freeipa/doc/api/hbac_guide.md
Antonio Torres a2667b249e API doc: add usage guides for groups, HBAC and sudo rules
Include guides with examples for groups, HBAC and sudo rules management.
These cover most of the available commands related to these topics.

Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-02-08 14:20:38 -05:00

2.3 KiB

# Host-based Access Control (HBAC) Examples

HBAC rules define policies that control access to hosts and services based on the user, the user's group, or the host from which the access is attempted.

## Creating an HBAC rule

Create a base rule that will handle SSH service access.

```python
api.Command.hbacrule_add("sshd_rule")
```

## Managing members of an HBAC rule

Add user john to the previously created HBAC rule.

```python
api.Command.hbacrule_add_user("sshd_rule", user="john")
```

Additionally, you can grant access based on groups:

```python
api.Command.hbacrule_add_user("sshd_rule", group="developers")
```

Remove user john from the HBAC rule.

```python
api.Command.hbacrule_remove_user("sshd_rule", user="john")
```

## Managing targets of an HBAC rule

Once the rule exists and its members are set, targets (services and hosts) must already be registered in IPA before they can be added to the rule.

Add a new HBAC service.

```python
api.Command.hbacsvc_add("chronyd")
```

Services must be attached to rules. Attach the sshd service to the previously created rule. This service is registered in IPA by default, so there is no need to add it with `hbacsvc_add` first.

```python
api.Command.hbacrule_add_service("sshd_rule", hbacsvc="sshd")
```

Hosts can be added as targets as well. Allow the SSH service to be accessed only on the hosts that are part of the workstations hostgroup.

```python
api.Command.hbacrule_add_host("sshd_rule", hostgroup="workstations")
```

## Testing an HBAC rule

Simulate an access attempt by user john to the sshd service on the host workstation.ipa.test, evaluating only the rule created above.

```python
api.Command.hbactest(user="john", targethost="workstation.ipa.test", service="sshd", rules="sshd_rule")
```
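The following is an added example, not part of this guide or of FreeIPA's own code: a small local model of the evaluation that `hbactest` performs, using the `sshd_rule` built above as constructed data. It shows the semantics worth remembering when writing rules: a rule grants access only when the user (directly or through a group), the target host (directly or through a hostgroup) and the service all match; a rule with a category set to "all" matches any value in that dimension; disabled rules never match; and access is granted if any rule matches. The `HbacRule`, `rule_matches`, `hbac_test` and `simulate` names and the user and host group memberships are assumptions of this example. FreeIPA itself evaluates rules on the server (for `hbactest`) and on enrolled clients through SSSD.

```python
from dataclasses import dataclass, field

# Constructed directory data for the example (not from a real IPA server).
USER_GROUPS = {"john": {"developers"}, "alice": {"ops"}}
HOST_GROUPS = {"workstation.ipa.test": {"workstations"},
               "server.ipa.test": {"servers"}}


@dataclass
class HbacRule:
    """Hypothetical model of an HBAC rule's member and target attributes."""
    name: str
    enabled: bool = True
    users: set = field(default_factory=set)        # memberuser (users)
    groups: set = field(default_factory=set)       # memberuser (groups)
    hosts: set = field(default_factory=set)        # memberhost (hosts)
    hostgroups: set = field(default_factory=set)   # memberhost (hostgroups)
    services: set = field(default_factory=set)     # memberservice
    # usercategory / hostcategory / servicecategory = "all"
    user_all: bool = False
    host_all: bool = False
    service_all: bool = False


# The rule assembled in this guide: developers may use sshd on workstations.
SSHD_RULE = HbacRule(name="sshd_rule", groups={"developers"},
                     hostgroups={"workstations"}, services={"sshd"})


def rule_matches(rule, user, user_groups, host, host_groups, service):
    """A rule matches only if user, host and service dimensions all match."""
    if not rule.enabled:
        return False
    user_ok = rule.user_all or user in rule.users or bool(user_groups & rule.groups)
    host_ok = rule.host_all or host in rule.hosts or bool(host_groups & rule.hostgroups)
    svc_ok = rule.service_all or service in rule.services
    return user_ok and host_ok and svc_ok


def hbac_test(rules, user, user_groups, host, host_groups, service):
    """Return (access_granted, matched_rule_names, unmatched_rule_names)."""
    matched = [r.name for r in rules
               if rule_matches(r, user, user_groups, host, host_groups, service)]
    not_matched = [r.name for r in rules if r.name not in matched]
    return bool(matched), matched, not_matched


def simulate(rules, user, host, service):
    """Resolve group memberships from the constructed directory, then evaluate."""
    return hbac_test(rules, user, USER_GROUPS.get(user, set()),
                     host, HOST_GROUPS.get(host, set()), service)


if __name__ == "__main__":
    rules = [SSHD_RULE]
    for user, host, service in [("john", "workstation.ipa.test", "sshd"),
                                ("john", "server.ipa.test", "sshd"),
                                ("alice", "workstation.ipa.test", "sshd"),
                                ("john", "workstation.ipa.test", "chronyd")]:
        granted, matched, unmatched = simulate(rules, user, host, service)
        print(f"{user}@{host} {service}: {'ALLOW' if granted else 'DENY'} "
              f"matched={matched} not_matched={unmatched}")
```

The denied cases are the useful ones to check after a rule change: moving the host out of the `workstations` hostgroup or disabling the rule flips the result to DENY even though the user is still a member, which is exactly what `hbactest` reports with its matched and not-matched rule lists.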

## Enabling and disabling HBAC rules

Enable an HBAC rule.

```python
api.Command.hbacrule_enable("sshd_rule")
```

Disable an HBAC rule.

```python
api.Command.hbacrule_disable("sshd_rule")
```