Hi list,
Is there a known repository with an existing ManageIQ/Cloudforms Automate framework for FreeIPA?
I am primarily looking for the ability to create HBAC and SUDO rules as part of the provisioning process.
Thanks.
Regards,
Siggi
Sigbjorn Lie-Soland via FreeIPA-users wrote:
Hi list,
Is there a known repository with an existing ManageIQ/Cloudforms Automate framework for FreeIPA?
I am primarily looking for the ability to create HBAC and SUDO rules as part of the provisioning process.
You may be able to do it using automember hostgroups: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
If some regular expression is matched when a host is added it can be added automatically to a hostgroup. You can then define HBAC and SUDO rules to grant access via that hostgroup.
fqdn was the original idea for the matching rule. The user who contributed the feature used a specific naming pattern for his hosts (webserver-1234, mailserver-98aa, etc). So it was straightforward.
rob
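The approach described in the reply above, written out with the `ipa` command-line client as an added example that is not part of the original thread. The hostgroup, user group, rule names, sudo command and the `example.test` domain are constructed, and the user group is assumed to exist already.

```shell
#!/bin/sh
# Added example: names (webservers, webadmins, example.test, rule names) are constructed.
# Prints the ipa commands by default; APPLY=1 runs them (needs an admin Kerberos ticket).
HOSTGROUP=webservers
USERGROUP=webadmins          # assumed to exist already
SUDOCMD='/usr/bin/systemctl restart httpd'
# Anchored at both ends: hostgroup membership is what the HBAC/SUDO rules grant on.
FQDN_REGEX='^webserver-[0-9a-f]{4}\.example\.test$'

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

# Offline preview of the inclusive regex (assumes grep -E agrees with the
# directory server's regex engine for a pattern this simple).
would_match() { printf '%s\n' "$1" | grep -Eq -- "$FQDN_REGEX"; }

setup_rules() {
  # Hostgroup plus the automember rule that fills it when a host is added.
  run ipa hostgroup-add "$HOSTGROUP"
  run ipa automember-add --type=hostgroup "$HOSTGROUP"
  run ipa automember-add-condition --type=hostgroup "$HOSTGROUP" \
      --key=fqdn --inclusive-regex="$FQDN_REGEX"
  # HBAC: members of $USERGROUP may use sshd on hosts in the hostgroup.
  run ipa hbacrule-add "${HOSTGROUP}_ssh"
  run ipa hbacrule-add-user "${HOSTGROUP}_ssh" --groups="$USERGROUP"
  run ipa hbacrule-add-host "${HOSTGROUP}_ssh" --hostgroups="$HOSTGROUP"
  run ipa hbacrule-add-service "${HOSTGROUP}_ssh" --hbacsvcs=sshd
  # SUDO: the same users may run one command on the same hostgroup.
  run ipa sudocmd-add "$SUDOCMD"
  run ipa sudorule-add "${HOSTGROUP}_restart"
  run ipa sudorule-add-user "${HOSTGROUP}_restart" --groups="$USERGROUP"
  run ipa sudorule-add-host "${HOSTGROUP}_restart" --hostgroups="$HOSTGROUP"
  run ipa sudorule-add-allow-command "${HOSTGROUP}_restart" --sudocmds="$SUDOCMD"
}

setup_rules
```

FreeIPA's default `allow_all` HBAC rule stays in effect until it is disabled, so the new HBAC rule only restricts access after that. `ipa hbactest --user=alice --host=webserver-1234.example.test --service=sshd` (constructed names) checks the resulting decision.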
Hi Rob,
Thank you for your reply.
Yes, I am aware of the automember functionality. I’ve configured several automember rules matching the objectclass, which is populated by Satellite with the Satellite hostgroup, and some automember rules matching the fqdn. Automember is an awesome functionality! However, automember does not cover all use cases, unfortunately.
If I am to understand the response correctly, there is currently no publicly known automate code for ManageIQ/Cloudforms for IPA?
Regards, Siggi
Sigbjorn Lie-Soland wrote:
Hi Rob,
Thank you for your reply.
Yes, I am aware of the automember functionality. I’ve configured several automember rules matching the objectclass, which is populated by Satellite with the Satellite hostgroup, and some automember rules matching the fqdn. Automember is an awesome functionality! However, automember does not cover all use cases, unfortunately.
If I am to understand the response correctly, there is currently no publicly known automate code for ManageIQ/Cloudforms for IPA?
There could be, I don't know everything :-) It is possible they have some integration they haven't told us about, or it is usable via The Foreman or something.
rob
You don’t know everything there is to know about IPA? I’m sure that’s not true….hehe ;)
We do have IPA integrated with Satellite 6. However, the integration capabilities of Satellite 6/The Foreman are limited to creating/removing IPA host records, and creating/removing DNS forward/reverse records.
I see Ansible modules are available for managing hbacrules and sudorules. I suppose this may be a possible point of integration for Cloudforms I could investigate.
Thanks.
Regards, Siggi
On Tue, 22 Jan 2019, Sigbjorn Lie-Soland via FreeIPA-users wrote:
You don’t know everything there is to know about IPA? I’m sure that’s not true….hehe ;)
We do have IPA integrated with Satellite 6. However, the integration capabilities of Satellite 6/The Foreman are limited to creating/removing IPA host records, and creating/removing DNS forward/reverse records.
I see Ansible modules are available for managing hbacrules and sudorules. I suppose this may be a possible point of integration for Cloudforms I could investigate.
Whoever created those Ansible modules and contributed them, certainly never consulted about that with FreeIPA upstream. So we don't really have any comments on whether those are usable or useful in all cases.
Are there any plans to see modules created and maintained by FreeIPA developers, then? It would be great :)
On Tue, 22 Jan 2019, Fabien Dupont via FreeIPA-users wrote:
Are there any plans to see modules created and maintained by FreeIPA developers, then? It would be great :)
At this point we concentrate on making https://github.com/freeipa/ansible-freeipa production quality.
These roles are more important at the moment.
For generic management operations, I'm not sure the Ansible approach with manually coded 'modules' of IPA framework-provided commands makes sense at all. There needs to be more work done on making various authentication methods work (including GSSAPI) first, then ideally there should be a re-use of IPA framework dynamic metadata discovery and argument checking to avoid hardcoding various conditions and requirements.
At that point, using the Python API provided by IPA already is worth more than an effort to duplicate it without IPA itself.