[[linux_wiki:freeipa_report_access_user]]

FreeIPA Report Access User

General Information

Report what hosts a user has access to.

Checklist


The Script

report-access-user.sh
#!/bin/bash
# Name: report-access-user.sh
# Description: Report what hosts a user has access to.
# Last Modified: 2017-08-08
# Recent Changes:-Initial Release
###############################################################################################
 
##### Customize These Variables #####
# IPA admin user
admin_user="admin"
##### End of Customize Variables #####
 
#=====================================
# Functions; Main starts after
#=====================================
function show_usage
{
  echo -e "\n==== Report: User Access ===="
  echo -e "\nDescription: Report what hosts a user has to."
  echo -e "\n--Usage--"
  echo -e "./report-access-user.sh -u USERNAME"
  echo -e "\n-OPTIONS-"
  echo -e "-h                    => Display usage."
  echo -e "-u USERNAME           => Name of user to check access for."
  echo -e "\n--Other Requirements--"
  echo -e "-> FreeIPA admin access."
  echo -e
}
 
#=======================
# Get Script Arguments
#=======================
# Reset POSIX variable in case it has been used previously in this shell
OPTIND=1
 
while getopts "hu:" opt; do
  case "${opt}" in
    h) # -h (help) argument
      show_usage
      exit 0
    ;;
    u) #-u USERNAME argument
       user_name="${OPTARG}"
    ;;
    *) # invalid argument
      show_usage
      exit 0
    ;;
  esac
done
 
#===================
# Pre-checks: Make sure we have good options set
#===================
# See if we have a kerberos ticket, if not, prompt login
/usr/bin/klist -s
if [[ $? -ne 0 ]]; then
  echo ">>No kerberos ticket found for (${admin_user}), login as ${admin_user} now:"
  /usr/bin/kinit ${admin_user}
  echo
fi
 
#===================
# Main starts here
#===================
echo -e "================================================"
echo -e "####========= Report: User Access ==========####"
echo -e "================================================"
echo
echo -e "This script will report all hosts that a given user has access to."
 
## If no username given, prompt ##
if [[ -z "${user_name}" ]]; then
  echo -en "-> Username to check access for: "
  read user_name
fi
 
echo -e "-> Checking access for: ${user_name}"
ipa user-show ${user_name} > /dev/null 2>&1
if [[ $? -ne 0 ]]; then
  echo -e ">> ERROR! Was unable to get information on username: ${user_name}"
  echo -e ">> Ensure you have the correct username. Exiting..."
  exit 1
fi
 
#- Get all of the groups a user is a part of
user_groups="$(ipa user-show ${user_name} | awk -F: '/Member of groups/ {print $2}' | sed 's/,//g')"
 
# For each group, determine if it is part of a HBAC rule
for group in $(echo ${user_groups}); do
 
  echo -e "\n>> Group: ${group}"
 
  # Check if a group is in a HBAC Rule
  hbac_rules="$(ipa group-show ${group} | awk -F: '/Member of HBAC rule/ {print $2}' | sed 's/,//g')"
 
  if [[ -z ${hbac_rules} ]]; then
    # No rules found, move on to next group name
    echo -e "-> Group (${group}) is NOT in any HBAC rules." 
    continue
  fi
 
  # Group is a part of HBAC Rule(s), For each hbac rule check for system groups
  for rule in $(echo ${hbac_rules}); do
    echo -e "--> HBAC Rule: ${rule}"
 
    # Get all host groups
    host_groups="$(ipa hbacrule-show ${rule} | awk -F: '/Host Groups/ {print $2}' | sed 's/,//g')"
 
    if [[ -z ${host_groups} ]]; then
      # No host groups; Check to see if this is an "all" host group
      host_category="$(ipa hbacrule-show ${rule} | awk -F: '/Host category/ {print $2}' | sed 's/,//g')"
 
      if [[ $(echo ${host_category} | awk '{print $1}') == "all" ]]; then
        # Access is 'all' hosts, display that and move to the next rule
        echo -e "----> Host access is: All"
        continue
      else
        # Access is not configured, display that and move to the next rule
        echo -e "----> No host groups in rule and not set to access 'all' hosts either."
        continue
      fi
    fi
 
    # For each host group, display the associated hosts
    for hostgroup_name in $(echo ${host_groups}); do
      echo -e "----> Host Group: ${hostgroup_name}"
 
      # Get all hosts and display them
      host_names="$(ipa hostgroup-show ${hostgroup_name} | awk -F: '/Member hosts/ {print $2}')"
      echo -e "------> Hosts: ${host_names}\n"
    done # End of 'For each host group' loop
 
  done # End of 'For each hbac rule' loop
 
done # End of 'For each group' loop
 
echo -e "\n===================================="
echo -e "=- Report: User Access Completed. -="
echo -e "===================================="

  • linux_wiki/freeipa_report_access_user.txt
  • Last modified: 2019/05/26 03:50
  • (external edit)