Warning

This is a design page. It was used to design and discuss the initial implementation of the change. However, the state of this document does not necessarily correspond to the current state of the implementation since we do not keep this document up to date with further changes and bug fixes.

Generate an access control report for IPA domains

https://pagure.io/SSSD/sssd/issue/2840

Some environments require, for auditing reasons, that an access control report be generated on the IPA client itself. While it can be argued that generating these reports on the IPA servers instead would provide a nicer experience, audit requirements sometimes mandate a tool that is run on the host.

As the owner of an IPA client I need to know which users have access to this client. I want to run a tool on the host and get a report of who can access it.

The report must contain information about HBAC rules. In the future, SUDO rules would be nice to have as well.

A new sssctl command called access-report will be added. For now this command will only be implemented for IPA domains; other domain types will just return an error.

In this version, only a human-readable output will be provided.

No configuration changes are needed; only the new tool will be implemented.

In order to trigger a refresh of the rules by the sssd_be process, the Data Provider will be enhanced with a new sbus (SSSD's internal D-Bus) method, org.freedesktop.sssd.DataProvider.AccessControl.

This method will trigger the same async requests that the PAM access phase normally issues, which fetch and save the IPA HBAC rules. This means that the same rate-limiting by the ipa_hbac_refresh option applies to this request as if it had been called via the PAM access phase. Additionally, this method will be exposed over the public D-Bus InfoPipe responder via a new RefreshAccessRules method. As with the other InfoPipe methods, only root can call it by default.

Finally, this new D-Bus method will be called from the sssctl access-report command when it is run, in order to populate the ldb cache with fresh HBAC rules.

To print the rules, the tool will simply call ldb_search, retrieve all objects with objectclass ipaHbacRule, and print the RDN value of each memberUser (users and user groups) and memberService (services and service groups) together with the category attributes. By default, groups will not be unrolled: the getgrnam interface limits group nesting by default, so it is better to print just the group name rather than all of the group members.

In the future, the tool should print its output in both human-readable and machine-readable formats. For machine-readable output, JSON is the best choice, since the KCM responder already depends on libjansson. This enhancement is tracked in ticket #3581.
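The report logic described above (filter the cache for ipaHbacRule objects, print the RDN values of memberUser and memberService plus the category attributes) and the machine-readable JSON variant listed as future work, as an added example in Python that is not SSSD's own code. It consumes the LDIF that ldbsearch prints for the cache rather than calling ldb_search from C. SAMPLE_LDIF is constructed input; the sysdb DN layout and the IPA conventions used to label entries (uid=... for users, cn=...,cn=groups for groups, cn=...,cn=hbacservicegroups for service groups) are assumptions, not something the design page specifies.

```python
#!/usr/bin/env python3
"""Build an HBAC access report from ipaHbacRule entries (added example).

Input is an LDIF dump such as `ldbsearch -H <cache.ldb> objectClass=ipaHbacRule`
would print.  Only the attributes the design names are reported; groups are
printed by name and never unrolled.
"""
import json

# Constructed sample input.  DNs and IDs are assumptions modelled on the IPA
# tree and the sssd sysdb custom-object layout, not real cache contents.
SAMPLE_LDIF = """\
dn: cn=0c6a8a3e,cn=hbac,cn=custom,cn=ipa.test,cn=sysdb
objectClass: ipaHbacRule
cn: allow_admins_ssh
ipaEnabledFlag: TRUE
memberUser: cn=admins,cn=groups,cn=accounts,dc=ipa,dc=test
memberUser: uid=alice,cn=users,cn=accounts,dc=ipa,dc=test
memberService: cn=sshd,cn=hbacservices,cn=hbac,dc=ipa,dc=test
memberService: cn=Sudo,cn=hbacservicegroups,cn=hbac,dc=ipa,dc=test
hostCategory: all

dn: cn=8f1d42b7,cn=hbac,cn=custom,cn=ipa.test,cn=sysdb
objectClass: ipaHbacRule
cn: allow_all
ipaEnabledFlag: TRUE
userCategory: all
serviceCategory: all
hostCategory: all

dn: name=alice@ipa.test,cn=users,cn=ipa.test,cn=sysdb
objectClass: user
name: alice@ipa.test
"""


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attr: [values]} dicts.

    Folded lines (leading space) are joined, '#' comments such as
    ldbsearch's '# returned N records' are skipped, base64 ('::') values
    are ignored because none of the attributes reported here use them.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:          # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep or value.startswith(":"):
            continue
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def rdn(dn):
    """Return (attribute, value) of the first RDN, honouring escaped commas."""
    out, i = [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            out.append(dn[i + 1])
            i += 2
            continue
        if c == ",":
            break
        out.append(c)
        i += 1
    attr, _, value = "".join(out).partition("=")
    return attr.strip().lower(), value.strip()


def hbac_rules(entries):
    """Keep only entries whose objectClass includes ipaHbacRule."""
    return [e for e in entries
            if "ipahbacrule" in {v.lower() for v in e.get("objectclass", [])}]


def summarize(rule):
    """Reduce one rule to the fields the report prints."""
    users, groups, services, service_groups = [], [], [], []
    for dn in rule.get("memberuser", []):
        attr, value = rdn(dn)
        (users if attr == "uid" else groups).append(value)   # assumption: uid => user
    for dn in rule.get("memberservice", []):
        _, value = rdn(dn)
        (service_groups if ",cn=hbacservicegroups," in dn.lower() else services).append(value)
    first = lambda a: rule.get(a, [""])[0]
    return {
        "name": first("cn") or "?",
        "enabled": first("ipaenabledflag").upper() == "TRUE",
        "user_category": first("usercategory"),
        "service_category": first("servicecategory"),
        "host_category": first("hostcategory"),
        "users": sorted(users), "groups": sorted(groups),
        "services": sorted(services), "service_groups": sorted(service_groups),
    }


def report(text):
    return [summarize(r) for r in hbac_rules(parse_ldif(text))]


def _names(values, category):
    if category:                       # e.g. userCategory=all overrides members
        return "%s (category)" % category
    return ", ".join(values) if values else "-"


def render_text(summaries):
    """Human-readable output, the only format the first version provides."""
    out = []
    for s in summaries:
        out.append("Rule: %s (%s)" % (s["name"], "enabled" if s["enabled"] else "disabled"))
        out.append("  users:          %s" % _names(s["users"], s["user_category"]))
        out.append("  user groups:    %s" % _names(s["groups"], ""))
        out.append("  services:       %s" % _names(s["services"], s["service_category"]))
        out.append("  service groups: %s" % _names(s["service_groups"], ""))
        out.append("  host category:  %s" % (s["host_category"] or "-"))
    return "\n".join(out)


def render_json(summaries):
    """Machine-readable variant (the design lists JSON output as future work)."""
    return json.dumps(summaries, indent=2)


if __name__ == "__main__":
    print(render_text(report(SAMPLE_LDIF)))
```

Feeding it real data means dumping the domain's cache with ldbsearch (as root, since the cache is not world-readable) after RefreshAccessRules has been called, so the report reflects the same rules the PAM access phase would evaluate; a stale cache gives a stale report.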

Additionally, for HBAC rules linked to a group, it might be handy to unroll the group members and print them if the administrator wishes. This enhancement is tracked in ticket #3580.

Run sssctl access-report on an IPA client with different HBAC rules stored in the cache and make sure all options produce the desired results.

Debug messages will be added to the tool itself. To compare the output with the cache contents, the ldbsearch tool can be used; the ipa administration tool can be used to display the server-side HBAC rules.