Subject: Grouper Users - Open Discussion List
- From: Tom Poage <>
- Subject: Re: [grouper-users] Modeling NIS netgroup?
- Date: Wed, 28 Dec 2016 22:22:31 +0000
Thank you Chris and Tom B.
Your ideas and comments have given me plenty to think about, and what I might
focus on initially.
Still absorbing (videos, docs, ...),
> On Dec 28, 2016, at 9:21 AM, Tom Barton
> Hi Tom P,
> Our design at UChicago for managing privileged access to systems uses a
> combination of several things, and I wondered if it might help you to think
> about the role grouper should play in that.
> Grouper groups that contain system or application admins are managed by
> each team's supervisor/lead. These groups are used to limit user access
> either to a bastion host or "jump server" with local config that limits to
> which servers it can connect, or to an admin vpn on which a policy
> similarly limits the set of servers that users in each group can connect
> to. Either way, as the server populations change some firewall-ish changes
> are made on these privileged access devices, and as the sys/app admin
> population changes the grouper groups are updated. This approach also has
> some other benefits such as enforcing 2FA and closer monitoring and other
> security measures for privileged access to systems.
> Tom B
> On 12/28/2016 10:50 AM, Hyzer, Chris wrote:
>> You could model this in grouper permissions.
>> The people would be groups.
>> The servers would be resources (and can be hierarchical).
>> Do something with actions? Maybe the group name is the action? Or maybe
>> just use "assign"?
>> To get them into LDAP maybe have a loader job that reads the permissions
>> and sets up groups for you (then the pspng will take it from there). This
>> could run hourly or however often.
>> This would be pretty straightforward to setup if you need help let me know.
>> -----Original Message-----
>> On Behalf Of Tom Poage
>> Sent: Tuesday, December 27, 2016 4:45 PM
>> Subject: Re: [grouper-users] Modeling NIS netgroup?
>> Hi, Michael.
>> That'd be close.
>> Something tells me to add one level of indirection, though that may be
>> because I don't completely understand Grouper capabilities yet.
>> E.g. let's say I want to restrict ssh access to SIS servers to the set of
>> sysadmins. Somewhere in there I might want to model a group containing the
>> pool of servers which come and go over time, and another group of
>> individuals belonging to the sysadmin group, likewise who come and go.
>> Maybe the simple thing to do is forget the servers and simply push
>> (CFEngine, Puppet, ...) the "plussed" NIS group to /etc/password on
>> subject servers with e.g.
>> making 'sysadmin' membership dynamic (say, Grouper-fed LDAP), and leave it
>> at that. Not pretty, but perhaps functional.
>>> On Dec 27, 2016, at 1:02 PM, Michael R. Gettes
>>> Hi Tom,
>>> Would the name of the group having the hostname and the group itself
>>> being the population do the trick?
>>> App:Unix:Netgroup:x.y.edu or something else to your liking? The
>>> resulting group could, of course, be the by product of other reference
>>> groups and include/exclude compositing to support allow/deny scenarios.
>>>> On Dec 27, 2016, at 11:22, Tom Poage
>>>> Grouper newbie.
>>>> Anyone gone to the effort of modeling NIS netgroups in Grouper? I.e.
>>>> name (user,machine,domain) (user,machine,domain) ...
>>>> I think we could do without the domain, so it'd basically be the
>>>> intersection of groups of machines and groups of users.
>>>> If so, what did the model look like, and did you build an adapter to
>>>> create the NIS map directly, or e.g. push to LDAP?
>>>> Of course, there are several other ways to accomplish authZ for shell
>>>> access, such as SSSD w/ PAM, ....
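The thread above settles on one of two representations: netgroup triples built from a group of people and a group of hosts, or a flat "plussed" group pushed to each server. The following script is an added example, not code from the thread or from Grouper or pspng, showing what the first approach produces. It takes Grouper-style groups of people and of hosts (the group names, members and host names are constructed sample data), applies an include/exclude composite as Michael suggests for allow/deny, forms the cross product, and renders it both as an NIS netgroup map line and as an RFC 2307 `nisNetgroup` LDIF entry that SSSD can read. One detail worth noting when writing the map by hand: the NIS triple order is (host,user,domain), not (user,machine,domain).

```python
"""Build NIS netgroup triples from Grouper-style people and host groups.

Added example; the group names, members, host names and base DN below are
constructed for illustration and are not taken from any real deployment.
"""
from itertools import product

# Constructed sample data standing in for Grouper groups. In a real setup a
# loader job would read these from Grouper; here they are literals.
PEOPLE_GROUPS = {
    "app:unix:ref:sis-sysadmins": {"alice", "bob", "carol"},
    # exclude group used for the allow/deny composite
    "app:unix:ref:sis-sysadmins-exclude": {"carol"},
}
HOST_GROUPS = {
    "app:unix:ref:sis-servers": {"sis-db01.x.y.edu", "sis-app01.x.y.edu"},
}
# netgroup name -> (people group, people exclude group or None, host group)
NETGROUPS = {
    "sis-admins": ("app:unix:ref:sis-sysadmins",
                   "app:unix:ref:sis-sysadmins-exclude",
                   "app:unix:ref:sis-servers"),
}


def _check_token(value):
    """Reject characters that would break the (host,user,domain) syntax."""
    if not value or any(c in value for c in ",() \t\n"):
        raise ValueError("invalid netgroup token: %r" % value)
    return value


def resolve_people(include, exclude=None):
    """Composite group: members of include minus members of exclude."""
    members = set(PEOPLE_GROUPS[include])
    if exclude:
        members -= PEOPLE_GROUPS[exclude]
    return members


def netgroup_triples(users, hosts, domain=""):
    """Cross product of hosts and users as NIS triples.

    NIS order is (host,user,domain); an empty domain matches any domain.
    Output is sorted so repeated runs produce identical maps (useful for
    diffing what a loader job pushes to LDAP or to the NIS map).
    """
    return [(_check_token(h), _check_token(u), domain)
            for h, u in product(sorted(hosts), sorted(users))]


def build_netgroup(name):
    """Resolve one configured netgroup into its list of triples."""
    people, exclude, hosts = NETGROUPS[name]
    return netgroup_triples(resolve_people(people, exclude), HOST_GROUPS[hosts])


def nis_map_line(name, triples):
    """One line of the NIS 'netgroup' map: name followed by the triples."""
    return name + " " + " ".join("(%s,%s,%s)" % t for t in triples)


def ldif_entry(name, triples, base_dn="dc=x,dc=y,dc=edu"):
    """RFC 2307 nisNetgroup entry, one nisNetgroupTriple per triple."""
    lines = [
        "dn: cn=%s,ou=netgroup,%s" % (name, base_dn),
        "objectClass: top",
        "objectClass: nisNetgroup",
        "cn: %s" % name,
    ]
    lines += ["nisNetgroupTriple: (%s,%s,%s)" % t for t in triples]
    return "\n".join(lines)


if __name__ == "__main__":
    for ng in NETGROUPS:
        triples = build_netgroup(ng)
        print(nis_map_line(ng, triples))
        print()
        print(ldif_entry(ng, triples))
```

On the consuming side, SSSD resolves these entries when `ldap_netgroup_search_base` in sssd.conf points at the `ou=netgroup` subtree, after which `getent netgroup sis-admins` shows the triples and a line such as `+ : @sis-admins : ALL` in /etc/security/access.conf (with pam_access enabled) restricts shell logins to them. Because the host is part of each triple, one LDAP entry serves every server in the host group, and removing a host from the Grouper host group removes it from every triple on the next loader run.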