Chapter 8. eurephiadm access management
In this tutorial John Doe is the administrator who has carried out all the operations so far, and he is the one who had to authenticate with username and password at least once during these examples. When eurephia was initialised with the eurephia_init utility, it asked for an administrator username and password and then granted that user access to all eurephiadm modules. We have since added three more users, and none of them has access to the eurephiadm utility at all. Each user account can be allowed to perform some or all of the operations covered so far, so that every operator holds only the rights their job needs. To do so, we need to have a look at the eurephiadm adminaccess command.
user@host:~ $ eurephiadm adminaccess --help
User: john.doe
Password: ........
Available modes for the adminaccess command are:
-G | --grant Grant a specific access level to a user
-R | --revoke Revoke access levels
-l | --list List all granted access levels
-h | --help <mode> Help about a specific mode
user@host:~ $ eurephiadm adminaccess --list
[uid] Username Intf. Access level
------------------------------------------------------------------------------
[ 1] john.doe C attempts
C blacklist
C certadmin
C config
C fwprofiles
C useradmin
------------------------------------------------------------------------------
user@host:~ $
Let's have a look at the different access levels available.
attempts
This access level grants access to the attempts command, which can list, reset or delete the login attempt records in the database.
blacklist
This is similar to the attempts access. It grants access to the blacklist command, which can list, add or delete blacklisted usernames, certificate digests or IP addresses.
certadmin
This level is needed to use the certs command, which lists, adds or deletes the certificate information the eurephia plug-in uses during the authentication process.
config
This level grants access to the config and show-config commands. show-config lists both the eurephiadm config file and all configuration parameters in the database; config sets or deletes configuration parameters in the database.
fwprofiles
This access level is needed to list, add or delete the firewall profiles eurephia may use.
useradmin
This level grants access to the users and usercerts commands, which are used to create or delete user accounts and to link a user account with a certificate and a firewall access profile. Since this level decides which certificate and firewall profile each account is bound to, grant it as sparingly as certadmin and config.
You may have noticed the "Intf." (interface) column in the listing above. At the moment eurephia supports only one interface, C, the console interface used by eurephiadm. Other interfaces are planned, and access is recorded per interface, so you will then have fine-grained control over which administration features each user may use through each interface.
8.1. Granting admin access
Let's give Jane Doe access to administer the attempts and blacklist records in eurephia, and nothing more.
user@host:~ $ eurephiadm adminaccess --grant --help
The grant mode will grant a user access to a specified access level.
-i | --uid User account ID
-I | --interface Grant access through which interface (default 'C')
-a | --access-level Grant access which access level
user@host:~ $
Listing all user accounts (eurephiadm users --list) shows that Jane has user ID 3. The interface defaults to 'C', which is also the only supported interface, so we can leave that argument out for now. The remaining option is the access level to grant; one --grant call is needed per level.
user@host:~ $ eurephiadm adminaccess --grant --uid 3 -a attempts
eurephia::UserAdmin: Access level granted
user@host:~ $ eurephiadm adminaccess --grant --uid 3 -a blacklist
eurephia::UserAdmin: Access level granted
user@host:~ $ eurephiadm adminaccess --list
[uid] Username Intf. Access level
------------------------------------------------------------------------------
[ 1] john.doe C attempts
C blacklist
C certadmin
C config
C fwprofiles
C useradmin
[ 3] jane.doe C attempts
C blacklist
------------------------------------------------------------------------------
user@host:~ $
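The grant procedure of section 8.1 and the "adminaccess --list" format it produces, as an added example that is not part of the eurephia documentation or code: a POSIX shell script with a grant_levels helper that issues one --grant call per level using only the flags shown in this chapter (--grant, --uid, -a, --list), plus two small awk parsers that answer "which levels does uid N hold" and "which uids hold level X" from --list output. The continuation rows of the listing carry no uid, which is the one thing a naive parser gets wrong. The function names, the EUREPHIADM variable and the embedded listing are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example; not part of the eurephia project or this chapter.
# It assumes only the eurephiadm flags shown above:
#   eurephiadm adminaccess --grant --uid <id> -a <level>
#   eurephiadm adminaccess --list
# EUREPHIADM can be pointed at another binary (e.g. a stub when testing).
EUREPHIADM="${EUREPHIADM:-eurephiadm}"

# The six access levels this chapter documents for the 'C' (console) interface.
ALL_LEVELS="attempts blacklist certadmin config fwprofiles useradmin"

# valid_level LEVEL -- succeed only for a documented access level, so a typo is
# caught before eurephiadm prompts for the administrator password.
valid_level() {
    for l in $ALL_LEVELS; do
        [ "$1" = "$l" ] && return 0
    done
    return 1
}

# grant_levels UID LEVEL... -- one --grant call per level, exactly as section
# 8.1 does by hand. Stops at the first level eurephiadm rejects.
grant_levels() {
    uid="$1"; shift
    for lvl in "$@"; do
        valid_level "$lvl" || { echo "unknown access level: $lvl" >&2; return 1; }
        "$EUREPHIADM" adminaccess --grant --uid "$uid" -a "$lvl" || return 1
    done
}

# levels_for_uid UID -- read "adminaccess --list" output on stdin and print the
# levels granted to UID, space separated. A user's second and later levels are
# printed on continuation rows with no uid, so the last seen uid is carried
# forward; the header and separator rows match neither pattern.
levels_for_uid() {
    awk -v want="$1" '
        /^\[ *[0-9]+]/ { match($0, /[0-9]+/); cur = substr($0, RSTART, RLENGTH) }
        /^\[ *[0-9]+]/ || /^[ \t]*[A-Z][ \t]+[a-z]+[ \t]*$/ {
            if (cur == want) out = out (out == "" ? "" : " ") $NF
        }
        END { print out }'
}

# uids_with_level LEVEL -- the reverse lookup: which uids hold LEVEL? Useful
# for checking that only the intended accounts hold certadmin, config or
# useradmin.
uids_with_level() {
    awk -v want="$1" '
        /^\[ *[0-9]+]/ { match($0, /[0-9]+/); cur = substr($0, RSTART, RLENGTH) }
        (/^\[ *[0-9]+]/ || /^[ \t]*[A-Z][ \t]+[a-z]+[ \t]*$/) && $NF == want { print cur }'
}

# sample_listing -- a constructed copy of the listing at the end of section
# 8.1, so the parsers can be exercised without a eurephia database.
sample_listing() {
    cat <<'EOF'
[uid] Username Intf. Access level
------------------------------------------------------------------------------
[ 1] john.doe C attempts
             C blacklist
             C certadmin
             C config
             C fwprofiles
             C useradmin
[ 3] jane.doe C attempts
             C blacklist
------------------------------------------------------------------------------
EOF
}

# Stand-alone demo (no eurephiadm needed):
echo "uid 3 holds: $(sample_listing | levels_for_uid 3)"
echo "useradmin held by uid(s): $(sample_listing | uids_with_level useradmin | tr '\n' ' ')"
```

Against a real installation, pipe "eurephiadm adminaccess --list" into levels_for_uid or uids_with_level instead of sample_listing. Because eurephiadm authenticates the administrator interactively, expect the username and password prompt shown at the top of this chapter when grant_levels runs the real tool.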