此内容没有您所选择的语言版本。

22.3. Defining Host-Based Access Control Rules


Access controls, at a high level, define who has access to what. The who is an IdM user, and the what can be either a host (target host), service, or service group, or a combination of the three.

22.3.1. Setting Host-Based Access Control Rules in the Web UI

  1. Click the Policy tab.
  2. Click the Host-Based Access Control subtab, and then select the HBAC Rules link.
  3. Click the Add link at the top of the list of host-based access control rules.
  4. Enter the name for the rule.
  5. Click the Add and Edit button to go immediately to set the configuration for the rule.
    There are a number of configuration areas for the rule. The three basic elements are who the rule applies to, what hosts allow access (the target), and, optionally, what services can be accessed.
  6. In the Who area, select the users or user groups to which the access control rule is applied.
    To apply the rule to all IdM users, select the Anyone radio button.
    To apply the rule to a specific set of users or user groups:
    1. Select the Specified Users and Groups radio button.
    2. Click the + Add link at the right of the users list.
    3. Click the checkbox by the users to add to the rule, and click the right arrows button, >>, to move the users to the selection box.
    4. Click Add.
  7. In the Accessing area, select the target hosts which can be accessed through this access control rule.
    To apply the rule to all IdM hosts, select the Any Host radio button.
    To apply the rule to a specific set of hosts or host groups:
    1. Select the Specified Hosts and Groups radio button.
    2. Click the + Add link at the right of the hosts list.
    3. Click the checkbox by the hosts to include with the rule, and click the right arrows button, >>, to move the hosts to the selection box.
    4. Click Add.
  8. In the Via Service area, select specific services on the target hosts which the users are allowed to use to access target machines.
    To apply the rule to all IdM hosts, select the Any Service radio button.
    To apply the rule to a specific set of hosts or host groups:
    1. Select the Specified Services and Groups radio button.
    2. Click the + Add link at the right of the commands list.
    3. Click the checkbox by the services or groups to include with the rule, and click the right arrows button, >>, to move the services to the selection box.
    4. Click Add.

22.3.2. Setting Host-Based Access Control Rules in the Command Line

Access control rules are created using the hbacrule-* commands (listed in Table 22.1, “Host-Based Access Control Command and Options”). The first step is to create a container entry; from there, users, hosts, and services can be added to the access control entry.
The basic outline of all the access control commands is:
$ ipa hbacrule-add* options ruleName

Note

To set every user or every host as a target, use the category options, such as --usercat=all.

Example 22.1. Granting All Access to One Host

One simple rule is to grant every user access to a single server. The first command creates the entry and uses the category options to apply every user.
$ ipa hbacrule-add --usercat=all allGroup
--------------------------
Added HBAC rule "allGroup"
--------------------------
  Rule name: allGroup
  User category: all
  Enabled: TRUE
The second rule adds the target host, using the hbacrule-add-host command:
$ ipa hbacrule-add-host --hosts=server.example.com allGroup
  Rule name: allGroup
  User category: all
  Enabled: TRUE
  Successful hosts/hostgroups:
    member host: server.example.com
-------------------------
Number of members added 1
-------------------------

Example 22.2. Adding Control for a Single User to a Service

Another access control method is to specify which services users are allowed to use to access the target hosts.
First, for the user to have access to every machine, every host must be added as both a host and target. This can be done using the category options:
$ ipa hbacrule-add --hostcat=all sshd-jsmith
Since the access control rule applies to a specific user, the user is added to the rule using the hbacrule-add-user command:
$ ipa hbacrule-add-user --users=jsmith sshd-jsmith
Then, the service is added to the access control rule. (The service should have already been added to the access control system using the hbacsvc-add command.) This is the service that the user can use to connect to the machine.
$ ipa hbacrule-add-service --hbacsvcs=sshd sshd-jsmith

Example 22.3. Adding a Service Group to the Rule

While a single service can be added to a rule, it is also possible to add an entire service group. Like a single service, this uses the hbacrule-add-service command, only with the --hbacsvcgroups option that specifies the group name.
$ ipa hbacrule-add-service --hbacsvcgroups=login loginRule
Table 22.1. Host-Based Access Control Command and Options
Command Description Arguments Source or Target Entry
hbacrule-add Adds a new host-based access control rule.
  • --usercat=all, which applies the rule to every user
  • --hostcat=all, which sets every host as an allowed target server
  • --servicecat=all, which sets every configured service as an allowed target service
  • ruleName, which is the required unique identifier for the new rule
hbacrule-add-host Adds a target host to the access control rule. A target host can be accessed by other servers and users in the domain.
  • --hosts, which adds an individual server or command-separated list of servers as an allowed target server
  • --hostgroups, which adds a host group to the rule and every host within the host group is an allowed target server
  • ruleName, which is the rule to which to add the target server
Target
hbacrule-add-service Adds a service type to the rule.
  • --hbacsvcs, which adds an individual service type or a comma-separated list of service type as an allowed target service
  • --hbacsvcgroups, which adds a service group to the rule and every service within the service group is an allowed target service
  • ruleName, which is the rule to which to add the target service
Target
hbacrule-add-user Adds a user to the access control rule. The user is then able to access any allowed target host or service within the domain.
  • --users, which adds an individual user or command-separated list of users to the rule
  • --groups, which adds a user group to the rule and, thus, every user within the group
  • ruleName, which is the rule to which to add the user
Source
hbacrule-disable | hbacrule-enable Disables or enables a host-based access control rule. Rules can be disabled if their behavior needs to be evaluated (for troubleshooting or to test a new rule). ruleName, which is the rule to disable or enable
Red Hat logoGithubRedditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

© 2024 Red Hat, Inc.