
sudorule-show), and groups (ipa group-show) ... But it's ugly and really
dependent on the output of these commands.

As Tomas said, there is an API and I could probably do it from python
but I'm no dev so I'll stick with my poor man's script for the moment...

I was just hoping that this need would meet other people's needs and
hopefully justify the addition of a button in the GUI to export all
this information automagically... But I know it's a lot to ask, and
definitely not the top priority.

Florian
Re: [Freeipa-devel] Exporting users "access formulars"
On 08/05/2015 12:53 PM, Tomas Babej wrote:
>
>
> On 08/04/2015 03:13 PM, Florian Crouzat wrote:
>> Hey,
>>
>> For security reasons (mostly PCI-DSS) I have to print and sign-off access
>> formular for every user, and also to maintain these formulars in time
>> which means that every time I add a host to a hostgroup for example, I
>> should reprint all access formulars for users with access to this
>> hostgroup...
>>
>> I was wondering if it was possible to develop a feature that would allow
>> one to select a user(s) from GUI and generate a csv/pdf/whatever file
>> with all direct and indirect memberships/access for HBAC, groups and
>> sudo-rule for the selected user(s).
>>
>> Maybe a first step would be to script something around ipa CLI commands
>> (not sure if possible to dig into HBAC and groups from CLI though).
>>
>> What are your thoughts on such need, am I the only one wanting to export
>> my users' privileges directly from the software managing these privileges?
>>
>> Regards,
>> Florian
>>
>
> I'd recommend building a script to generate such a report, I'm not
> really sure it's a feature that would fit directly into the core at this
> state.
>
> You can access IPA's API directly using Python, which can be leveraged
> to generate a report using a suitable Python library, such as reportlab.
>
> Using the API you will get access to all the information available to
> you via the ipa command line tool.
>
> Examples of using Python API are available on the net, for example
> here's one user's submission which landed on the list some time ago:
>
> https://github.com/firemanxbr/freeipa-tools/blob/master/freeipa.py
>
> API can be easily inspected in 4.2 using our new API browser:
>
> https://fedorahosted.org/freeipa/ticket/3129
>
> If you're on an older release, adding -vv flag to any ipa command will do
> the job as well.
>
> HTH,
>
> Tomas
>

"ipa user-show USER --all" should show user and all group memberships,
including special roles or permission in the RBAC.

I am not sure about finding respective HBAC or SUDO rules, hbac-find or
sudorule-find does not offer searching by user. I am afraid that for current
versions, raw "ldapsearch" would need to be used.
Re: [Freeipa-devel] Exporting users "access formulars"
On 08/04/2015 03:13 PM, Florian Crouzat wrote:
> Hey,
>
> For security reasons (mostly PCI-DSS) I have to print and sign-off access
> formular for every user, and also to maintain these formulars in time
> which means that every time I add a host to a hostgroup for example, I
> should reprint all access formulars for users with access to this
> hostgroup...
>
> I was wondering if it was possible to develop a feature that would allow
> one to select a user(s) from GUI and generate a csv/pdf/whatever file
> with all direct and indirect memberships/access for HBAC, groups and
> sudo-rule for the selected user(s).
>
> Maybe a first step would be to script something around ipa CLI commands
> (not sure if possible to dig into HBAC and groups from CLI though).
>
> What are your thoughts on such need, am I the only one wanting to export
> my users' privileges directly from the software managing these privileges?
>
> Regards,
> Florian
>

I'd recommend building a script to generate such a report, I'm not
really sure it's a feature that would fit directly into the core at this
state.

You can access IPA's API directly using Python, which can be leveraged
to generate a report using a suitable Python library, such as reportlab.

Using the API you will get access to all the information available to
you via the ipa command line tool.

Examples of using Python API are available on the net, for example
here's one user's submission which landed on the list some time ago:

https://github.com/firemanxbr/freeipa-tools/blob/master/freeipa.py

API can be easily inspected in 4.2 using our new API browser:

https://fedorahosted.org/freeipa/ticket/3129

If you're on an older release, adding -vv flag to any ipa command will do
the job as well.

HTH,

Tomas
[Freeipa-devel] Exporting users "access formulars"
Hey,

For security reasons (mostly PCI-DSS) I have to print and sign-off access
formular for every user, and also to maintain these formulars in time
which means that every time I add a host to a hostgroup for example, I
should reprint all access formulars for users with access to this
hostgroup...

I was wondering if it was possible to develop a feature that would allow
one to select a user(s) from GUI and generate a csv/pdf/whatever file
with all direct and indirect memberships/access for HBAC, groups and
sudo-rule for the selected user(s).

Maybe a first step would be to script something around ipa CLI commands
(not sure if possible to dig into HBAC and groups from CLI though).

What are your thoughts on such need, am I the only one wanting to export
my users' privileges directly from the software managing these privileges?

Regards,
Florian