HBAC rules control who can access what services on what hosts and from where.
You can use HBAC to control which users or groups on a source host can
access a service, or group of services, on a target host.
Since applying HBAC rules implies use of a production environment,
this plugin aims to provide simulation of HBAC rules evaluation without
having access to the production environment.
Test user coming from source host to a service on a named host against
existing enabled rules.
ipa hbactest --user= --srchost= --host= --service=
[--rules=rules-list] [--nodetail] [--enabled] [--disabled]
--user, --srchost, --host, and --service are mandatory, others are optional.
If --rules is specified simulate enabling of the specified rules and test
the login of the user using only these rules.
If --enabled is specified, all enabled HBAC rules will be added to simulation
If --disabled is specified, all disabled HBAC rules will be added to simulation
If --nodetail is specified, do not return information about rules matched/not matched.
If both --rules and --enabled are specified, apply simulation to --rules _and_
all IPA enabled rules.
If no --rules specified, simulation is run against all IPA enabled rules.
EXAMPLES:
1. Use all enabled HBAC rules in IPA database to simulate:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
matched: allow_all
2. Disable detailed summary of how rules were applied:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail
--------------------
Access granted: True
--------------------
3. Test explicitly specified HBAC rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule
---------------------
Access granted: False
---------------------
notmatched: my-second-rule
notmatched: myrule
4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
matched: allow_all
5. Test all disabled HBAC rules in IPA database:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled
---------------------
Access granted: False
---------------------
notmatched: new-rule
6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled
---------------------
Access granted: False
---------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
7. Test all (enabled and disabled) HBAC rules in IPA database:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
notmatched: new-rule
matched: allow_all
Only rules existing in IPA database are tested. They may be in enabled or
disabled disabled state.
Specifying them through --rules option explicitly enables them only in
simulation run.
Specifying non-existing rules will not grant access and report non-existing
rules in output.
Implements a new option to filter out reverse zones.
This patch also do some clean up in dns plugin - debug prints were
accidentally left here in the last dns patch.
https://fedorahosted.org/freeipa/ticket/1471
The DNS record plugin does not support modification of a record. One
can only add A type addresses to a DNS record or remove the current
ones. To actually change a DNS record value it has to be removed and
then added with a desired value.
This patch adds a new DNS plugin command "dnsrecord-mod" which enables
user to:
- modify a DNS record value (note than DNS record can hold multiple values
and those will be overwritten)
- remove a DNS record when an empty value is passed
New tests for this new command have been added to the CLI test suite.
https://fedorahosted.org/freeipa/ticket/1137
When user migrates users/groups from an old DS instance, the
migration may fail on unsupported object classes and/or
relevant LDAP object attributes.
This patch implements a support for object class and attribute
ignore lists that can be used to suppress these migration issues.
Additionally, a redundant "dev/null" file is removed from git repo
(originally added in 26b0e8fc98).
https://fedorahosted.org/freeipa/ticket/1266
To support multiple direct maps we added description to the DN of
automount key entries. The downside of this is that to display a key
you had to know the information as well, which was rather pointless if
that is what you were trying to get.
So now both modes are supported. It will first look for just a key
in the description and fall back to including automountinformation
if it needs to.
Multiple direct maps are still supported and for those the info is
always required.
ticket 1229
Automatic creation may of User Private Groups (UPG) may not be
wanted at all times. This patch adds a new flag --noprivate to
ipa user-add command to disable it.
https://fedorahosted.org/freeipa/ticket/1131
postalCode is defined as an Int. This means you can't define one that has
a leading zero nor can you have dashes, letters, etc.
This changes the data type on the server. It will still accept an int
value if provided and convert it into a string.
Bump the API version to 2.1.
ticket 1150
This patch contains 2 parts.
The first part is a small utility to create and validate the current
API. To do this it needs to load ipalib which on a fresh system
introduces a few problems, namely that it relies on a python plugin
to set the default encoding to utf8. For our purposes we can skip that.
It is also important that any optional plugins be loadable so the
API can be examined.
The second part is a version exchange between the client and server.
The version has a major and a minor version. The major verion is
updated whenever existing API changes. The minor version is updated when
new API is added. A request will be rejected if either the major versions
don't match or if the client major version is higher than then server
major version (though by implication new API would return a command not
found if allowed to proceed).
To determine the API version of the server from a client use the ping
command.
ticket 584
Whenever we upgrade IPA such that any data incompatibilities might occur
then we need to bump the DATA_VERSION value so that data will not
replicate to other servers. The idea is that you can do an in-place
upgrade of each IPA server and the different versions own't pollute
each other with bad data.
There was much back and forth and gnashing of teeth about what the
version should actually be in these pre-releases. We decided it isn't
2.0-ish enough so went with 1.9.0, 1.9.1, etc until we're ready to
declare 2.0.0.
Fix make maintainer-clean
Also make RPM naming consistent by using a temp RELEASE file.
This one helps when testing builds using rpms.
Just 'echo X > RELEASE' to build a new rpms (X, X+1, X+2 ...)
Version 1.1.0 was released some times ago, bump up to 1.1.1
The file VERSION is now the sole-source of versioning.
The generated .spec files will been removed in the maintainer-clean targets
and have been removed from the repository.
By default a GIT build is done. To do a non-GIT build do:
$ make TARGET IPA_VERSION_IS_GIT_SNAPSHOT=no
When updating the version you can run this to regenerate the version:
$ make version-update
The version can be determined in Python by using ipaserver.version.VERSION