Create default HBAC rule allowing any user to access any host from any host
This is to make initial installation and testing easier. Use the --no_hbac_allow command-line option to skip creating it at install time. To remove it from a running server, run: ipa hbac-del allow_all
parent
a3d1b17559
commit
92e350ca0a
@ -13,6 +13,7 @@ app_DATA = \
|
|||||||
bootstrap-template.ldif \
|
bootstrap-template.ldif \
|
||||||
caJarSigningCert.cfg.template \
|
caJarSigningCert.cfg.template \
|
||||||
default-aci.ldif \
|
default-aci.ldif \
|
||||||
|
default-hbac.ldif \
|
||||||
default-keytypes.ldif \
|
default-keytypes.ldif \
|
||||||
delegation.ldif \
|
delegation.ldif \
|
||||||
dns.ldif \
|
dns.ldif \
|
||||||
|
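--- /dev/null
+++ b/install/share/default-hbac.ldif
@@ -0,0 +1,14 @@
+# default HBAC policy that grants permission to all services
+dn: ipauniqueid=$UUID,cn=hbac,$SUFFIX
+changetype: add
+objectclass: ipaassociation
+objectclass: ipahbacrule
+cn: allow_all
+accessruletype: allow
+usercategory: all
+hostcategory: all
+sourcehostcategory: all
+ipaenabledflag: TRUE
+description: Allow all users to access any host from any host
+# ipauniqueid gets added for us by 389-ds
+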
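Review bot: The header comment on the first added line says the rule "grants permission to all services", but no service-related attribute appears in the entry — only usercategory, hostcategory and sourcehostcategory are set to all — so whether "all services" follows from omission depends on the ipahbacrule schema, which is not visible here; confirm that and make the comment match what the entry actually says. Because this is an enabled, unconditional allow rule installed by default, the comment should also carry the warning the man page gives, e.g. `# Installed by default for initial setup/testing only; remove before production with: ipa hbac-del allow_all`. The closing comment says ipauniqueid is added by 389-ds, yet the DN already carries a $UUID supplied by the installer; a sentence saying whether the installer value or a server-generated one ends up in the attribute would avoid confusion for whoever next edits this template.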
@ -122,6 +122,9 @@ def parse_options():
|
|||||||
help="The starting gid value (default random)")
|
help="The starting gid value (default random)")
|
||||||
parser.add_option("--subject", dest="subject", default="O=IPA",
|
parser.add_option("--subject", dest="subject", default="O=IPA",
|
||||||
help="The certificate subject base (default O=IPA)")
|
help="The certificate subject base (default O=IPA)")
|
||||||
|
parser.add_option("--no_hbac_allow", dest="hbac_allow", default=False,
|
||||||
|
action="store_true",
|
||||||
|
help="Don't install allow_all HBAC rule")
|
||||||
options, args = parser.parse_args()
|
options, args = parser.parse_args()
|
||||||
|
|
||||||
if not options.setup_dns:
|
if not options.setup_dns:
|
||||||
@ -722,11 +725,11 @@ def main():
|
|||||||
if options.dirsrv_pkcs12:
|
if options.dirsrv_pkcs12:
|
||||||
pkcs12_info = (options.dirsrv_pkcs12, pw_name)
|
pkcs12_info = (options.dirsrv_pkcs12, pw_name)
|
||||||
try:
|
try:
|
||||||
ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, pkcs12_info, subject_base=options.subject)
|
ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, pkcs12_info, subject_base=options.subject, hbac_allow=not options.hbac_allow)
|
||||||
finally:
|
finally:
|
||||||
os.remove(pw_name)
|
os.remove(pw_name)
|
||||||
else:
|
else:
|
||||||
ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, self_signed_ca=options.selfsign, uidstart=options.uidstart, gidstart=options.gidstart, subject_base=options.subject)
|
ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, self_signed_ca=options.selfsign, uidstart=options.uidstart, gidstart=options.gidstart, subject_base=options.subject, hbac_allow=not options.hbac_allow)
|
||||||
|
|
||||||
# Create a kerberos instance
|
# Create a kerberos instance
|
||||||
krb = krbinstance.KrbInstance(fstore)
|
krb = krbinstance.KrbInstance(fstore)
|
||||||
|
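Review bot: The new `--no_hbac_allow` option stores True into a dest named `hbac_allow`, so `options.hbac_allow` is True exactly when the rule must not be installed, and both create_instance calls in the second hunk have to undo that with `hbac_allow=not options.hbac_allow`. Declaring it as `parser.add_option("--no_hbac_allow", dest="hbac_allow", default=True, action="store_false", help="Don't install allow_all HBAC rule")` lets both calls pass `hbac_allow=options.hbac_allow` and removes the double negation. Since the default leaves every host open to every user from every host, the help string should say so, e.g. `help="Don't install the allow_all HBAC rule (installed by default for testing; remove before production)"`. parse_options and main both continue outside the hunks.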
@ -101,6 +101,9 @@ The starting group id number (default random)
|
|||||||
\fB\-\-subject\fR=\fISUBJECT\fR
|
\fB\-\-subject\fR=\fISUBJECT\fR
|
||||||
The certificate subject base (default O=IPA)
|
The certificate subject base (default O=IPA)
|
||||||
.TP
|
.TP
|
||||||
|
\fB\-\-no_hbac_allow\fR
|
||||||
|
Don't install allow_all HBAC rule. This rule lets any user from any host access any service on any other host. It is expected that users will remove this rule before moving to production.
|
||||||
|
.TP
|
||||||
.SH "EXIT STATUS"
|
.SH "EXIT STATUS"
|
||||||
0 if the installation was successful
|
0 if the installation was successful
|
||||||
|
|
||||||
|
@ -38,7 +38,7 @@ from ldap.dn import escape_dn_chars
|
|||||||
from ipaserver import ipaldap
|
from ipaserver import ipaldap
|
||||||
from ipaserver.install import ldapupdate
|
from ipaserver.install import ldapupdate
|
||||||
from ipaserver.install import httpinstance
|
from ipaserver.install import httpinstance
|
||||||
from ipalib import util
|
from ipalib import util, uuid
|
||||||
|
|
||||||
SERVER_ROOT_64 = "/usr/lib64/dirsrv"
|
SERVER_ROOT_64 = "/usr/lib64/dirsrv"
|
||||||
SERVER_ROOT_32 = "/usr/lib/dirsrv"
|
SERVER_ROOT_32 = "/usr/lib/dirsrv"
|
||||||
@ -157,7 +157,7 @@ class DsInstance(service.Service):
|
|||||||
else:
|
else:
|
||||||
self.suffix = None
|
self.suffix = None
|
||||||
|
|
||||||
def create_instance(self, ds_user, realm_name, host_name, domain_name, dm_password, pkcs12_info=None, self_signed_ca=False, uidstart=1100, gidstart=1100, subject_base=None):
|
def create_instance(self, ds_user, realm_name, host_name, domain_name, dm_password, pkcs12_info=None, self_signed_ca=False, uidstart=1100, gidstart=1100, subject_base=None, hbac_allow=True):
|
||||||
self.ds_user = ds_user
|
self.ds_user = ds_user
|
||||||
self.realm_name = realm_name.upper()
|
self.realm_name = realm_name.upper()
|
||||||
self.serverid = realm_to_serverid(self.realm_name)
|
self.serverid = realm_to_serverid(self.realm_name)
|
||||||
@ -194,6 +194,8 @@ class DsInstance(service.Service):
|
|||||||
self.__add_master_entry_first_master)
|
self.__add_master_entry_first_master)
|
||||||
self.step("initializing group membership",
|
self.step("initializing group membership",
|
||||||
self.init_memberof)
|
self.init_memberof)
|
||||||
|
if hbac_allow:
|
||||||
|
self.step("creating default HBAC rule allow_all", self.add_hbac)
|
||||||
|
|
||||||
self.step("configuring directory to start on boot", self.__enable)
|
self.step("configuring directory to start on boot", self.__enable)
|
||||||
|
|
||||||
@ -411,6 +413,11 @@ class DsInstance(service.Service):
|
|||||||
def __enable_ldapi(self):
|
def __enable_ldapi(self):
|
||||||
self._ldap_mod("ldapi.ldif", self.sub_dict)
|
self._ldap_mod("ldapi.ldif", self.sub_dict)
|
||||||
|
|
||||||
|
def add_hbac(self):
|
||||||
|
self.sub_dict['UUID'] = str(uuid.uuid1())
|
||||||
|
self._ldap_mod("default-hbac.ldif", self.sub_dict)
|
||||||
|
del self.sub_dict['UUID']
|
||||||
|
|
||||||
def change_admin_password(self, password):
|
def change_admin_password(self, password):
|
||||||
logging.debug("Changing admin password")
|
logging.debug("Changing admin password")
|
||||||
dirname = config_dirname(self.serverid)
|
dirname = config_dirname(self.serverid)
|
||||||
|
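Review bot: In add_hbac (last hunk) the UUID key is removed from self.sub_dict only on the success path; if `_ldap_mod` raises, the key stays behind and a later template substitution on this instance would see a stale UUID, so the call should be wrapped as `try: self._ldap_mod("default-hbac.ldif", self.sub_dict)` / `finally: del self.sub_dict['UUID']`. `uuid.uuid1()` here comes from ipalib (first hunk), not the stdlib; if it follows the stdlib semantics, a version-1 UUID embeds the host's MAC address and a timestamp into the entry's DN, and a random uuid4 would be preferable for an identifier that may be readable by ordinary directory clients — worth confirming what ipalib.uuid provides. The new hbac_allow parameter on create_instance (third hunk) is undocumented and the signature is the only line of that method visible here; a docstring line such as `hbac_allow: create the default allow_all HBAC rule (True) or skip it` belongs in the body outside the hunk.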