Hey folks,
We are running a lot of servers, we nearly exhausted and allocated our /29 ipv6 allocation*.
Let's say we have 10 really, really important servers that only a handful of people should be able to access. Everyone else not.
So I have a fixed group of known "critical servers" and a dynamic, ever changing group of "the rest". As I have not yet found a "negate" option what is the smartest way to allow a fixed group to a fixed set of servers, while everyone else has access to everything else but this?
Thanks and have a great weekend folks! -Chris.
* Alternate facts disclaimer: The given number has been optimized to impress, bedazzle and to intimidate. The real number of hosts might be substantially smaller.
Hey,
I take it this is not possible and no one does this?
-Chris.
On 26/07/2019 17:00, Christian Reiss via FreeIPA-users wrote:
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Christian Reiss via FreeIPA-users wrote:
Hey,
I take it this is not possible and no one does this?
It is not possible. HBAC only provides allow rules.
rob
Christina, the easiest way to handle your situation is to create a new group for allowed hosts, add all current hosts then remove the 10 you care about. Finally set up an auto-membership rule so all new hosts are automatically added to that group.
You will have to monitor/remove any new "special" server you may add, but this will work to obtain your "negate" rule in an easily maintainable way.
HTH, Simo.
On Mon, 2019-07-29 at 11:31 -0400, Rob Crittenden via FreeIPA-users wrote:
Christian Reiss via FreeIPA-users wrote:
Hey,
I take it this is not possible and no one does this?
It is not possible. HBAC only provides allow rules.
rob
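Simo's recipe above, written out as the ipa(1) commands an admin would run. This is an added example, not code from the thread or from the FreeIPA project; the host groups critical-hosts and allowed-hosts, the user groups critical-admins and ipausers, the rule names and every hostname and user in it are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from the FreeIPA project:
# Simo's "negate by construction" recipe spelled out as ipa(1) commands.
# Assumptions: the host groups "critical-hosts" and "allowed-hosts", the user
# groups "critical-admins" and "ipausers", the HBAC rule names and every
# hostname and user below are constructed for this example.
set -eu

# DRY_RUN=1 (default) only prints each ipa command; run with DRY_RUN=0 on an
# enrolled client holding an admin Kerberos ticket to apply them for real.
DRY_RUN=${DRY_RUN:-1}
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Constructed inventory: all enrolled hosts, and the few that stay off-limits.
ALL_HOSTS="web1.example.test web2.example.test db1.example.test vault1.example.test kdc1.example.test"
CRITICAL_HOSTS="vault1.example.test kdc1.example.test"

# allowed_hosts "ALL" "CRITICAL": prints ALL minus CRITICAL, one per line.
# This is the "add everything, then remove the critical ones" step as a pure
# set difference, so it can be checked without an IPA server.
allowed_hosts() {
    for h in $1; do
        keep=1
        for c in $2; do
            if [ "$h" = "$c" ]; then keep=0; fi
        done
        if [ "$keep" = 1 ]; then printf '%s\n' "$h"; fi
    done
    return 0
}

# csv "LIST": newline-separated list -> the comma-separated form ipa expects.
csv() { printf '%s' "$1" | tr '\n' ','; }

setup_hbac() {
    everyone=$(csv "$(allowed_hosts "$ALL_HOSTS" "$CRITICAL_HOSTS")")
    critical=$(printf '%s' "$CRITICAL_HOSTS" | tr ' ' ',')

    # 1. The fixed set: the critical servers and the one rule that reaches them.
    run ipa hostgroup-add critical-hosts --desc="restricted-access servers"
    run ipa hostgroup-add-member critical-hosts --hosts="$critical"
    run ipa hbacrule-add critical-access --servicecat=all
    run ipa hbacrule-add-host critical-access --hostgroups=critical-hosts
    run ipa hbacrule-add-user critical-access --groups=critical-admins

    # 2. The "negated" set: every current host except the critical ones.
    run ipa hostgroup-add allowed-hosts --desc="everything except critical-hosts"
    run ipa hostgroup-add-member allowed-hosts --hosts="$everyone"
    run ipa hbacrule-add general-access --servicecat=all
    run ipa hbacrule-add-host general-access --hostgroups=allowed-hosts
    run ipa hbacrule-add-user general-access --groups=ipausers

    # 3. Automembership: any host enrolled from now on lands in allowed-hosts.
    #    A newly enrolled critical server lands there too; that is the
    #    monitor-and-remove caveat from the thread.
    run ipa automember-add --type=hostgroup allowed-hosts
    run ipa automember-add-condition --type=hostgroup --key=fqdn \
        --inclusive-regex='.*' allowed-hosts

    # 4. Nothing above restricts anything while the default allow_all rule is on.
    run ipa hbacrule-disable allow_all
}

# verify_hbac: have the server evaluate the rules for a few user/host pairs.
# Expected once applied: alice (in critical-admins) reaches vault1, bob does
# not, and both still reach web1 through general-access.
verify_hbac() {
    run ipa hbactest --user=alice --host=vault1.example.test --service=sshd
    run ipa hbactest --user=bob --host=vault1.example.test --service=sshd
    run ipa hbactest --user=bob --host=web1.example.test --service=sshd
}

setup_hbac
verify_hbac
```

The existing hosts are added explicitly because an automember rule only fires when a host is enrolled; `ipa automember-rebuild --type=hostgroup` would reapply it to existing entries, but with a `.*` condition it would also put the critical hosts back into allowed-hosts. Disabling allow_all is the step that makes the two allow rules mean anything. Going beyond what the thread describes: if the critical servers share a naming pattern, an `--exclusive-regex` condition on the same automember rule keeps new ones out without manual removal.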
On Mon, 2019-07-29 at 11:47 -0400, Simo Sorce via FreeIPA-users wrote:
Christina,
apologies for the typo, I meant "Christian" of course.
-- Simo Sorce RHEL Crypto Team Red Hat, Inc
Hey,
Auto membership. Perfect. Yes, that was what I was looking for. The fixed group does not change, and with that I can do precisely that.
Thanks! -Christina ;)
On 29/07/2019 17:47, Simo Sorce wrote: