14.3. Defining Host-Based Access Control Rules

Access controls, at a high level, define who has access to what. The who can be either a user or a host (the source host), and the what can be either a host (target host), service, or service group, or a combination of the three.

14.3.1. Setting Host-Based Access Control Rules in the Web UI

Click the Policy tab.
Click the Host-Based Access Control subtab, and then select the HBAC Rules link.
Click the Add link at the top of the list of host-based access control rules.
Enter the name for the rule.
Click the Add and Edit button to go immediately to set the configuration for the rule.
There are a number of configuration areas for the rule. The four basic elements are who the rule applies to, what hosts users can use to access resources (the source), what hosts allow access (the target), and, optionally, what services can be accessed.
In the Who area, select the users or user groups to which the access control rule is applied.
To apply the rule to all IPA users, select the Anyone radio button.
To apply the rule to a specific set of users or user groups:
1. Select the Specified Users and Groups radio button.
2. Click the + Add link at the right of the users list.
3. Click the checkbox by the users to add to the rule, and click the right arrows button, >>, to move the users to the selection box.
4. Click Add.
In the Accessing area, select the target hosts which can be accessed through this access control rule.
To apply the rule to all IPA hosts, select the Any Host radio button.
To apply the rule to a specific set of hosts or host groups:
1. Select the Specified Hosts and Groups radio button.
2. Click the + Add link at the right of the hosts list.
3. Click the checkbox by the hosts to include with the rule, and click the right arrows button, >>, to move the hosts to the selection box.
4. Click Add.
In the Via Service area, select specific services on the target hosts which the users are allowed to use to access target machines.
To apply the rule to all IPA hosts, select the Any Service radio button.
To apply the rule to a specific set of hosts or host groups:
1. Select the Specified Services and Groups radio button.
2. Click the + Add link at the right of the commands list.
3. Click the checkbox by the services or groups to include with the rule, and click the right arrows button, >>, to move the services to the selection box.
4. Click Add.
In the From area, select the source hosts, from which users can access the target hosts.
To apply the rule to all IPA hosts, select the Any Host radio button.
To apply the rule to a specific set of hosts or host groups:
1. Select the Specified Hosts and Groups radio button.
2. Click the + Add link at the right of the hosts list.
3. Click the checkbox by the hosts to include with the rule, and click the right arrows button, >>, to move the hosts to the selection box.
4. Click Add.

14.3.2. Setting Host-Based Access Control Rules in the Command Line

Access control rules are created using the hbacrule-* commands (listed in Table 14.1, “Host-Based Access Control Command and Options”). The first step is to create a container entry; from there, users, hosts, and services can be added to the access control entry.

The basic outline of all the access control commands is:

$ ipa hbacrule-add* options ruleName

TIP

To set every user, every host as a source host, or every host as a target, use the category options, such as --usercat=all.

Example 14.1. Granting All Access to One Host

One simple rule is to grant every user and every source host access to a single server. The first command creates the entry and uses the category options to apply every user and every host as a source host.

$ ipa hbacrule-add --usercat=all --srchostcat=all allGroup
--------------------------
Added HBAC rule "allGroup"
--------------------------
  Rule name: allGroup
  User category: all
  Source host category: all
  Enabled: TRUE

The second rule adds the target host, using the hbacrule-add-host command:

$ ipa hbacrule-add-host --hosts=server.example.com allGroup
  Rule name: allGroup
  User category: all
  Source host category: all
  Enabled: TRUE
  Successful hosts/hostgroups:
    member host: server.example.com
-------------------------
Number of members added 1
-------------------------

Example 14.2. Adding Control for a Single User to a Service

Another access control method is to specify which services users are allowed to use to access the target hosts.

First, for the user to have access to every machine, every host must be added as both a host and target. This can be done using the category options:

$ ipa hbacrule-add --hostcat=all --srchostcat=all sshd-jsmith

Since the access control rule applies to a specific user, the user is added to the rule using the hbacrule-add-user command:

$ ipa hbacrule-add-user --users=jsmith sshd-jsmith

Then, the service is added to the access control rule. (The service should have already been added to the access control system using the hbacsvc-add command.) This is the service that the user can use to connect to the machine.

$ ipa hbacrule-add-service --hbacsvcs=sshd sshd-jsmith

Example 14.3. Adding a Service Group to the Rule

While a single service can be added to a rule, it is also possible to add an entire service group. Like a single service, this uses the hbacrule-add-service command, only with the --hbacsvcgroups option that specifies the group name.

$ ipa hbacrule-add-service --hbacsvcgroups=login loginRule

Table 14.1. Host-Based Access Control Command and Options

Command	Description	Arguments	Source or Target Entry
hbacrule-add	Adds a new host-based access control rule.	--usercat=all, which applies the rule to every user --hostcat=all, which sets every host as an allowed target server --srchostcat=all, which sets every host as an allowed source server --servicecat=all, which sets every configured service as an allowed target service ruleName, which is the required unique identifier for the new rule
hbacrule-add-host	Adds a target host to the access control rule. A target host can be accessed by other servers and users in the domain.	--hosts, which adds an individual server or command-separated list of servers as an allowed target server --hostgroups, which adds a host group to the rule and every host within the host group is an allowed target server ruleName, which is the rule to which to add the target server	Target
hbacrule-add-service	Adds a service type to the rule.	--hbacsvcs, which adds an individual service type or a comma-separated list of service type as an allowed target service --hbacsvcgroups, which adds a service group to the rule and every service within the service group is an allowed target service ruleName, which is the rule to which to add the target service	Target
hbacrule-add-sourcehost	Adds a server to the list of servers that can be used to access domain services and target servers.	--hosts, which adds an individual server or command-separated list of servers as an allowed source server --hostgroups, which adds a host group to the rule and every host within the host group is an allowed source server ruleName, which is the rule to which to add the source server	Source
hbacrule-add-user	Adds a user to the access control rule. The user is then able to access any allowed target host or service within the domain, from any configured source host.	--users, which adds an individual user or command-separated list of users to the rule --groups, which adds a user group to the rule and, thus, every user within the group ruleName, which is the rule to which to add the user	Source
hbacrule-disable \| hbacrule-enable	Disables or enables a host-based access control rule. Rules can be disabled if their behavior needs to be evaluated (for troubleshooting or to test a new rule).	ruleName, which is the rule to disable or enable