| |
@@ -0,0 +1,88 @@
|
| |
+ Generate an access control report for IPA domains
|
| |
+ =================================================
|
| |
+
|
| |
+ Related ticket(s):
|
| |
+ ------------------
|
| |
+ https://pagure.io/SSSD/sssd/issue/2840
|
| |
+
|
| |
+ Problem statement
|
| |
+ -----------------
|
| |
+ Some environments require, for auditing reasons, to generate an access
|
| |
+ control report on the IPA client itself. While it can be argued that
|
| |
+ generating these reports on the IPA servers instead would provide a nicer
|
| |
+ experience, the audits requirement sometimes need a tool to be run on the
|
| |
+ host.
|
| |
+
|
| |
+ Use cases
|
| |
+ ---------
|
| |
+ As an owner of an IPA client I need to know which users have access to
|
| |
+ this client. I want to run a tool on the host and get a report who can
|
| |
+ access it.
|
| |
+
|
| |
+ The reports must contain information about HBAC rules. In future, SUDO
|
| |
+ rules would be nice to have as well.
|
| |
+
|
| |
+ Overview of the solution
|
| |
+ ------------------------
|
| |
+ A new ``sssctl`` command called ``access-report``. will be added. This
|
| |
+ command will only be implemented for IPA domains for now, other domain
|
| |
+ types will just return an error.
|
| |
+
|
| |
+ In this version, only a human-readable output will be provided.
|
| |
+
|
| |
+ Configuration changes
|
| |
+ ---------------------
|
| |
+ None, only the new tool will be implemented.
|
| |
+
|
| |
+ Implementation details
|
| |
+ ----------------------
|
| |
+ In order to trigger the refresh of rules by ``sssd_be`` process,
|
| |
+ the Data Provider will be enhanced with a new sbus method
|
| |
+ ``org.freedesktop.sssd.DataProvider.AccessControl``.
|
| |
+
|
| |
+ This method will trigger the same async requests that PAM access phase
|
| |
+ normally calls which fetch and save the IPA HBAC rules. This means that
|
| |
+ the same rate-limiting with the ``ipa_hbac_refresh`` applies to this
|
| |
+ request as if it was called via PAM access phase. Additionally, this
|
| |
+ method will be exposed over the public D-Bus InfoPipe responder via a new
|
| |
+ ``RefreshAccessRules`` method. As with all methods, only root can call
|
| |
+ it by default.
|
| |
+
|
| |
+ Finally, this new D-Bus method will be called from the ``sssctl
|
| |
+ access-report`` command when it's ran in order to populate the ldb cache
|
| |
+ with fresh HBAC rules
|
| |
+
|
| |
+ For printing the rules, the tool will simply call ``ldb_search``,
|
| |
+ retrieve all objects of objectclass ``ipaHbacRule`` and then print the RDN
|
| |
+ value of ``memberUser`` (for users and user groups), ``memberService``
|
| |
+ (for services and service groups) and ``category``. By default, groups
|
| |
+ will not be unrolled, because the ``getgrnam`` interface limits the group
|
| |
+ nesting by default, therefore it is better to just print the group name,
|
| |
+ not all the group members.
|
| |
+
|
| |
+ Future enhancements
|
| |
+ -------------------
|
| |
+ In future, the tool should also print the output in both human-readable
|
| |
+ and machine-readable formats. For machine readable output, JSON is the
|
| |
+ best choice, since the KCM responder already depends on ``libjansson.``
|
| |
+ This enhancement is tracked in ticket `#3581 <https://pagure.io/SSSD/sssd/issue/3581>`_.
|
| |
+
|
| |
+ Additionally, for HBAC rules which are linked to a group, it might
|
| |
+ be handy to unroll the group members and print them if the administrator
|
| |
+ wishes. This enhancement is tracked with ticket `#3580 <https://pagure.io/SSSD/sssd/issue/3580>`_
|
| |
+
|
| |
+ How To Test
|
| |
+ -----------
|
| |
+ Run ``sssctl access-report`` on an IPA client with different HBAC rules
|
| |
+ stored in the cache. Make sure all options produce the desired results.
|
| |
+
|
| |
+
|
| |
+ How To Debug
|
| |
+ ------------
|
| |
+ Debug messages will be added to the tool itself. To compare the output
|
| |
+ with the cache contents, the ``ldbsearch`` tool can be used. The ``ipa``
|
| |
+ administration tool can be used to display the server-side HBAC rules.
|
| |
+
|
| |
+ Authors
|
| |
+ -------
|
| |
+ * Jakub Hrozek <jhrozek@redhat.com>
|
| |
Adds a desing page for https://pagure.io/SSSD/sssd/issue/2840