Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 22. Policy: Configuring Host-Based Access Control


IdM can control access to both machines and the services on those machines within the IdM domain. The rules define who can access what within the domain, not the level of access (which are defined by system or application settings). These access control rules grant access, with all other users and hosts implicitly denied.
This is called host-based access control because the rule defines what hosts (targets) within the domain a user is allowd to access. This access can be further broken down to users and services on those hosts.

Note

Using host-based access control requires SSSD to be installed and configured on the IdM client machine.

22.1. About Host-Based Access Control

Host-based access control rules (which are described in Chapter 22, Policy: Configuring Host-Based Access Control) can be applied to individual hosts. However, using host groups allows centralized, and potentially simplified, access control management because an access control rule only needs to be defined once and then it is applied immediately and consistently to all the hosts within the group.
Host Groups and Host-Based Access Control

Figure 22.1. Host Groups and Host-Based Access Control

Note

While access must be explicitly granted to users and hosts within the IdM domain, IdM servers are configured by default with an allow all access control rule which allows access for every host within the domain to every host within the domain.
To create an IdM server without the default allow all rule, run ipa-server-install with the --no_hbac_allow option.
The rule first defines things that can be accessed, and there are two types of entities:
  • Hosts, or target hosts, within the IdM domain.
  • Services on the target hosts. Multiple services can be combined into service groups. The service group can be modified without having to edit the access control rule itself.
The rule also sets who can have access (the IdM domain user).

Note

It is possible to use categories for users and target hosts instead of adding each one individually to the access control rule. The only supported category is all.
The entities in host-based access control rules follow the Kerberos principal entries: users, hosts (machines), and services. Users and target hosts can be added directly to host-based access control rules. However, services must be added to the host-based access control configuration first to make it available to rules, and then added to the access control rules.
Red Hat logoGithubRedditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez leBlog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

© 2024 Red Hat, Inc.