As an IPA user, I want to see which HBAC rules allow access to a service so that I can see why I've been allowed permission to access that service. However the normal output is too long and --nodetail is too short.
--nodetail
If there are many HBAC rules the output is very long, but using the --nodetail option removes all matched rules. Users and admins would like to just see the matched rules that authorise access to the service first, before checking the list of unmatched rules or all rules.
ipa hbactest --host=hostname --service=sshd --user=username
ipa hbactest --host=hostname --service=sshd --user=username --nodetail
Output is either very long or too brief.
It was expected that --nodetail would include matched HBAC rules, but maybe there should be --match and --nomatch arguments that show matched and unmatched rules respectively, so that the behaviour of --nodetail does not change.
--match
--nomatch
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.6.4-10.el7_6.3.x86_64
ipa-client-4.6.4-10.el7_6.3.x86_64
389-ds-base-1.3.8.4-23.el7_6.x86_64
pki-ca-10.5.9-13.el7_6.noarch
krb5-server-1.15.1-37.el7_6.x86_64
N/A
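Until the CLI grows a --match/--nomatch switch, the "matched rules only" view the ticket asks for can be produced by filtering the detailed output. The following is an added example (editor's code, not part of the ticket and not FreeIPA's own code). It assumes, as the current ipa client prints, that the detailed hbactest output contains an "Access granted: True|False" verdict line followed by one line per rule of the form "  Matched rules: NAME" or "  Not matched rules: NAME"; check that against your ipa version before relying on it. The function names hbac_filter and hbac_explain, and the sample output, are the editor's and are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the ticket or from FreeIPA): reduce `ipa hbactest`
# detailed output to the section a user actually wants to read.
#
# Assumed output format (verify on your ipa version):
#   Access granted: True
#     Matched rules: NAME         (one line per matching rule)
#     Not matched rules: NAME     (one line per non-matching rule)

# hbac_filter MODE   reads hbactest output on stdin and prints:
#   verdict  -> "True" or "False" (roughly what --nodetail shows)
#   match    -> only the rules that granted access, one name per line
#   nomatch  -> only the rules that did not match, one name per line
#   all      -> the output unchanged
hbac_filter() {
    case "$1" in
        verdict) sed -n 's/^Access granted: //p' ;;
        match)   sed -n 's/^ *Matched rules: //p' ;;      # "Not matched" lines do not match this
        nomatch) sed -n 's/^ *Not matched rules: //p' ;;
        all)     cat ;;
        *) echo "usage: hbac_filter verdict|match|nomatch|all" >&2; return 2 ;;
    esac
}

# hbac_explain MODE HBACTEST_ARGS...   the wrapper a user would type instead of
# `ipa hbactest ... --nodetail`; needs a working ipa client and a Kerberos ticket.
#   e.g. hbac_explain match --host=hostname --service=sshd --user=username
hbac_explain() {
    mode=$1
    shift
    ipa hbactest "$@" | hbac_filter "$mode"
}

# Constructed sample of hbactest output so the block runs stand-alone
# (this is NOT real output from the reporter's server).
SAMPLE='--------------------
Access granted: True
--------------------
  Matched rules: allow_sshd_admins
  Not matched rules: allow_all_weekends
  Not matched rules: deny_contractors'

# Stand-alone demo: show only the rule that authorised access.
printf '%s\n' "$SAMPLE" | hbac_filter match
```

Rule names may contain spaces, which is why the filter keeps the whole remainder of each line rather than the first word. The "all" mode is there so a user can escalate from the matched rules to the full list with the same wrapper, which is the reading order the ticket describes.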
Can you provide more details on what the "goldilocks" output would look like to you? Do you just want the authorizing rule to display?
To expand on that, because you already provided some guidance, do you have any suggestions on how the output should be displayed? Adding options is fine but each one extends the test matrix so we like to limit them.
Metadata Update from @pcech: - Issue tagged with: Falcon
@aethylred please respond to @rcritten's request -- we really need more details before considering fixing this issue.
Metadata Update from @abbra: - Issue untagged with: Falcon
Metadata Update from @rcritten: - Issue close_status updated to: insufficientinfo - Issue status updated to: Closed (was: Open)