Ticket #1018 (closed defect: fixed)

Opened 3 years ago

Last modified 2 years ago

HBAC rule evaluation does not properly handle host groups

Reported by: sgallagh
Owned by: somebody
Priority: blocker
Milestone: SSSD 1.5.14
Component: IPA Provider
Version: 1.5.1
Tests Updated: no
Patch Submitted: yes
Red Hat Bugzilla: 741751

Description (last modified by sgallagh)

https://bugzilla.redhat.com/show_bug.cgi?id=741751

Description of problem:
HBAC rules configured on a FreeIPA server can be set up to limit access to particular hosts or groups of hosts. There is a bug in SSSD that fails to properly process host-groups. The effect of this is that users cannot log into the machine unless it is specified explicitly (instead of as a member of a hostgroup) in the rule.

Version-Release number of selected component (if applicable):
sssd-1.5.1-52.el6

How reproducible:
Every time

Steps to Reproduce:
1. On the FreeIPA server, create a hostgroup and add a host to it.
2. Create an HBAC rule that allows access based on the hostgroup above (set all other features of the rule to the ALL hostcat for easy testing).
3. Disable all other rules (so only this one is active).
4. On the client host, attempt to log in with a valid FreeIPA user.
  
Actual results:
The user is denied.

Expected results:
The user is granted access.


Additional info:
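
A minimal model of the expected evaluation, added here as an illustration and not taken from SSSD or from the ticket: a rule's host condition is met by an explicitly listed host or by membership in a listed hostgroup. The class and function names, the default-deny allow-rule model, the nested hostgroup expansion and the sample data are assumptions; `expand_groups=False` reproduces only the reported effect, not the actual SSSD defect.

```python
from dataclasses import dataclass, field

@dataclass
class HbacRule:
    name: str
    enabled: bool = True
    user_all: bool = False       # user category "all"
    service_all: bool = False    # service category "all"
    host_all: bool = False       # host category "all"
    users: set = field(default_factory=set)
    services: set = field(default_factory=set)
    hosts: set = field(default_factory=set)        # hosts named directly in the rule
    hostgroups: set = field(default_factory=set)   # hostgroups named in the rule

def host_memberships(host, hostgroups):
    """All hostgroups containing `host`, directly or via nested hostgroups."""
    found, frontier = set(), {host}
    while frontier:
        # Groups that contain anything found in the previous round; cycle-safe.
        frontier = {g for g, m in hostgroups.items() if m & frontier} - found
        found |= frontier
    return found

def host_matches(rule, host, hostgroups, expand_groups=True):
    if rule.host_all or host in rule.hosts:
        return True
    if not expand_groups:  # models the reported effect: only explicit hosts match
        return False
    return bool(rule.hostgroups & host_memberships(host, hostgroups))

def is_allowed(rules, user, service, host, hostgroups, expand_groups=True):
    """Default deny: access needs one enabled rule matching user, service and host."""
    for r in rules:
        if (r.enabled
                and (r.user_all or user in r.users)
                and (r.service_all or service in r.services)
                and host_matches(r, host, hostgroups, expand_groups)):
            return True
    return False

# Constructed sample data following the ticket's reproduction steps.
HOSTGROUPS = {"webservers": {"client.example.test"}, "prod": {"webservers"}}
RULES = [
    HbacRule("allow_all", enabled=False, user_all=True, service_all=True, host_all=True),
    HbacRule("web_access", user_all=True, service_all=True, hostgroups={"webservers"}),
]

if __name__ == "__main__":
    args = (RULES, "alice", "sshd", "client.example.test", HOSTGROUPS)
    print("with hostgroup expansion:", is_allowed(*args))
    print("explicit hosts only:     ", is_allowed(*args, expand_groups=False))
```

The same cases work as a regression check for any evaluator: a hostgroup-only rule must admit a member host and must still deny a host outside the group.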

Change History

comment:1 Changed 3 years ago by sgallagh

  • Resolution set to fixed
  • Patch Submitted set
  • Tests Updated unset
  • Description modified
  • upgrade set to 0
  • tests set to 0
  • Status changed from new to closed

comment:2 Changed 2 years ago by mkosek

  • Red Hat Bugzilla set to 741751 (https://bugzilla.redhat.com/show_bug.cgi?id=741751)