Host-based Access Control (HBAC) Examples

HBAC rules allow to define policies to control how hosts and services are accessed based on the user, user’s group or host that is attempting to access.

• Host-based Access Control (HBAC) Examples

  • Creating an HBAC rule

  • Managing members of a HBAC rule

  • Managing targets of a HBAC rule

  • Testing a HBAC rule

  • Enabling and disabling HBAC rules

Creating an HBAC rule

Create a base rule that will handle SSH service access.

api.Command.hbacrule_add("sshd_rule")

Managing members of a HBAC rule

Add user john to the previously created HBAC rule.

api.Command.hbacrule_add_user("sshd_rule", user="john")

Additionally, you can set access based on groups:

api.Command.hbacrule_add_user("sshd_rule", group="developers")

Remove user john from the HBAC rule.

api.Command.hbacrule_remove_user("sshd_rule", user="john")

Managing targets of a HBAC rule

After we have created the rule and set the members, targets must be registered before being added to the rule.

Adding a new HBAC service.

api.Command.hbacsvc_add("chronyd")

Services must be attached to rules. Attach the sshd service to the previously created rule. This service is registered in IPA by default, so there’s no need to add it with hbacsvc_add before.

api.Command.hbacrule_add_service("sshd_rule", hbacsvc="sshd")

Hosts can be added as targets as well. Allow the SSH service to be accessed only in the hosts part of the workstations hostgroup.

api.Command.hbacrule_add_host("sshd_rule", hostgroup="workstations")

Testing a HBAC rule

Simulate the use of the rule we previously created, against the host workstation.ipa.test, the service sshd coming from the user john.

api.Command.hbactest(user="john", targethost="workstation.ipa.test", service="sshd", rules="sshd_rule")

Enabling and disabling HBAC rules

Enable a HBAC rule.

api.Command.hbacrule_enable("sshd_rule")

Disable a HBAC rule.

api.Command.hbacrule_disable("sshd_rule")