[krbdev.mit.edu #7939] git commit
Benjamin Kaduk via RT
rt-comment at krbdev.mit.edu
Mon Jun 16 15:45:17 EDT 2014
Update the kadm5.acl example

Make the example and documentation a closer match to reality.
In particular, the list permission is all-or-nothing; it is not
restricted in scope by the target_principal field. Change the
table entry to try and indicate this fact, and do not put list
permissions on any example line that is scoped by a target_principal
pattern.

While here, remove the nonsensical granting of global inquire
permissions to */* (inaccurately described as "all principals"),
and the granting of privileges to foreign-realm principals.
It is not possible to obtain an initial ticket (as required by
the kadmin service) for a principal in a different realm, and
the current kadmind implementation can serve only a single realm
at a time -- this permission literally has no effect. Replace
it with a (presumably automated) "Service Management System"
example, where it might make sense to limit the principals which
are automatically created.
https://github.com/krb5/krb5/commit/70b2ba4852913ceb2bdc9a57edd487da8230f813
Author: Ben Kaduk <kaduk at mit.edu>
Commit: 70b2ba4852913ceb2bdc9a57edd487da8230f813
Branch: master
doc/admin/conf_files/kadm5_acl.rst | 34 ++++++++++++++++++----------------
1 files changed, 18 insertions(+), 16 deletions(-)
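
The two pitfalls named in the commit message (a list permission on a line scoped by target_principal, and an entry for a foreign-realm principal) can be checked mechanically. The following lint is an added example, not part of the commit or the krb5 tree; the function names, finding labels and sample ACL are constructed, and it assumes permission flags apply left to right, with x and * including list and L revoking it.

```python
# Added example: lint kadm5.acl text for the two pitfalls in the commit message.
# Line format: principal permissions [target_principal [restrictions]]

def grants_list(perms):
    """True if the permission string ends up granting 'l' (list).
    Assumption: flags apply left to right; 'x' and '*' include list,
    and uppercase 'L' revokes it."""
    granted = False
    for ch in perms:
        if ch in "lx*":
            granted = True
        elif ch == "L":
            granted = False
    return granted

def lint_acl(text, served_realm):
    """Return (line_number, issue) tuples for risky or ineffective entries."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            findings.append((lineno, "malformed"))
            continue
        principal, perms = fields[0], fields[1]
        target = fields[2] if len(fields) > 2 else "*"
        # list is all-or-nothing: a target pattern does not narrow it
        if grants_list(perms) and target != "*":
            findings.append((lineno, "list-not-scoped"))
        # kadmind serves one realm; a foreign-realm entry has no effect
        realm = principal.rpartition("@")[2] if "@" in principal else served_realm
        if "*" not in realm and realm != served_realm:
            findings.append((lineno, "foreign-realm"))
    return findings

# Constructed sample ACL for a hypothetical realm EXAMPLE.COM
SAMPLE_ACL = """\
# constructed sample
*/admin@EXAMPLE.COM    *
helpdesk@EXAMPLE.COM   il   */root@EXAMPLE.COM
auditor@EXAMPLE.COM    xL   */root@EXAMPLE.COM
ops@OTHER.EXAMPLE      i
sms@EXAMPLE.COM        a    */svc@EXAMPLE.COM
"""

if __name__ == "__main__":
    for lineno, issue in lint_acl(SAMPLE_ACL, "EXAMPLE.COM"):
        print(f"line {lineno}: {issue}")
```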