Chapter 44. Configuring host-based access control rules
Use host-based access control (HBAC) rules to manage which users or user groups can access specified hosts or host groups in your Identity Management (IdM) domain. HBAC rules help you enforce granular access policies by restricting access based on users, hosts, and services.
You can use HBAC rules to achieve the following goals:
- Limit access to a specified system in your domain to members of a specific user group.
- Allow only a specific service to be used to access the systems in your domain.
By default, IdM is configured with a default HBAC rule named allow_all, which allows universal access to every host for every user via every relevant service in the entire IdM domain. HBAC rules only ever grant access: a user is allowed in if at least one enabled rule matches the user, the target host, and the service, and there are no deny rules. Consequently, as long as allow_all is enabled, any more restrictive rules you add have no practical effect.
You can fine-tune access to different hosts by replacing the default allow_all rule with your own set of HBAC rules. For centralized and simplified access control management, you can apply HBAC rules to user groups, host groups, or service groups instead of individual users, hosts, or services.
44.1. Configuring HBAC rules in an IdM domain using the WebUI
Configure host-based access control (HBAC) rules in your Identity Management (IdM) domain using the WebUI to control which users can access specific hosts and services. Replace the default allow_all rule with custom HBAC rules to enforce granular access policies.
To configure your domain for host-based access control, complete the following steps:
- Create HBAC rules in the IdM WebUI.
- Test the new HBAC rules.
- Disable the default allow_all HBAC rule.
Do not disable the allow_all rule before you have created and tested your custom HBAC rules. If you disable it first, no user can access any host in the domain.
44.1.1. Creating HBAC rules in the IdM WebUI
Create host-based access control (HBAC) rules using the Identity Management (IdM) WebUI to define which users can access specific hosts and services. HBAC rules enforce granular access policies and strengthen your security posture.
For example, this procedure shows you how to grant a single user, sysadmin, access to all systems in the domain using any service.
IdM stores the primary group of a user as a numerical value of the gidNumber attribute instead of a link to an IdM group object. For this reason, an HBAC rule can only reference a user's supplementary groups and not its primary group. If you want a rule to match a user through a group, the user must be an explicit member of that group (for example, added with ipa group-add-member); membership that exists only through the primary group is not evaluated.
Prerequisites
- User sysadmin exists in IdM.
Procedure
- Select Policy>Host-Based Access Control>HBAC Rules.
- Click Add to start adding a new rule.
- Enter a name for the rule, and click Add and Edit to open the HBAC rule configuration page.
- In the Who area, select Specified Users and Groups. Then click Add to add the users or groups.
- Select the sysadmin user from the list of Available users, click the arrow button to move it to the list of Prospective users, and click Add.
- In the Accessing area, select Any Host to apply the HBAC rule to all hosts.
- In the Via Service area, select Any Service to apply the HBAC rule to all services.
Note: Only the most common services and service groups are configured as HBAC services by default.
- To display the list of services that are currently available, select Policy>Host-Based Access Control>HBAC Services.
- To display the list of service groups that are currently available, select Policy>Host-Based Access Control>HBAC Service Groups.
To add more services and service groups, see Adding HBAC Service Entries for Custom HBAC Services and Adding HBAC Service Groups.
- To save any changes you make on the HBAC rule configuration page, click Save at the top of the page.
44.1.2. Testing HBAC rules in the IdM WebUI
Test your Identity Management (IdM) HBAC rule configuration in the IdM WebUI using simulated scenarios to discover misconfigurations and security risks before deploying rules in production.
Always test custom HBAC rules before you start using them in production.
Note that IdM does not test the effect of HBAC rules on trusted Active Directory (AD) users. Because the IdM LDAP directory does not store the AD data, IdM cannot resolve group membership of AD users when simulating HBAC scenarios.
Procedure
- Select Policy>Host-Based Access Control>HBAC Test.
- On the Who window, specify the user under whose identity you want to perform the test, and click Next.
- On the Accessing window, specify the host that the user will attempt to access, and click Next.
- On the Via Service window, specify the service that the user will attempt to use, and click Next.
- On the Rules window, select the HBAC rules you want to test, and click Next. If you do not select any rule, all rules are tested.
Select Include Enabled to run the test on all rules whose status is Enabled. Select Include Disabled to run the test on all rules whose status is Disabled. To view and change the status of HBAC rules, select Policy>Host-Based Access Control>HBAC Rules.
Important: If the test runs on multiple rules, it passes if at least one of the selected rules allows access. A rule that does not match never blocks access; it simply does not grant it.
- On the Run Test window, click Run Test.
Review the test results:
- If you see ACCESS DENIED, the user is not granted access in the test.
- If you see ACCESS GRANTED, the user is able to access the host successfully.
By default, IdM lists all the tested HBAC rules when displaying the test results.
- Select Matched to display the rules that allowed successful access.
- Select Unmatched to display the rules that did not match the tested user, host, and service combination.
44.1.3. Disabling HBAC rules in the IdM WebUI
Disable HBAC rules using the Identity Management (IdM) WebUI to temporarily deactivate access policies without permanent deletion. Disabling rules enables testing and troubleshooting while preserving rule configurations.
Disabling HBAC rules is useful when you are configuring custom HBAC rules for the first time. HBAC rules only grant access, so while the default allow_all HBAC rule is enabled it matches every access attempt and your new, more restrictive rules change nothing. To ensure that your new configuration actually takes effect, you must disable allow_all once the custom rules are in place and tested.
Procedure
- Select Policy>Host-Based Access Control>HBAC Rules.
- Select the HBAC rule you want to disable.
- Click Disable.
- Click OK to confirm that you want to disable the selected HBAC rule.
44.2. Configuring HBAC rules in an IdM domain using the CLI
Configure host-based access control (HBAC) rules in your Identity Management (IdM) domain using the CLI to control which users can access specific hosts and services. Replace the default allow_all rule with custom HBAC rules to enforce granular access policies.
To configure your domain for host-based access control, complete the following steps:
- Create HBAC rules in the IdM CLI.
- Test the new HBAC rules.
- Disable the default allow_all HBAC rule.
Do not disable the allow_all rule before creating your custom HBAC rules. If you disable it before creating your custom rules, access to all hosts for all users will be denied.
44.2.1. Creating HBAC rules in the IdM CLI
Create host-based access control (HBAC) rules using the Identity Management (IdM) CLI to define which users can access specific hosts and services. HBAC rules enforce granular access policies and strengthen your security posture.
For example, this procedure shows you how to grant a single user, sysadmin, access to all systems in the domain using any service.
IdM stores the primary group of a user as a numerical value of the gidNumber attribute instead of a link to an IdM group object. For this reason, an HBAC rule can only reference a user's supplementary groups and not its primary group. If you want a rule to match a user through a group, the user must be an explicit member of that group (for example, added with ipa group-add-member); membership that exists only through the primary group is not evaluated.
Prerequisites
- User sysadmin exists in IdM.
Procedure
- Use the ipa hbacrule-add command to add the rule:

  $ ipa hbacrule-add
  Rule name: rule_name
  ---------------------------
  Added HBAC rule "rule_name"
  ---------------------------
    Rule name: rule_name
    Enabled: True

- To apply the HBAC rule to the sysadmin user only, use the ipa hbacrule-add-user command:

  $ ipa hbacrule-add-user --users=sysadmin
  Rule name: rule_name
    Rule name: rule_name
    Enabled: True
    Users: sysadmin
  -------------------------
  Number of members added 1
  -------------------------

  Note: To apply an HBAC rule to all users, use the ipa hbacrule-mod command and specify the all user category, --usercat=all. If the HBAC rule is already associated with individual users or groups, ipa hbacrule-mod --usercat=all fails. In this situation, first remove the users and groups using the ipa hbacrule-remove-user command.

- Specify the target hosts. To apply the HBAC rule to all hosts, use the ipa hbacrule-mod command and specify the all host category:

  $ ipa hbacrule-mod rule_name --hostcat=all
  ------------------------------
  Modified HBAC rule "rule_name"
  ------------------------------
    Rule name: rule_name
    Host category: all
    Enabled: True
    Users: sysadmin

  Note: If the HBAC rule is already associated with individual hosts or host groups, ipa hbacrule-mod --hostcat=all fails. In this situation, first remove the hosts and host groups using the ipa hbacrule-remove-host command.

- Specify the target HBAC services. To apply the HBAC rule to all services, use the ipa hbacrule-mod command and specify the all service category:

  $ ipa hbacrule-mod rule_name --servicecat=all
  ------------------------------
  Modified HBAC rule "rule_name"
  ------------------------------
    Rule name: rule_name
    Host category: all
    Service category: all
    Enabled: True
    Users: sysadmin

  Note: If the HBAC rule is already associated with individual services or service groups, ipa hbacrule-mod --servicecat=all fails. In this situation, first remove the services and service groups using the ipa hbacrule-remove-service command.
Verification
Verify that the HBAC rule has been added correctly:
- Use the ipa hbacrule-find command to verify that the HBAC rule exists in IdM.
- Use the ipa hbacrule-show command to verify the properties of the HBAC rule.
- Use the
44.2.2. Testing HBAC rules in the IdM CLI
Test your Identity Management (IdM) HBAC rule configuration in the CLI by using simulated scenarios to discover misconfigurations and security risks before deploying rules in production.
Always test custom HBAC rules before you start using them in production.
Note that IdM does not test the effect of HBAC rules on trusted Active Directory (AD) users. Because the IdM LDAP directory does not store the AD data, IdM cannot resolve group membership of AD users when simulating HBAC scenarios.
Procedure
- Use the ipa hbactest command to test your HBAC rules. You can test a single HBAC rule or multiple HBAC rules.

  To test a single HBAC rule:

  $ ipa hbactest --user=sysadmin --host=server.idm.example.com --service=sudo --rules=rule_name
  ---------------------
  Access granted: True
  ---------------------
    Matched rules: rule_name

  To test multiple HBAC rules, first add a second rule that only allows sysadmin to use sshd on all hosts:

  $ ipa hbacrule-add --hostcat=all rule2_name
  $ ipa hbacrule-add-user --users sysadmin rule2_name
  $ ipa hbacrule-add-service --hbacsvcs=sshd rule2_name
    Rule name: rule2_name
    Host category: all
    Enabled: True
    Users: sysadmin
    HBAC Services: sshd
  -------------------------
  Number of members added 1
  -------------------------

  Then test both rules in one run:

  $ ipa hbactest --user=sysadmin --host=server.idm.example.com --service=sudo --rules=rule_name --rules=rule2_name
  --------------------
  Access granted: True
  --------------------
    Matched rules: rule_name
    Not matched rules: rule2_name

  In the output, Matched rules lists the rules that allowed access and Not matched rules lists the rules that did not match this user, host, and service combination. Because rule2_name only covers the sshd service, it does not match a sudo request, but access is still granted because rule_name matches. If you do not specify the --rules option, all enabled rules are evaluated. Using --rules is useful to test each rule independently.
44.2.3. Disabling HBAC rules in the IdM CLI
Disable HBAC rules using the Identity Management (IdM) CLI to temporarily deactivate access policies without permanent deletion. Disabling rules enables testing and troubleshooting while preserving rule configurations.
Disabling HBAC rules is useful when you are configuring custom HBAC rules for the first time. HBAC rules only grant access, so while the default allow_all HBAC rule is enabled it matches every access attempt and your new, more restrictive rules change nothing. To ensure that your new configuration actually takes effect, you must disable allow_all once the custom rules are in place and tested.
Procedure
Use the ipa hbacrule-disable command. For example, to disable the allow_all rule:

  $ ipa hbacrule-disable allow_all
  ------------------------------
  Disabled HBAC rule "allow_all"
  ------------------------------
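The evaluation semantics used throughout this chapter (allow-only rules, access granted if at least one enabled rule matches, category all matching everything, group references resolved through supplementary membership only, and the lockout risk of disabling allow_all too early) can be reasoned about offline. The following Python model is an added example and is not IdM or SSSD code; it reproduces those semantics so you can dry-run a planned rule set before running ipa hbactest or ipa hbacrule-disable allow_all. The users, hosts, groups, probes, and the rule names other than allow_all and rule_name are constructed for the example.

```python
"""Model of IdM host-based access control (HBAC) evaluation (added example, not IdM code).

Semantics reproduced from the chapter:
  * rules only ever allow; there are no deny rules
  * access is granted if at least one ENABLED rule matches user, host and service
  * a category of "all" matches everything in that dimension
  * group references resolve through supplementary membership (memberOf);
    the numeric primary group (gidNumber) is never consulted
"""
from __future__ import annotations

from dataclasses import dataclass, field, replace

ALL = "all"  # --usercat=all / --hostcat=all / --servicecat=all


@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    usercat: str | None = None
    hostcat: str | None = None
    servicecat: str | None = None
    users: set[str] = field(default_factory=set)
    groups: set[str] = field(default_factory=set)
    hosts: set[str] = field(default_factory=set)
    hostgroups: set[str] = field(default_factory=set)
    services: set[str] = field(default_factory=set)
    servicegroups: set[str] = field(default_factory=set)


@dataclass
class Directory:
    """Minimal stand-in for the IdM LDAP tree (constructed data)."""
    user_groups: dict[str, set[str]]     # supplementary groups (memberOf)
    user_primary_gid: dict[str, int]     # gidNumber: stored, but NOT used by HBAC
    host_groups: dict[str, set[str]]
    service_groups: dict[str, set[str]]  # HBAC service group -> member services


def rule_matches(rule: HbacRule, d: Directory, user: str, host: str, service: str) -> bool:
    """A rule grants access only if all three dimensions match."""
    user_ok = rule.usercat == ALL or user in rule.users or bool(
        rule.groups & d.user_groups.get(user, set()))
    host_ok = rule.hostcat == ALL or host in rule.hosts or bool(
        rule.hostgroups & d.host_groups.get(host, set()))
    svc_groups = {g for g, members in d.service_groups.items() if service in members}
    svc_ok = rule.servicecat == ALL or service in rule.services or bool(
        rule.servicegroups & svc_groups)
    return user_ok and host_ok and svc_ok


def hbactest(rules, d, user, host, service, only=None):
    """Simulate `ipa hbactest`: returns (granted, matched, not_matched).

    Like the CLI default, only enabled rules are evaluated; `only` mimics
    --rules=... so that a subset can be tested independently.
    """
    candidates = [r for r in rules if r.enabled and (only is None or r.name in only)]
    matched = [r.name for r in candidates if rule_matches(r, d, user, host, service)]
    not_matched = [r.name for r in candidates if r.name not in matched]
    return bool(matched), matched, not_matched


def disable(rules, name):
    """Return a copy of the rule set with `name` disabled (ipa hbacrule-disable)."""
    return [replace(r, enabled=False) if r.name == name else r for r in rules]


def lockout_check(rules, d, probes):
    """Pre-flight before `ipa hbacrule-disable allow_all`: return the
    (user, host, service) probes that are granted today ONLY because allow_all
    is enabled, i.e. the access you would lock out."""
    without = disable(rules, "allow_all")
    return [p for p in probes if hbactest(rules, d, *p)[0] and not hbactest(without, d, *p)[0]]


# --- constructed sample domain (hypothetical names) ----------------------
DIRECTORY = Directory(
    # carol's gidNumber is webops' gid, but she is not a memberOf webops,
    # so HBAC never sees her as a webops member
    user_groups={"sysadmin": {"admins"}, "bob": {"webops"}, "carol": set()},
    user_primary_gid={"sysadmin": 1000, "bob": 1001, "carol": 1001},
    host_groups={"web1.idm.example.com": {"webservers"}, "server.idm.example.com": set()},
    service_groups={"login": {"sshd", "login"}},
)

RULES = [
    HbacRule("allow_all", usercat=ALL, hostcat=ALL, servicecat=ALL),
    HbacRule("rule_name", users={"sysadmin"}, hostcat=ALL, servicecat=ALL),   # from the chapter
    HbacRule("webops_login", groups={"webops"}, hostgroups={"webservers"},
             servicegroups={"login"}),                                        # hypothetical
    HbacRule("old_sudo", enabled=False, usercat=ALL, hostcat=ALL, services={"sudo"}),
]

PROBES = [
    ("sysadmin", "server.idm.example.com", "sudo"),
    ("bob", "web1.idm.example.com", "sshd"),
    ("bob", "server.idm.example.com", "sudo"),
    ("carol", "web1.idm.example.com", "sshd"),
]

if __name__ == "__main__":
    for probe in PROBES:
        print(probe, hbactest(disable(RULES, "allow_all"), DIRECTORY, *probe))
    print("would be locked out:", lockout_check(RULES, DIRECTORY, PROBES))
```

Running the model shows the two failure modes the chapter warns about: bob keeps sudo on server.idm.example.com only through allow_all, and carol is never matched by webops_login because her webops membership exists only as a primary group. Both would lose access the moment allow_all is disabled, which is exactly what the lockout check reports before you run the real command.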
44.3. Adding HBAC service entries for custom HBAC services
You can configure any pluggable authentication module (PAM) service as a host-based access control (HBAC) service to define custom services in HBAC rules beyond the default services and service groups.
The PAM service files are located in the /etc/pam.d/ directory.
Adding a service as an HBAC service is not the same as adding a service to the domain. Adding a service to the domain makes it available to other resources in the domain, but it does not allow you to use the service in HBAC rules.
44.3.1. Adding HBAC service entries for custom HBAC services in the IdM WebUI
Create custom HBAC service entries in the Identity Management (IdM) Web UI to control access to applications and services not included in the default service list. This enables granular host-based access control for your custom services.
Procedure
- Select Policy>Host-Based Access Control>HBAC Services.
- Click Add to add an HBAC service entry.
- Enter a name for the service, and click Add.
44.3.2. Adding HBAC service entries for custom HBAC services in the IdM CLI
Create custom HBAC service entries in the Identity Management (IdM) CLI to control access to applications and services not included in the default service list. This enables granular host-based access control for your custom services.
Procedure
Use the ipa hbacsvc-add command. For example, to add an entry for the tftp service:

  $ ipa hbacsvc-add tftp
  -------------------------
  Added HBAC service "tftp"
  -------------------------
    Service name: tftp
44.4. Adding HBAC service groups
HBAC service groups can simplify HBAC rules management. For example, instead of adding individual services to an HBAC rule, you can add a whole service group.
44.4.1. Adding HBAC service groups in the IdM WebUI
Create HBAC service groups in the Identity Management (IdM) Web UI to manage multiple related services collectively in access control policies. Service groups simplify HBAC rule management by helping you to apply policies to multiple services at once.
Procedure
- Select Policy>Host-Based Access Control>HBAC Service Groups.
- Click Add to add an HBAC service group.
- Enter a name for the service group, and click Add.
- On the service group configuration page, click Add to add an HBAC service as a member of the group.
44.4.2. Adding HBAC service groups in the IdM CLI
Create HBAC service groups in the Identity Management (IdM) CLI to manage multiple related services collectively in access control policies. Service groups simplify HBAC rule management by helping you to apply policies to multiple services at once.
Procedure
- Use the ipa hbacsvcgroup-add command to add an HBAC service group. For example, to add a group named login:

  $ ipa hbacsvcgroup-add
  Service group name: login
  --------------------------------
  Added HBAC service group "login"
  --------------------------------
    Service group name: login

- Use the ipa hbacsvcgroup-add-member command to add an HBAC service as a member of the group. For example, to add the sshd service to the login group:

  $ ipa hbacsvcgroup-add-member
  Service group name: login
  [member HBAC service]: sshd
    Service group name: login
    Member HBAC service: sshd
  -------------------------
  Number of members added 1
  -------------------------