We currently have one HBAC rule that allows all access. To define a set of rules for a set of dedicated machines, say web servers or DB hosts, one has to turn it off and define rules for the machines he is interested in. But he also needs to define the rule for the rest of the machines, or at least for the IPA server, otherwise even admins would be prevented from logging into IPA hosts. To prevent this situation I suggest that in addition to the existing HBAC rule we should add another default rule that would allow the administrator's group access to the IPA replicas. This means that we also need to have a default and automatically populated host group called "IdM Servers" (or the like). This host group should be automatically maintained (replicas should be added to it) when they are prepared or installed (TBD when it is better to do it).
The scope of work:
1. Have a default host group for replicas created when the first IPA server is installed
2. Host group is automatically updated when replicas are added. Replica removal might be left to administrator
3. Have a default HBAC rule that would allow Admin user group full access to the host group defined above.
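What the three steps above look like when done by hand with the `ipa` CLI, as an added example that is not part of the ticket or of FreeIPA itself. It also encodes the ordering constraint the description warns about: the admin rule is created and checked with `ipa hbactest` before `allow_all` is disabled, so administrators cannot lock themselves out of the IPA servers. The host group name `ipaservers`, the rule name `allow_admins_ipaservers`, the replica FQDNs and the `IPA_CMD` dry-run variable are assumptions made for illustration; the `ipa` subcommands and options are the real ones.

```shell
#!/bin/sh
# Added example, not code from the ticket or from the FreeIPA project.
# Manual version of the three steps in the scope of work, built on the real
# `ipa` CLI. Names are assumptions for illustration. Setting IPA_CMD=echo
# prints the command sequence instead of executing it (dry run).
IPA_CMD="${IPA_CMD:-ipa}"
HOSTGROUP="${HOSTGROUP:-ipaservers}"               # assumed name for the "IdM Servers" group
RULE="${RULE:-allow_admins_ipaservers}"            # assumed name for the default admin rule

# Step 1: host group that will contain every IPA server / replica.
create_server_hostgroup() {
    $IPA_CMD hostgroup-add "$HOSTGROUP" --desc="IPA servers and replicas"
}

# Step 2: add one replica FQDN to the host group (call once per replica).
add_replica_to_hostgroup() {
    $IPA_CMD hostgroup-add-member "$HOSTGROUP" --hosts="$1"
}

# Step 3: HBAC rule: members of the admins group may use any PAM service
# (--servicecat=all) on any host in the host group.
create_admin_rule() {
    $IPA_CMD hbacrule-add "$RULE" --servicecat=all --desc="admins may log in to IPA servers"
    $IPA_CMD hbacrule-add-user "$RULE" --groups=admins
    $IPA_CMD hbacrule-add-host "$RULE" --hostgroups="$HOSTGROUP"
}

# Safety check: simulate admin -> sshd on host $1 evaluating ONLY the new rule,
# i.e. the situation that will exist once allow_all is disabled.
check_admin_access() {
    $IPA_CMD hbactest --user=admin --host="$1" --service=sshd --rules="$RULE"
}

# Only after the check passes is it safe to switch off the catch-all rule.
# hbactest reports "Access granted: True" on success; on a dry run (IPA_CMD=echo)
# that string never appears, so allow_all is left untouched.
disable_allow_all_if_safe() {
    if check_admin_access "$1" | grep -q "Access granted: True"; then
        $IPA_CMD hbacrule-disable allow_all
        return 0
    fi
    echo "admin access to $1 not confirmed; leaving allow_all enabled" >&2
    return 1
}

# Usage: IPA_CMD=echo sh hbac-ipaservers.sh replica1.example.test replica2.example.test
# (dry run; drop IPA_CMD=echo and run with a valid admin Kerberos ticket for real).
if [ "$#" -gt 0 ]; then
    create_server_hostgroup
    for h in "$@"; do add_replica_to_hostgroup "$h"; done
    create_admin_rule
    disable_allow_all_if_safe "$1" || true
fi
```

Replica removal (step 2's "might be left to administrator") is the reverse call, `ipa hostgroup-remove-member`; a decommissioned replica left in the group keeps matching the rule, so it is worth pruning when a replica is deleted.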
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=826748
Moving to backlog.
Metadata Update from @dpal:
- Issue assigned to rcritten
- Issue set to the milestone: Ticket Backlog
Thank you for taking the time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.
Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.
Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)