[38672] in Kerberos


Re: kadmin ignoring target column ?

daemon@ATHENA.MIT.EDU (Laura Smith)
Mon Jan 13 11:54:52 2020

Date: Mon, 13 Jan 2020 16:54:13 +0000
To: Greg Hudson <ghudson@mit.edu>
From: Laura Smith <n5d9xq3ti233xiyif2vp@protonmail.ch>
Message-ID: <OodVxybV_EmEuT5k4EfPOXw9TsWdSuSEJUSOVY9cP54Omz9EeF-kpSSpiJau8NkmYCwK3li0XOgRju-YGUIUi4ydXY7ib4PT0MOMBsGUHgc=@protonmail.ch>
In-Reply-To: <b1b59f13-cb58-eca3-6fce-3ef5e4401b8c@mit.edu>
MIME-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Reply-To: Laura Smith <n5d9xq3ti233xiyif2vp@protonmail.ch>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, January 13, 2020 4:19 PM, Greg Hudson <ghudson@mit.edu> wrote:

> On 1/13/20 3:44 AM, Laura Smith wrote:
>
> > Am aware of the list ordering requirement, and to that extent the ACL entry in question was quite deliberately placed at the top.
>
> kadmind will continue on if the operation's target doesn't match the
> entry's target. So if you have a later entry for, say, "/admin ",
> then the line "saltstack/admin ADMCIL nfs/" would serve to deny access
> to nfs/ principals (because of the uppercase permission bits), but
> would have no effect on other target principals, or on operations with
> no target like list_principals.
>
> The documentation could probably be clarified here; it talks about "the
> first matching entry", but doesn't say what has to match.

Aah, so are we saying I should try something like:
saltstack/admin admcil nfs/*
saltstack/admin ADMCIL *

Basically my end goal is to allow saltstack/admin to do what it likes (within reason) for nfs/* but keep it well away from anything more "important" (such as */admin).


>
> > admcil nfs/@KRBTEST.COM, are you saying I should not be putting the wildcard asterisk after nfs/ ?
>
> The wildcard asterisk was there in the mail I sent out (I checked my
> outgoing mail), but was apparently mangled by a piece of email software.

Yes, you're right. Have read your original and indeed asterisk is there.


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
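The two ACL layouts discussed in this thread (the deny line that only covers nfs/* targets, and Laura's proposed "permit nfs/*, then deny everything" ordering) can be checked with a small model of kadmind's first-matching-entry rule. The code below is an added illustration written for this archive page, not MIT Kerberos code: it applies the rule as Greg describes it (an entry is used only when both its principal and, if present, its target match the operation; entries with a target are skipped for target-less operations such as list_principals; no match means deny). The kadm5.acl contents are constructed, the realm KRBTEST.COM is taken from the thread, and wildcard matching is simplified to shell-style globbing over the full principal string rather than kadmind's per-component matching.

```python
import fnmatch
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Lowercase kadm5.acl permission letters modelled here (x or * grants all).
ALL_OPS = frozenset("admcilps")


@dataclass(frozen=True)
class AclEntry:
    principal: str            # glob pattern for the authenticated client
    allowed: FrozenSet[str]   # lowercase letters granted after applying denials
    target: Optional[str]     # glob pattern for the target principal, or None
    line_no: int


def qualify(name: str, default_realm: str) -> str:
    """Assumption: a name without '@' gets the default realm appended."""
    return name if "@" in name else f"{name}@{default_realm}"


def parse_acl(text: str, default_realm: str) -> List[AclEntry]:
    """Parse 'principal permissions [target]' lines; '#' starts a comment."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {line_no}: expected 'principal perms [target]'")
        princ, perms = fields[0], fields[1]
        target = fields[2] if len(fields) > 2 else None
        allowed = set()
        for ch in perms:
            if ch in "x*":
                allowed |= ALL_OPS          # grant everything
            elif ch.lower() in ALL_OPS:
                if ch.islower():
                    allowed.add(ch)         # lowercase grants
                else:
                    allowed.discard(ch.lower())  # uppercase denies
            else:
                raise ValueError(f"line {line_no}: unknown permission {ch!r}")
        entries.append(AclEntry(
            principal=qualify(princ, default_realm),
            allowed=frozenset(allowed),
            target=qualify(target, default_realm) if target else None,
            line_no=line_no,
        ))
    return entries


def check(entries: List[AclEntry], client: str, op: str,
          target: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """First entry whose principal matches the client and whose target (if any)
    matches the operation's target decides. Entries carrying a target are
    skipped for target-less operations. Returns (allowed, matched_line)."""
    for e in entries:
        if not fnmatch.fnmatchcase(client, e.principal):
            continue
        if e.target is not None:
            if target is None or not fnmatch.fnmatchcase(target, e.target):
                continue
        return (op in e.allowed, e.line_no)
    return (False, None)   # no matching entry: default deny


# Constructed ACL 1: Laura's proposed ordering (permit nfs/*, then deny all).
ACL_PROPOSED = """\
# constructed example, line 1 is this comment
saltstack/admin  admcil  nfs/*
saltstack/admin  ADMCIL  *
"""

# Constructed ACL 2: a deny line for nfs/* targets first, permissive lines after.
ACL_DENY_FIRST = """\
# constructed example: the deny line only affects nfs/* targets
saltstack/admin  ADMCIL  nfs/*
saltstack/admin  admcil  */admin
saltstack/admin  l
"""

if __name__ == "__main__":
    client = "saltstack/admin@KRBTEST.COM"
    for name, acl in (("proposed", ACL_PROPOSED), ("deny-first", ACL_DENY_FIRST)):
        entries = parse_acl(acl, "KRBTEST.COM")
        print(name, "add nfs/host1:", check(entries, client, "a", "nfs/host1.example.com@KRBTEST.COM"))
        print(name, "delete foo/admin:", check(entries, client, "d", "foo/admin@KRBTEST.COM"))
        print(name, "list_principals:", check(entries, client, "l"))
```

Running the block shows the two behaviours from the thread: with the deny line first, operations on nfs/* targets stop at line 2, operations on */admin fall through to line 3, and list_principals is decided by the target-less line 4; with Laura's ordering, nfs/* targets are permitted by line 2, everything else hits the deny on line 3, and list_principals matches nothing and is denied.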

