Ideally, a command/script I can run on each host that outputs a list of users that can log in to that host.
I found this: FreeIPA Issue #7199 [RFE] Central report that will show who can access which systems (attestation) https://pagure.io/freeipa/issue/7199 and followed it upstream to this BugZilla Bug 1492993 - [RFE] Central report that will show who can access which systems (attestation) https://bugzilla.redhat.com/show_bug.cgi?id=1492993 which says it is targeted for RHEL 8!
Is there any way to do this in the meantime? I can get a list of users, but how do I get to the HBAC rules to filter them?
______________________________________________________________________________________________
Daniel E. White daniel.e.white@nasa.gov NICS Linux Engineer NASA Goddard Space Flight Center 8800 Greenbelt Road Building 14, Room E175 Greenbelt, MD 20771 Office: (301) 286-6919 Mobile: (240) 513-5290
White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users wrote:
> Ideally, a command/script I can run on each host that outputs a list of users that can log in to that host.
> I found this: FreeIPA Issue #7199 [RFE] Central report that will show who can access which systems (attestation) https://pagure.io/freeipa/issue/7199
> and followed it upstream to this BugZilla Bug 1492993 - [RFE] Central report that will show who can access which systems (attestation) https://bugzilla.redhat.com/show_bug.cgi?id=1492993
> which says it is targeted for RHEL 8!
I wouldn't read too much into that, it mostly just says that it has no chance of making it into RHEL 7.
> Is there any way to do this in the meantime?
> I can get a list of users, but how do I get to the HBAC rules to filter them?
There is no way now other than running hbac-test iteratively for all your users and hosts. It'd be quite resource-intensive and I imagine slow depending on the number of hosts and users; something to run overnight, I imagine.
You might be able to be clever about it depending on your rules if you know, for instance, that a certain set of hosts don't allow ssh access (or is limited to a single group).
rob
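An added example of the per-host loop Rob describes (editor's code, not from FreeIPA and not posted by anyone in the thread): for one host and one HBAC service, enumerate users with `ipa user-find` and ask the server once per user with `ipa hbactest`, printing only those granted. It assumes the ipa client tools are installed and the caller already holds a Kerberos ticket for a principal allowed to read users and run hbactest (e.g. after `kinit admin`). The `IPA_CMD` variable and the `list_users` / `hbac_allowed` / `report_host` names are this script's own, not FreeIPA settings or commands.

```bash
#!/usr/bin/env bash
# Added example for this thread: report which users an HBAC service admits on a
# host by running `ipa hbactest` once per user (the iterative approach Rob
# suggests). Not FreeIPA code.
#
# Assumptions: ipa client tools installed; a Kerberos ticket for a principal that
# may read users and run hbactest. IPA_CMD is this script's own knob so a stub
# can stand in for the real `ipa` binary in tests; it is not a FreeIPA setting.
IPA_CMD="${IPA_CMD:-ipa}"

# Print the login names of IPA users, optionally restricted to one group so a
# host whose rules only ever admit group X is not tested against every account.
# --raw prints "uid: name" attribute lines (easier to parse than the localized
# "User login:" labels); --sizelimit=0 lifts the default result cap.
list_users() {
    local group="$1"
    if [ -n "$group" ]; then
        "$IPA_CMD" user-find --sizelimit=0 --raw --in-groups="$group"
    else
        "$IPA_CMD" user-find --sizelimit=0 --raw
    fi | awk '/^[[:space:]]*uid: / { print $2 }'
}

# Succeed only when the server prints "Access granted: True" for this
# user/host/service. The text is matched rather than the exit status so that a
# failed call (no ticket, server unreachable) never reads as a grant; it shows
# up as a denial, which is the safe direction for an attestation report.
hbac_allowed() {
    local user="$1" host="$2" service="$3"
    "$IPA_CMD" hbactest --user="$user" --host="$host" --service="$service" 2>/dev/null \
        | grep -q 'Access granted: True'
}

# Emit, one per line, the users allowed to use SERVICE (default sshd) on HOST,
# optionally drawn only from GROUP. One server round trip per user, so expect
# minutes to hours on large directories; suited to a nightly job.
report_host() {
    local host="$1" service="${2:-sshd}" group="$3" user
    list_users "$group" | while IFS= read -r user; do
        if hbac_allowed "$user" "$host" "$service"; then
            printf '%s\n' "$user"
        fi
    done
}

# Usage: ./hbac-report.sh HOST [SERVICE] [GROUP]
# e.g.   ./hbac-report.sh web01.example.com sshd
# With no arguments nothing runs, so the file can also be sourced for its functions.
if [ "$#" -gt 0 ]; then
    report_host "$@"
fi
```

Two caveats for anyone turning this into a nightly attestation job: hbactest evaluates the rules as the server holds them for the named service only, so checking `sshd` alone says nothing about console `login`, `su` or `sudo` rules, and disabled accounts are not filtered out by the rule evaluation, so the output should be cross-checked against account lock status before it is handed to an auditor. Running the loop for many hosts from one machine is easily parallelized with `xargs -P`, but each call is an authenticated API request, so keep an eye on the load you put on the IPA masters.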
Thanks, Rob. I was considering something like that.
I was thinking of each host running through the users, filtering a bit by groups, for access to that host. This would be, as suggested, run no more than once daily, overnight.
From: Rob Crittenden rcritten@redhat.com
Date: Friday, December 27, 2019 at 21:33
To: FreeIPA users list freeipa-users@lists.fedorahosted.org
Cc: Daniel White daniel.e.white@nasa.gov
Subject: [EXTERNAL] Re: [Freeipa-users] Looking for a way to get a list of users that can log in to a server