
Chapter 14. Policy: Configuring Host-Based Access Control

14.1. About Host-Based Access Control
14.2. Creating Host-Based Access Control Entries for Services and Service Groups
14.2.1. Adding HBAC Services
14.2.2. Adding Service Groups
14.3. Defining Host-Based Access Control Rules
14.3.1. Setting Host-Based Access Control Rules in the Web UI
14.3.2. Setting Host-Based Access Control Rules in the Command Line
14.4. Testing Host-Based Access Control Rules
14.4.1. The Limits of Host-Based Access Control Configuration
14.4.2. Test Scenarios for Host-Based Access Control (CLI-Based)
14.4.3. Testing Host-Based Access Control Rules in the UI
FreeIPA can control access to both machines and the services on those machines within the FreeIPA domain. The rules define who can access what within the domain, not the level of access (which is defined by system or application settings). These access control rules only grant access; all other users and hosts are implicitly denied.
This is called host-based access control because the rule defines what hosts (source) are allowed to access other hosts (targets) within the domain. This access can be further broken down to users and services.


Using host-based access control requires SSSD to be installed and configured on the FreeIPA client machine.

14.1. About Host-Based Access Control

Host-based access control rules (which are described in Chapter 14, Policy: Configuring Host-Based Access Control) can be applied to individual hosts. However, using host groups allows centralized, and potentially simplified, access control management because an access control rule only needs to be defined once and then it is applied immediately and consistently to all the hosts within the group.
Figure 14.1. Host Groups and Host-Based Access Control


While access must be explicitly granted to users and hosts within the FreeIPA domain, FreeIPA servers are configured by default with an allow all access control rule, which grants every host within the domain access to every other host within the domain.
To create a FreeIPA server without the default allow all rule, run ipa-server-install with the --no_hbac_allow option.
The rule first defines things that can be accessed, and there are two types of entities:
  • Hosts, or target hosts, within the FreeIPA domain.
  • Services on the target hosts. Multiple services can be combined into service groups. The service group can be modified without having to edit the access control rule itself.
The rule also sets who can have access (the FreeIPA domain user) and what they can use to access the targets (the source host).


It is possible to use categories for users, source hosts, and target hosts instead of adding each one individually to the access control rule. The only supported category is all.
The entities in host-based access control rules follow the Kerberos principal entries: users, hosts (machines), and services. Users, source hosts, and target hosts can be added directly to host-based access control rules. However, services must be flagged first and then added to the access control rules.
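The following is an added example written for this page, not FreeIPA code: a small offline model of the rule semantics described above (rules only grant access, unmatched requests are denied, users, hosts and services can be matched through groups, and the category all matches everything). The rule names, users, hosts and group memberships are constructed; the default allow_all rule is shown enabled and then disabled to illustrate why the default must be removed before rules become restrictive.

```python
# Added example, not FreeIPA code: an offline model of HBAC rule evaluation.
# Rules only grant access, anything no rule matches is denied, and the
# category "all" matches everything. All names and memberships are constructed.
from dataclasses import dataclass, field

@dataclass
class HBACRule:
    name: str
    enabled: bool = True
    users: set = field(default_factory=set)        # users allowed access
    groups: set = field(default_factory=set)       # user groups allowed access
    hosts: set = field(default_factory=set)        # target hosts
    hostgroups: set = field(default_factory=set)   # target host groups
    services: set = field(default_factory=set)     # HBAC services (e.g. sshd)
    svcgroups: set = field(default_factory=set)    # HBAC service groups
    usercat: str = ""      # "all" matches every user
    hostcat: str = ""      # "all" matches every target host
    servicecat: str = ""   # "all" matches every service

# Constructed memberships: changing a group changes whom a rule covers.
USER_GROUPS = {"jsmith": {"admins"}, "bob": {"developers"}}
HOST_GROUPS = {"web1.example.com": {"webservers"}, "db1.example.com": {"dbservers"}}
SVC_GROUPS = {"sshd": {"remote-login"}, "login": {"remote-login"}, "ftp": {"file-transfer"}}

def _matches(category, direct, via_groups, name, memberships):
    # An entity matches directly, through one of its groups, or via category all.
    if category == "all":
        return True
    return name in direct or bool(memberships.get(name, set()) & via_groups)

def rule_allows(rule, user, host, service):
    return (rule.enabled
            and _matches(rule.usercat, rule.users, rule.groups, user, USER_GROUPS)
            and _matches(rule.hostcat, rule.hosts, rule.hostgroups, host, HOST_GROUPS)
            and _matches(rule.servicecat, rule.services, rule.svcgroups, service, SVC_GROUPS))

def hbac_test(rules, user, host, service):
    """Return (granted, matching rule names), like a simplified 'ipa hbactest'."""
    matched = [r.name for r in rules if rule_allows(r, user, host, service)]
    return bool(matched), matched

# The default allow_all rule plus a constructed rule for developers on web servers.
ALLOW_ALL = HBACRule("allow_all", usercat="all", hostcat="all", servicecat="all")
DEV_SSH = HBACRule("dev_ssh_web", groups={"developers"}, hostgroups={"webservers"}, svcgroups={"remote-login"})

if __name__ == "__main__":
    rules = [ALLOW_ALL, DEV_SSH]
    print(hbac_test(rules, "bob", "db1.example.com", "sshd"))   # (True, ['allow_all'])
    ALLOW_ALL.enabled = False  # the effect of 'ipa hbacrule-disable allow_all'
    print(hbac_test(rules, "bob", "db1.example.com", "sshd"))   # (False, [])
```

With allow_all disabled, bob reaches sshd on web1.example.com only through dev_ssh_web, and is denied on db1.example.com because no rule matches that target host.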