#8047 Response from hbactest either too long or too short on IPA directories with many HBAC rules.
Opened 3 months ago by aethylred. Modified a month ago

Request for enhancement

As an IPA user, I want to see which HBAC rules allow access to a service so that I can see why I've been allowed permission to access that service. However, the normal output is too long and --nodetail is too short.

Issue

If there are many HBAC rules the output is very long, but using the --nodetail option removes all matched rules. Users and admins would like to just see the matched rules that authorise access to the service first, before checking the list of unmatched rules or all rules.

Steps to Reproduce

  1. Have an IPA directory with a hundred HBAC rules or more
  2. Execute ipa hbactest --host=hostname --service=sshd --user=username
  3. Scroll back through the very long output to see which rules matched and whether the user is authorised
  4. Execute ipa hbactest --host=hostname --service=sshd --user=username --nodetail
  5. See very short output showing the user is authorised, but not which rules authorised the user

Actual behavior

Output is either very long, or too brief.

Expected behavior

It was expected that --nodetail would include matched HBAC rules, but maybe there should be a --match and --nomatch argument that shows matched and unmatched rules respectively so that the behaviour of --nodetail does not change.

Version/Release/Distribution

$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.6.4-10.el7_6.3.x86_64
ipa-client-4.6.4-10.el7_6.3.x86_64
389-ds-base-1.3.8.4-23.el7_6.x86_64
pki-ca-10.5.9-13.el7_6.noarch
krb5-server-1.15.1-37.el7_6.x86_64

Additional info:

N/A
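One way to get the "matched rules only" view the ticket asks for today is to post-process the detailed hbactest output. The following is an added example, not FreeIPA project code or anything from this ticket; it assumes the detailed output prints the decision as "Access granted: True|False" and one rule per line as "Matched rules: <name>" / "Not matched rules: <name>", and the sample output it parses is constructed.

```python
import re
import subprocess
from typing import Dict, List

# Constructed sample of detailed `ipa hbactest` output (assumed format).
SAMPLE_OUTPUT = """\
--------------------
Access granted: True
--------------------
  Matched rules: allow_sshd_admins
  Not matched rules: allow_all
  Not matched rules: allow_vpn_users
  Not matched rules: allow_ftp
"""

_GRANTED = re.compile(r"^Access granted:\s*(True|False)\s*$")
_RULE = re.compile(r"^\s*(Matched|Not matched) rules:\s*(.+?)\s*$")


def parse_hbactest(text: str) -> Dict[str, object]:
    """Split hbactest output into the decision and the two rule lists."""
    result: Dict[str, object] = {"granted": False, "matched": [], "notmatched": []}
    for line in text.splitlines():
        m = _GRANTED.match(line)
        if m:
            result["granted"] = m.group(1) == "True"
            continue
        m = _RULE.match(line)
        if m:
            key = "matched" if m.group(1) == "Matched" else "notmatched"
            result[key].append(m.group(2))  # type: ignore[union-attr]
    return result


def summarize(text: str, show_unmatched: bool = False) -> str:
    """Short report: the decision and exactly which rules authorised it."""
    r = parse_hbactest(text)
    matched: List[str] = r["matched"]  # type: ignore[assignment]
    lines = [f"Access granted: {r['granted']}",
             "Matched rules: " + (", ".join(matched) or "(none)")]
    if show_unmatched:  # the long tail, only on request
        lines.append(f"Not matched rules ({len(r['notmatched'])}): "
                     + ", ".join(r["notmatched"]))  # type: ignore[arg-type]
    return "\n".join(lines)


def run_hbactest(host: str, service: str, user: str) -> str:
    """Run the real command against the directory (needs a Kerberos ticket)."""
    cmd = ["ipa", "hbactest", f"--host={host}", f"--service={service}", f"--user={user}"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print(summarize(SAMPLE_OUTPUT))
```

Replace SAMPLE_OUTPUT with run_hbactest(...) to apply it to a live directory; a granted decision should always come with at least one matched rule, so an empty "Matched rules" line alongside "Access granted: True" is worth investigating.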


Can you provide more details on what the "goldilocks" output would look like to you? Do you just want the authorizing rule to display?

To expand on that, because you already provided some guidance, do you have any suggestions on how the output should be displayed? Adding options is fine but each one extends the test matrix so we like to limit them.

Metadata Update from @pcech:
- Issue tagged with: Falcon

a month ago

@aethylred please respond to @rcritten's request -- we really need more details before considering a fix for this issue.

Metadata Update from @abbra:
- Issue untagged with: Falcon

a month ago
