Hi, below is a short design page about a new sssctl command that prints the IPA HBAC rules cached on an IPA client. If there are no comments, I'll open a PR against the docs repository.
Generate an access control report for IPA domains
=================================================

Related ticket(s):
------------------

https://pagure.io/SSSD/sssd/issue/2840

Problem statement
-----------------

Some environments require, for auditing reasons, that an access control report
be generated on the IPA client itself. While it can be argued that generating
these reports on the IPA servers instead would provide a nicer experience, the
audit requirements sometimes mandate a tool that is run on the host.

Use cases
---------

As an owner of an IPA client I need to know which users have access to this
client. I want to run a tool on the host and get a report of who can access it.
The report must contain information about HBAC rules. In the future, SUDO rules
would be nice to have as well.

Overview of the solution
------------------------

A new ``sssctl`` command called ``access-report`` will be added. For now the
command will only be implemented for IPA domains; other domain types will just
return an error. The command will first trigger a PAM access control call to
force a refresh of the rules and then print all HBAC rule objects from the
cache.

Configuration changes
---------------------

None, only the new tool will be implemented.

Implementation details
----------------------

In order to trigger the refresh of the rules by the ``sssd_be`` process, the
tool will call ``pam_acct_mgmt(3)``. The ``user`` and ``service`` used in that
call will have sensible defaults (e.g. ``admin`` and ``system-auth``), but the
tool will also offer command-line switches to override both. In addition, the
tool will have a switch to operate purely from the cache, skipping the refresh.

For printing the rules, the tool will simply call ``ldb_search``, retrieve all
objects of objectclass ``ipaHbacRule`` and then print the RDN value of
``memberUser`` (for users and user groups), ``memberService`` (for services and
service groups) and ``category``.

By default, groups will not be unrolled: the ``getgrnam`` interface limits
group nesting by default, so it is better to print just the group name rather
than all of the group members.

The tool must print the output in both a human-readable and a machine-readable
format. For the machine-readable output, JSON is the best choice, since the KCM
responder already depends on ``libjansson``.

How To Test
-----------

Run ``sssctl access-report`` on an IPA client with different HBAC rules stored
in the cache. Make sure all options produce the desired results.

How To Debug
------------

Debug messages will be added to the tool itself. To compare the output with the
cache contents, the ``ldbsearch`` tool can be used. The ``ipa`` administration
tool can be used to display the server-side HBAC rules.

Authors
-------

* Jakub Hrozek

_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
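The reporting step described under Implementation details (take every ``ipaHbacRule`` object, print the RDN values of ``memberUser`` and ``memberService`` together with the category attributes, in a text and a JSON form) can be prototyped against an ``ldbsearch`` dump of the client cache, which is also the comparison the How To Debug section suggests. The Python script below is an added example and not SSSD code: it parses LDIF the way ``ldbsearch`` prints it (comment lines, folded continuation lines, ``attr:: base64`` values) and builds the report. The sample dump is constructed; the attribute names follow the IPA HBAC schema (``memberUser``, ``memberService``, ``userCategory``, ``hostCategory``, ``serviceCategory``, ``ipaEnabledFlag``), while the ``cn=hbac_rules,cn=custom,...`` container path, the function names and treating a rule without ``ipaEnabledFlag`` as enabled are assumptions of this example.

```python
"""Build the HBAC access report from an ldbsearch dump of the SSSD cache.
Added example, not SSSD code; it reads LDIF as printed by ldbsearch."""
import base64
import json
import re

# Constructed sample of an IPA client cache dump. Attribute names follow the
# IPA HBAC schema; the cn=hbac_rules,cn=custom container path is an assumption.
SAMPLE_LDIF = """\
# record 1
dn: name=allow_admins,cn=hbac_rules,cn=custom,cn=ipa.test,cn=sysdb
objectClass: ipaHbacRule
name: allow_admins
ipaEnabledFlag: TRUE
memberUser: name=admin,cn=users,cn=ipa.test,cn=sysdb
memberUser: name=admins,cn=groups,cn=ipa.test,cn=sysdb
memberService: cn=sshd,cn=hbac_services,cn=custom,cn=ipa.test,cn=sysdb
memberService: cn=login services,cn=hbac_servicegroups,cn=custom,cn=ipa.te
 st,cn=sysdb
description:: QWxsb3cgYWRtaW5zIHRvIGxvZyBpbg==

dn: name=allow_all,cn=hbac_rules,cn=custom,cn=ipa.test,cn=sysdb
objectClass: ipaHbacRule
name: allow_all
ipaEnabledFlag: FALSE
userCategory: all
hostCategory: all
serviceCategory: all

dn: name=admin,cn=users,cn=ipa.test,cn=sysdb
objectClass: user
name: admin

# returned 3 records
"""

_RDN = re.compile(r"^\s*[^=,]+=((?:\\.|[^,])*)")


def parse_ldif(text):
    """Parse ldbsearch output into a list of {attribute: [values]} dicts."""
    entries, entry = [], {}
    for line in re.sub(r"\n ", "", text).splitlines():  # unfold continuation lines
        if line.startswith("#"):
            continue
        if not line:                               # blank line closes the record
            if entry:
                entries.append(entry)
            entry = {}
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):                   # 'attr:: base64' value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        entry.setdefault(attr.strip(), []).append(value)
    if entry:
        entries.append(entry)
    return entries


def rdn_value(dn):
    """Value of the first RDN: 'name=admins,cn=groups,...' -> 'admins'."""
    match = _RDN.match(dn)
    if not match:
        raise ValueError(f"not a DN: {dn!r}")
    return re.sub(r"\\(.)", r"\1", match.group(1)).strip()


def hbac_report(entries):
    """Reduce ipaHbacRule objects to member names; groups are not unrolled."""
    rules = []
    for entry in entries:
        if "ipahbacrule" not in [c.lower() for c in entry.get("objectClass", [])]:
            continue
        rules.append({
            "name": entry.get("name", [rdn_value(entry["dn"][0])])[0],
            # assumption: a rule without ipaEnabledFlag counts as enabled
            "enabled": entry.get("ipaEnabledFlag", ["TRUE"])[0].upper() == "TRUE",
            "users": [rdn_value(v) for v in entry.get("memberUser", [])],
            "services": [rdn_value(v) for v in entry.get("memberService", [])],
            "categories": {k: entry[k][0] for k in
                           ("userCategory", "hostCategory", "serviceCategory") if k in entry},
        })
    return rules


def to_json(rules):
    """Machine-readable output (the design page picks JSON)."""
    return json.dumps(rules, indent=2, sort_keys=True)


def to_text(rules):
    """Human-readable output; an empty member list falls back to the category."""
    out = []
    for r in rules:
        users = ", ".join(r["users"]) or r["categories"].get("userCategory", "-")
        svcs = ", ".join(r["services"]) or r["categories"].get("serviceCategory", "-")
        out.append(f"Rule: {r['name']} ({'enabled' if r['enabled'] else 'disabled'})\n"
                   f"  users:    {users}\n  services: {svcs}")
    return "\n".join(out)
```

To run it against a real client, replace ``SAMPLE_LDIF`` with the output of ``ldbsearch -H /var/lib/sss/db/cache_<domain>.ldb '(objectClass=ipaHbacRule)'`` (the usual SSSD cache location; adjust the path for your system). Note that ``admins`` is reported as a group name and not unrolled, and that a rule such as ``allow_all`` carries no ``memberUser`` at all, so the report has to show the category instead of an empty list.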