Host-based Access Control (HBAC) Examples#

HBAC rules allow to define policies to control how hosts and services are accessed based on the user, user’s group or host that is attempting to access.

Creating an HBAC rule#

Create a base rule that will handle SSH service access.

api.Command.hbacrule_add("sshd_rule")

Managing members of a HBAC rule#

Add user john to the previously created HBAC rule.

api.Command.hbacrule_add_user("sshd_rule", user="john")

Additionally, you can set access based on groups:

api.Command.hbacrule_add_user("sshd_rule", group="developers")

Remove user john from the HBAC rule.

api.Command.hbacrule_remove_user("sshd_rule", user="john")

Managing targets of a HBAC rule#

After we have created the rule and set the members, targets must be registered before being added to the rule.

Adding a new HBAC service.

api.Command.hbacsvc_add("chronyd")

Services must be attached to rules. Attach the sshd service to the previously created rule. This service is registered in IPA by default, so there’s no need to add it with hbacsvc_add before.

api.Command.hbacrule_add_service("sshd_rule", hbacsvc="sshd")

Hosts can be added as targets as well. Allow the SSH service to be accessed only in the hosts part of the workstations hostgroup.

api.Command.hbacrule_add_host("sshd_rule", hostgroup="workstations")

Testing a HBAC rule#

Simulate the use of the rule we previously created, against the host workstation.ipa.test, the service sshd coming from the user john.

api.Command.hbactest(user="john", targethost="workstation.ipa.test", service="sshd", rules="sshd_rule")

Enabling and disabling HBAC rules#

Enable a HBAC rule.

api.Command.hbacrule_enable("sshd_rule")

Disable a HBAC rule.

api.Command.hbacrule_disable("sshd_rule")