此内容没有您所选择的语言版本。

Chapter 22. Policy: Configuring Host-Based Access Control


IdM can control access to both machines and the services on those machines within the IdM domain. The rules define who can access what within the domain, not the level of access (which are defined by system or application settings). These access control rules grant access, with all other users and hosts implicitly denied.
This is called host-based access control because the rule defines what hosts (targets) within the domain a user is allowd to access. This access can be further broken down to users and services on those hosts.

Note

Using host-based access control requires SSSD to be installed and configured on the IdM client machine.

22.1. About Host-Based Access Control

Host-based access control rules (which are described in Chapter 22, Policy: Configuring Host-Based Access Control) can be applied to individual hosts. However, using host groups allows centralized, and potentially simplified, access control management because an access control rule only needs to be defined once and then it is applied immediately and consistently to all the hosts within the group.
Host Groups and Host-Based Access Control

Figure 22.1. Host Groups and Host-Based Access Control

Note

While access must be explicitly granted to users and hosts within the IdM domain, IdM servers are configured by default with an allow all access control rule which allows access for every host within the domain to every host within the domain.
To create an IdM server without the default allow all rule, run ipa-server-install with the --no_hbac_allow option.
The rule first defines things that can be accessed, and there are two types of entities:
  • Hosts, or target hosts, within the IdM domain.
  • Services on the target hosts. Multiple services can be combined into service groups. The service group can be modified without having to edit the access control rule itself.
The rule also sets who can have access (the IdM domain user).

Note

It is possible to use categories for users and target hosts instead of adding each one individually to the access control rule. The only supported category is all.
The entities in host-based access control rules follow the Kerberos principal entries: users, hosts (machines), and services. Users and target hosts can be added directly to host-based access control rules. However, services must be added to the host-based access control configuration first to make it available to rules, and then added to the access control rules.
Red Hat logoGithubRedditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

© 2024 Red Hat, Inc.