20.5. 在 CLI 上创建 sudo 规则，以作为 IdM 客户端上的服务帐户运行命令

步骤

1. 获取 Kerberos 票据作为 IdM admin。

   [root@idmclient ~]# kinit admin

   Copy to Clipboard Toggle word wrap

2. 将 /opt/third-party-app/bin/report 命令添加到 sudo 命令的 IdM 数据库：

   [root@idmclient ~]# ipa sudocmd-add /opt/third-party-app/bin/report
   ----------------------------------------------------
   Added Sudo Command "/opt/third-party-app/bin/report"
   ----------------------------------------------------
     Sudo Command: /opt/third-party-app/bin/report

   Copy to Clipboard Toggle word wrap

3. 创建一个名为 run_third-party-app_report 的 sudo 规则：

   [root@idmclient ~]# ipa sudorule-add run_third-party-app_report
   --------------------------------------------
   Added Sudo Rule "run_third-party-app_report"
   --------------------------------------------
     Rule name: run_third-party-app_report
     Enabled: TRUE

   Copy to Clipboard Toggle word wrap

4. 使用 --users=<user> 选项来为 sudorule-add-runasuser 命令指定 RunAs 用户：

   [root@idmclient ~]# ipa sudorule-add-runasuser run_third-party-app_report --users=thirdpartyapp
     Rule name: run_third-party-app_report
     Enabled: TRUE
     RunAs External User: thirdpartyapp
   -------------------------
   Number of members added 1
   -------------------------

   Copy to Clipboard Toggle word wrap

   用户（或使用 --groups=* 选项指定 的组）可以是 IdM 的外部用户，如本地服务帐户或活动目录用户。不要为组名称添加 % 前缀。

5. 将 /opt/third-party-app/bin/report 命令添加到 run_third-party-app_report 规则中：

   [root@idmclient ~]# ipa sudorule-add-allow-command run_third-party-app_report --sudocmds '/opt/third-party-app/bin/report'
   Rule name: run_third-party-app_report
   Enabled: TRUE
   Sudo Allow Commands: /opt/third-party-app/bin/report
   RunAs External User: thirdpartyapp
   -------------------------
   Number of members added 1
   -------------------------

   Copy to Clipboard Toggle word wrap

6. 将 run_third- party-app_report 规则应用到 IdM idmclient 主机：

   [root@idmclient ~]# ipa sudorule-add-host run_third-party-app_report --hosts idmclient.idm.example.com
   Rule name: run_third-party-app_report
   Enabled: TRUE
   Hosts: idmclient.idm.example.com
   Sudo Allow Commands: /opt/third-party-app/bin/report
   RunAs External User: thirdpartyapp
   -------------------------
   Number of members added 1
   -------------------------

   Copy to Clipboard Toggle word wrap

7. 将 idm_user 帐户添加到 run_third- party-app_report 规则中：

   [root@idmclient ~]# ipa sudorule-add-user run_third-party-app_report --users idm_user
   Rule name: run_third-party-app_report
   Enabled: TRUE
   Users: idm_user
   Hosts: idmclient.idm.example.com
   Sudo Allow Commands: /opt/third-party-app/bin/report
   RunAs External User: thirdpartyapp
   -------------------------
   Number of members added 1

   Copy to Clipboard Toggle word wrap

验证

1. 以 idm_user 帐户身份登录 idmclient 主机。

2. 测试新的 sudo 规则：

   1. 显示允许 idm_user 帐户执行的 sudo 规则。

      [idm_user@idmclient ~]$ sudo -l
      Matching Defaults entries for idm_user@idm.example.com on idmclient:
          !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
          env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
          env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
          env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
          env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
          env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY KRB5CCNAME",
          secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
      
      User idm_user@idm.example.com may run the following commands on idmclient:
          (thirdpartyapp) /opt/third-party-app/bin/report

      Copy to Clipboard Toggle word wrap

   2. 作为 thirdpartyapp 服务帐户，运行 report 命令。

      [idm_user@idmclient ~]$ sudo -u thirdpartyapp /opt/third-party-app/bin/report
      [sudo] password for idm_user@idm.example.com:
      Executing report...
      Report successful.

      Copy to Clipboard Toggle word wrap