LinuxCommandLibrary

rbac-lookup

Lookup Kubernetes RBAC permissions for users/groups

TLDR

View all RBAC bindings
$ rbac-lookup

View RBAC bindings that match a given expression
$ rbac-lookup [search_term]

View all RBAC bindings along with the source role binding
$ rbac-lookup [[-o|--output]] wide

View all RBAC bindings filtered by subject
$ rbac-lookup [[-k|--kind]] [user|group|serviceaccount]

View all RBAC bindings along with IAM roles (if you are using GKE)
$ rbac-lookup --gke
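The search-term, --kind and -o wide lookups shown above, as an added Python example that is not rbac-lookup's own code: it resolves a constructed set of RoleBindings and ClusterRoleBindings into the subject/scope/role/source rows the tool prints, applies the same two filters, and lists who holds cluster-admin cluster-wide. The namespace:name display of service accounts is an assumption.

```python
# Added example (not rbac-lookup's own code): resolve the subject -> role ->
# binding chain that rbac-lookup prints, over a constructed set of bindings.

# Constructed sample, shaped like the fields of RoleBinding/ClusterRoleBinding
# objects; a real run would load them from the API (e.g. kubectl ... -o json).
BINDINGS = [
    {"kind": "ClusterRoleBinding", "name": "cluster-admin", "namespace": None,
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"kind": "RoleBinding", "name": "dev-edit", "namespace": "dev",
     "roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "User", "name": "jsmith"},
                  {"kind": "ServiceAccount", "name": "ci", "namespace": "dev"}]},
    {"kind": "RoleBinding", "name": "prod-view", "namespace": "prod",
     "roleRef": {"kind": "Role", "name": "viewer"},
     "subjects": [{"kind": "User", "name": "jsmith"}]},
]


def lookup(bindings, search="", kind=None):
    """Rows of (subject, scope, role, source), like `rbac-lookup -o wide`.

    `search` is a case-insensitive substring match on the subject name
    (the [search_term] argument); `kind` filters like -k user|group|serviceaccount.
    """
    rows = []
    for b in bindings:
        # A ClusterRoleBinding applies cluster-wide; a RoleBinding only in its namespace.
        scope = "cluster-wide" if b["kind"] == "ClusterRoleBinding" else b["namespace"]
        role = f'{b["roleRef"]["kind"]}/{b["roleRef"]["name"]}'
        source = f'{b["kind"]}/{b["name"]}'  # the "source" column of -o wide
        for s in b.get("subjects", []):
            if kind and s["kind"].lower() != kind.lower():
                continue
            # Service accounts shown as namespace:name (assumed display format).
            name = s["name"] if s["kind"] != "ServiceAccount" else f'{s["namespace"]}:{s["name"]}'
            if search.lower() not in name.lower():
                continue
            rows.append((name, scope, role, source))
    return sorted(rows)


def cluster_admins(bindings):
    """Subjects bound cluster-wide to cluster-admin: the first thing an audit checks."""
    return [r[0] for r in lookup(bindings)
            if r[1] == "cluster-wide" and r[2] == "ClusterRole/cluster-admin"]


if __name__ == "__main__":
    for row in lookup(BINDINGS, search="jsmith"):
        print("  ".join(row))
    print("cluster-admin:", cluster_admins(BINDINGS))
```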

SYNOPSIS

rbac-lookup [OPTIONS]
Example: rbac-lookup --user=jsmith
Example: rbac-lookup --host=webserver.example.com --extop=DNSSEC

PARAMETERS

--user=USER
    Specifies the user principal for whom to look up permissions.

--host=HOST
    Specifies the host principal for which to look up permissions.

--service=SERVICE
    Specifies the service principal (e.g., HTTP/server.example.com) for which to look up permissions.

--extop=EXTOP
    Filters the lookup to show permissions related to a specific extended operation (e.g., DNSSEC).

--rule=RULE
    Displays permissions granted by a specific RBAC rule, by its name.

--all
    Displays all matching rules, not just the effective permissions.

--permissions
    Lists only the effective permissions, without additional rule details.

--verbose
    Provides more detailed output, including the rules granting the permissions.

DESCRIPTION

The rbac-lookup command is a crucial utility within the FreeIPA identity and access management system. It allows administrators to query and understand the effective Role-Based Access Control (RBAC) permissions for a given user, host, or service principal. Instead of just listing assigned roles, rbac-lookup resolves the actual permissions that are granted by those roles and associated rules. This is particularly useful for auditing, troubleshooting access issues, and verifying that security policies are correctly applied. It can show which rules grant specific permissions to principals, helping to trace the source of an access grant or denial.

CAVEATS

Requires an active Kerberos ticket or FreeIPA authentication to run effectively.
Only works against a FreeIPA server.
The output can be extensive depending on the number of rules and principals involved.
Understanding the output often requires familiarity with FreeIPA's RBAC concepts (permissions, privileges, roles, rules).

PURPOSE OF RBAC LOOKUP

Unlike simply listing roles a user belongs to, rbac-lookup performs a full evaluation of all rules, roles, and privileges to show the exact permissions that are effective for a principal in a given context. This is crucial for security auditing and troubleshooting "access denied" scenarios.

HISTORY

The rbac-lookup command was introduced as part of the FreeIPA project, which aims to provide an integrated identity and authentication solution for Linux/UNIX environments. As FreeIPA's RBAC capabilities matured, a dedicated tool was needed to effectively debug and verify complex permission assignments. rbac-lookup filled this need, becoming an essential utility for administrators to gain insight into the runtime application of RBAC policies, especially in larger, more intricate FreeIPA deployments.

SEE ALSO

ipa(1), ipa role-find(1), ipa permission-find(1), ipa privilege-find(1)
