


Regras HBAC

Regra que dá acesso a todos os hosts e serviços ao grupo linuxadm (categoria de host e de serviço = all; o escopo do acesso é limitado apenas pelos membros do grupo).

[root@sp-spo-ipa:~]# ipa hbacrule-add --hostcat=all --servicecat=all --desc='linux admins all access' linuxadm_hbac
-------------------------------
Added HBAC rule "linuxadm_hbac"
-------------------------------
  Rule name: linuxadm_hbac
  Host category: all
  Service category: all
  Description: linux admins all access
  Enabled: TRUE
[root@sp-spo-ipa:~]# ipa hbacrule-add-user --groups=linuxadm linuxadm_hbac
  Rule name: linuxadm_hbac
  Host category: all
  Service category: all
  Description: linux admins all access
  Enabled: TRUE
  User Groups: linuxadm
-------------------------
Number of members added 1
-------------------------

Desabilitando a regra geral allow_all, que dá acesso a todos os usuários. A regra linuxadm_hbac já foi criada no passo anterior, de modo que os administradores continuam com acesso após a desativação; o hbactest abaixo confirma que o acesso passa a depender apenas da nova regra.

[root@sp-spo-ipa:~]# ipa hbacrule-disable allow_all
------------------------------
Disabled HBAC rule "allow_all"
------------------------------
[root@sp-spo-ipa:~]# ipa hbactest --user=gean.martins --host=sp-spo-ipa.juntotelecom.com.br --service=ssh
--------------------
Access granted: True
--------------------
  Matched rules: linuxadm_hbac
  Not matched rules: allow_systemd-user
[root@sp-spo-ipa:~]# ipa hbactest --user=gean.martins --host=sp-spo-ipa.juntotelecom.com.br --service=ssh --rules=linuxadm_hbac
--------------------
Access granted: True
--------------------
  Matched rules: linuxadm_hbac
[root@sp-spo-ipa:~]# ipa hbacrule-show linuxadm_hbac
  Rule name: linuxadm_hbac
  Host category: all
  Service category: all
  Description: linux admins all access
  Enabled: TRUE
  User Groups: linuxadm
[root@sp-spo-ipa:~]# ipa hbacrule-show linuxadm_hbac --all --raw
  dn: ipaUniqueID=f7f2ba90-9525-11ea-b53c-000c29ad9330,cn=hbac,dc=juntotelecom,dc=com,dc=br
  cn: linuxadm_hbac
  hostcategory: all
  servicecategory: all
  description: linux admins all access
  ipaenabledflag: TRUE
  memberuser: cn=linuxadm,cn=groups,cn=accounts,dc=juntotelecom,dc=com,dc=br
  accessRuleType: allow
  ipaUniqueID: f7f2ba90-9525-11ea-b53c-000c29ad9330
  objectClass: ipaassociation
  objectClass: ipahbacrule