How-to

Boundary: Preflight
Authority: idm, collection
Evidence: command-output

Test HBAC access

When To Use This

Use this when an automation job must prove a user, host, and service tuple is allowed before continuing.

Required Authority

IdM owns HBAC policy. The lookup runs IdM hbactest and returns the decision.

Safety Boundary

This workflow is preflight. Confirm that this is the intended boundary before placing it in a scheduled job or AAP workflow.

Inputs

  • Named target objects
  • Credentials with the required IdM or platform authority
  • A reviewed output path or downstream task

Steps

  1. Confirm the target objects and authority before running.
  2. Run the command or task with review-friendly output.
  3. Inspect the returned evidence before continuing to any mutating step.

The lookup call that produces that evidence:

lookup('eigenstate.ipa.hbacrule',
       'automation-svc',
       operation='test',
       targethost='client01.example.com',
       service='sshd',
       server='idm-01.example.com',
       kerberos_keytab='/runner/env/ipa/automation.keytab')

Example HBAC Gate

This playbook uses IdM HBAC test output as a preflight gate before deployment tasks run.

test-hbac.yml

---
- name: Verify automation account HBAC access
  hosts: app_servers
  gather_facts: false
  tasks:
    - name: Test whether automation can use sshd on the target
      ansible.builtin.set_fact:
        access: >-
          {{ lookup('eigenstate.ipa.hbacrule',
                    'automation-svc',
                    operation='test',
                    targethost=inventory_hostname,
                    service='sshd',
                    server='idm-01.example.com',
                    kerberos_keytab='/runner/env/ipa/automation.keytab') }}
      delegate_to: localhost

    - name: Stop if HBAC would deny the automation account
      ansible.builtin.assert:
        that:
          - not access.denied
        fail_msg: "HBAC denied automation-svc on {{ inventory_hostname }}."

Run It

ansible-playbook -i inventory.eigenstate_ipa.yml test-hbac.yml

Expected Evidence

The lookup returns an HBAC allow/deny decision object and the rule set evaluated on IdM.

{
  "targethost": "client01.example.com",
  "service": "sshd",
  "denied": false,
  "matched": [
    "ops-ssh"
  ],
  "notmatched": [
    "ops-db"
  ]
}
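As an added example (not part of this page or the eigenstate.ipa collection), a small Python gate that applies the same allow/deny check to a decision object of the shape shown above, and additionally fails closed when the field is missing or when the allow did not come from an expected rule; evaluate_hbac_gate and expected_rules are hypothetical names.

```python
import json
from typing import Iterable, Optional, Tuple

# Constructed sample, mirroring the decision object shape shown above.
SAMPLE_DECISION = json.loads("""
{
  "targethost": "client01.example.com",
  "service": "sshd",
  "denied": false,
  "matched": ["ops-ssh"],
  "notmatched": ["ops-db"]
}
""")


def evaluate_hbac_gate(decision: dict,
                       expected_rules: Optional[Iterable[str]] = None
                       ) -> Tuple[bool, str]:
    """Return (ok, reason) for a preflight gate over an hbactest decision.

    Fails closed: a missing or non-boolean 'denied' field counts as a
    denial, and an allow with no matched rule is rejected. When
    expected_rules is given, the allow must come from one of those rules,
    so an unexpected broad rule does not silently pass the gate.
    (evaluate_hbac_gate and expected_rules are hypothetical names.)
    """
    denied = decision.get("denied")
    if not isinstance(denied, bool):
        return False, "decision has no boolean 'denied' field; failing closed"
    host = decision.get("targethost", "?")
    service = decision.get("service", "?")
    matched = [str(r) for r in decision.get("matched") or []]
    if denied:
        return False, f"HBAC denied {service} on {host}"
    if not matched:
        return False, f"HBAC allowed {service} on {host} but no rule matched"
    if expected_rules is not None:
        expected = set(expected_rules)
        if not expected.intersection(matched):
            return False, (f"allow on {host} came from {matched}, "
                           f"not from expected rules {sorted(expected)}")
    return True, f"HBAC allowed {service} on {host} via {matched}"


if __name__ == "__main__":
    ok, reason = evaluate_hbac_gate(SAMPLE_DECISION, expected_rules=["ops-ssh"])
    print("PASS" if ok else "FAIL", reason)
```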

Troubleshooting

  • Permission failure: verify the account and delegated authority.
  • Unexpected empty result: verify target names and source records.
  • Unsafe output: redact payloads and add no_log: true where secret material is present.