[[linux_wiki:freeipa_report_access_user]]


linux_wiki:freeipa_report_access_user [2019/05/26 03:50] (current)
Line 1: Line 1:
 +====== FreeIPA Report Access User ======
 +
 +**General Information**
 +
 +Report what hosts a user has access to.
 +
 +**Checklist**
 +  * Distro(s): Enterprise Linux 6/7
 +  * Other: [[http://​www.unixmen.com/​configure-freeipa-server-centos-7/​|FreeIPA Server Installed]] (script runs there)
 +
 +----
 +
 +====== The Script ======
 +
 +<code bash report-access-user.sh>​
 +#!/bin/bash
 +# Name: report-access-user.sh
 +# Description:​ Report what hosts a user has access to.
 +# Last Modified: 2017-08-08
 +# Recent Changes:​-Initial Release
 +###############################################################################################​
 +
 +##### Customize These Variables #####
 +# IPA admin user
 +admin_user="​admin"​
 +##### End of Customize Variables #####
 +
 +#​=====================================
 +# Functions; Main starts after
 +#​=====================================
 +function show_usage
 +{
 +  echo -e "​\n==== Report: User Access ===="
 +  echo -e "​\nDescription:​ Report what hosts a user has to."
 +  echo -e "​\n--Usage--"​
 +  echo -e "​./​report-access-user.sh -u USERNAME"​
 +  echo -e "​\n-OPTIONS-"​
 +  echo -e "​-h ​                   => Display usage."​
 +  echo -e "-u USERNAME ​          => Name of user to check access for."
 +  echo -e "​\n--Other Requirements--"​
 +  echo -e "-> FreeIPA admin access."​
 +  echo -e
 +}
 +
 +#​=======================
 +# Get Script Arguments
 +#​=======================
 +# Reset POSIX variable in case it has been used previously in this shell
 +OPTIND=1
 +
 +while getopts "​hu:"​ opt; do
 +  case "​${opt}"​ in
 +    h) # -h (help) argument
 +      show_usage
 +      exit 0
 +    ;;
 +    u) #-u USERNAME argument
 +       ​user_name="​${OPTARG}"​
 +    ;;
 +    *) # invalid argument
 +      show_usage
 +      exit 0
 +    ;;
 +  esac
 +done
 +
 +#​===================
 +# Pre-checks: Make sure we have good options set
 +#​===================
 +# See if we have a kerberos ticket, if not, prompt login
 +/​usr/​bin/​klist -s
 +if [[ $? -ne 0 ]]; then
 +  echo ">>​No kerberos ticket found for (${admin_user}),​ login as ${admin_user} now:"
 +  /​usr/​bin/​kinit ${admin_user}
 +  echo
 +fi
 +
 +#​===================
 +# Main starts here
 +#​===================
 +echo -e "​================================================"​
 +echo -e "####​========= Report: User Access ==========####"​
 +echo -e "​================================================"​
 +echo
 +echo -e "This script will report all hosts that a given user has access to."
 +
 +## If no username given, prompt ##
 +if [[ -z "​${user_name}"​ ]]; then
 +  echo -en "-> Username to check access for: "
 +  read user_name
 +fi
 +
 +echo -e "-> Checking access for: ${user_name}"​
 +ipa user-show ${user_name} > /dev/null 2>&1
 +if [[ $? -ne 0 ]]; then
 +  echo -e ">>​ ERROR! Was unable to get information on username: ${user_name}"​
 +  echo -e ">>​ Ensure you have the correct username. Exiting..."​
 +  exit 1
 +fi
 +
 +#- Get all of the groups a user is a part of
 +user_groups="​$(ipa user-show ${user_name} | awk -F: '/​Member of groups/ {print $2}' | sed '​s/,//​g'​)"​
 +
 +# For each group, determine if it is part of a HBAC rule
 +for group in $(echo ${user_groups});​ do
 +
 +  echo -e "​\n>>​ Group: ${group}"​
 +
 +  # Check if a group is in a HBAC Rule
 +  hbac_rules="​$(ipa group-show ${group} | awk -F: '/​Member of HBAC rule/ {print $2}' | sed '​s/,//​g'​)"​
 +
 +  if [[ -z ${hbac_rules} ]]; then
 +    # No rules found, move on to next group name
 +    echo -e "-> Group (${group}) is NOT in any HBAC rules." ​
 +    continue
 +  fi
 +
 +  # Group is a part of HBAC Rule(s), For each hbac rule check for system groups
 +  for rule in $(echo ${hbac_rules});​ do
 +    echo -e "​-->​ HBAC Rule: ${rule}"​
 +
 +    # Get all host groups
 +    host_groups="​$(ipa hbacrule-show ${rule} | awk -F: '/Host Groups/ {print $2}' | sed '​s/,//​g'​)"​
 +
 +    if [[ -z ${host_groups} ]]; then
 +      # No host groups; Check to see if this is an "​all"​ host group
 +      host_category="​$(ipa hbacrule-show ${rule} | awk -F: '/Host category/ {print $2}' | sed '​s/,//​g'​)"​
 +
 +      if [[ $(echo ${host_category} | awk '​{print $1}') == "​all"​ ]]; then
 +        # Access is '​all'​ hosts, display that and move to the next rule
 +        echo -e "​---->​ Host access is: All"
 +        continue
 +      else
 +        # Access is not configured, display that and move to the next rule
 +        echo -e "​---->​ No host groups in rule and not set to access '​all'​ hosts either."​
 +        continue
 +      fi
 +    fi
 +
 +    # For each host group, display the associated hosts
 +    for hostgroup_name in $(echo ${host_groups});​ do
 +      echo -e "​---->​ Host Group: ${hostgroup_name}"​
 +
 +      # Get all hosts and display them
 +      host_names="​$(ipa hostgroup-show ${hostgroup_name} | awk -F: '/​Member hosts/ {print $2}'​)"​
 +      echo -e "​------>​ Hosts: ${host_names}\n"​
 +    done # End of 'For each host group' loop
 +
 +  done # End of 'For each hbac rule' loop
 +
 +done # End of 'For each group' loop
 +
 +echo -e "​\n===================================="​
 +echo -e "=- Report: User Access Completed. -="
 +echo -e "​===================================="​
 +</​code>​
 +
 +----
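Review bot: The report treats every HBAC rule that a group is a member of as granting access (the loop over `hbac_rules` that calls `ipa hbacrule-show`) without checking the rule's enabled state, so a disabled rule is still printed as live access, and because it only walks group -> rule -> host group membership, rules that name the user directly, set the user category to `all`, list hosts directly, or apply through nested (indirect) group membership are not reported at all — for an access review `ipa hbactest --user "${user_name}" --host HOST` is the authoritative check and deserves a mention in the header comment. A minimal guard at the top of the rule loop is `rule_enabled="$(ipa hbacrule-show "${rule}" | awk -F: '/^ *Enabled/ {gsub(/ /,"",$2); print $2}')"` followed by `[[ "${rule_enabled}" == "TRUE" ]] || { echo -e "--> HBAC Rule: ${rule} is disabled, skipping"; continue; }`. The `kinit` that follows the `klist -s` check has no status check, so a failed login falls through to `ipa user-show`, whose failure is then reported as a wrong username; `/usr/bin/kinit "${admin_user}" || { echo ">> kinit failed, exiting" >&2; exit 1; }` keeps the two failures distinct (and `klist -s` only proves that some ticket exists, not one for `${admin_user}`, so the prompt text overstates what was checked). `user_name` is taken with a bare `read` and then passed unquoted to every `ipa` call, as are `${group}`, `${rule}` and `${hostgroup_name}`; `read -r user_name` and double-quoting each expansion avoids word splitting and globbing on whatever the operator types. The `*)` branch of the `getopts` case exits 0 on an unknown option, which hides misuse from any caller checking the status; `exit 2` is the conventional value there.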
  