krb5 commit: New documentation for kadm5.acl

Zhanna A Tsitkova tsitkova at MIT.EDU
Fri Aug 3 10:44:02 EDT 2012


https://github.com/krb5/krb5/commit/3486a34645509d426a4c10c3f17a5e89e7de5cfd
commit 3486a34645509d426a4c10c3f17a5e89e7de5cfd
Author: Zhanna Tsitkov <tsitkova at mit.edu>
Date:   Fri Aug 3 10:45:00 2012 -0400

    New documentation for kadm5.acl

 doc/rst_source/krb_admins/conf_files/index.rst     |    7 +-
 doc/rst_source/krb_admins/conf_files/kadm5_acl.rst |  135 ++++++++++++++++++++
 2 files changed, 139 insertions(+), 3 deletions(-)

diff --git a/doc/rst_source/krb_admins/conf_files/index.rst b/doc/rst_source/krb_admins/conf_files/index.rst
index d17564f..078a173 100644
--- a/doc/rst_source/krb_admins/conf_files/index.rst
+++ b/doc/rst_source/krb_admins/conf_files/index.rst
@@ -2,7 +2,8 @@ Configuration Files
 ===================
 
 .. toctree::
-   :maxdepth: 2
+   :maxdepth: 1
 
-   krb5_conf.rst
-   kdc_conf.rst
+   krb5_conf
+   kdc_conf
+   kadm5_acl
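Review bot: the `:maxdepth:` change from 2 to 1 in this hunk is unrelated to adding the kadm5_acl page and is not mentioned in the commit message; either say in the message why the section tree is being flattened or leave the depth as it was, so that the change of the rendered index is a deliberate one. Dropping the `.rst` suffixes from the existing `krb5_conf` and `kdc_conf` entries is fine and consistent with the Sphinx convention of listing document names rather than file names in a toctree, and the new `kadm5_acl` entry follows the same form.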
diff --git a/doc/rst_source/krb_admins/conf_files/kadm5_acl.rst b/doc/rst_source/krb_admins/conf_files/kadm5_acl.rst
new file mode 100644
index 0000000..d34971c
--- /dev/null
+++ b/doc/rst_source/krb_admins/conf_files/kadm5_acl.rst
@@ -0,0 +1,135 @@
+.. _kadm5.acl(5):
+
+kadm5.acl
+=========
+
+DESCRIPTION
+-----------
+
+The Kerberos :ref:`kadmind(8)` daemon uses an Access Control List
+(ACL) file to manage access rights to the Kerberos database.
+For operations that affect principals, the ACL file also controls
+which principals can operate on which other principals.
+
+The default location of the Kerberos ACL file is
+|kdcdir|\ ``/kadm5.acl``  unless this is overridden by the *acl_file*
+variable in :ref:`kdc.conf(5)`.
+
+SYNTAX
+------
+
+Empty lines and lines starting with the sharp sign (``#``) are
+ignored.  Lines containing ACL entries have the format:
+
+ ::
+
+    principal  permissions  [target_principal]  [restrictions]
+
+Line order in the ACL file is important.  The first matching entry
+will control access for an actor principal on a target principal.
+
+*principal*
+    (Partially or fully qualified Kerberos principal name.) Specifies
+    the principal whose permissions are to be set.
+
+    Each component of the name may be wildcarded using the ``*``
+    character.
+
+*permissions*
+    Specifies what operations may or may not be performed by a
+    *principal* matching a particular entry.  This is a string of one or
+    more of the following list of characters or their upper-case
+    counterparts.  If the character is *upper-case*, then the operation
+    is disallowed.  If the character is *lower-case*, then the operation
+    is permitted.
+
+    == ======================================================
+    a  [Dis]allows the addition of principals or policies
+    c  [Dis]allows the changing of passwords for principals
+    d  [Dis]allows the deletion of principals or policies
+    i  [Dis]allows inquiries about principals or policies
+    l  [Dis]allows the listing of principals or policies
+    m  [Dis]allows the modification of principals or policies
+    p  [Dis]allows the propagation of the principal database (used in :ref:`incr_db_prop`)
+    s  [Dis]allows the explicit setting of the key for a principal
+    x  Short for admcil. All privileges
+    \* Same as x.
+    == ======================================================
+
+
+*target_principal*
+    (Optional. Partially or fully qualified Kerberos principal name.)
+    Specifies the principal on which *permissions* may be applied.
+    Each component of the name may be wildcarded using the ``*``
+    character.
+
+    *target_principal* can also include back-references to *principal*,
+    in which ``*number`` matches the component number in *principal*.
+
+*restrictions*
+    (Optional) A string of flags. Allowed restrictions are:
+
+        {+\|-}\ *flagname*
+            flag is forced to indicated value.  The permissible flags
+            are the same as the + and - flags for the kadmin
+            :ref:`add_principal` and :ref:`modify_principal` commands.
+
+        *-clearpolicy*
+            policy is forced to clear.
+
+        *-policy pol*
+            policy is forced to be *pol*.
+
+        -{*expire, pwexpire, maxlife, maxrenewlife*} *time*
+            (:ref:`getdate` string) associated value will be forced to
+            MIN(*time*, requested value).
+
+    The above flags act as restrictions on any add or modify operation
+    which is allowed due to that ACL line.
+
+.. warning::
+    If the kadmind ACL file is modified, the kadmind daemon needs to be
+    restarted for changes to take effect.
+
+EXAMPLE
+-------
+
+Here is an example of a kadm5.acl file.
+
+ ::
+
+    */admin at ATHENA.MIT.EDU        *                           # line 1
+    joeadmin at ATHENA.MIT.EDU   ADMCIL                          # line 2
+    joeadmin/*@ATHENA.MIT.EDU il  */root at ATHENA.MIT.EDU       # line 3
+    *@ATHENA.MIT.EDU          cil *1/admin at ATHENA.MIT.EDU     # line 4
+    */*@ATHENA.MIT.EDU        i                               # line 5
+    */admin at EXAMPLE.COM       * -maxlife 9h -postdateable     # line 6
+
+(line 1) Any principal in the ``ATHENA.MIT.EDU`` realm with
+an ``admin`` instance has all administrative privileges.
+
+(lines 2-3) The user ``joeadmin`` has all permissions with his
+``admin`` instance, ``joeadmin/admin at ATHENA.MIT.EDU`` (matches line
+2).  He has no permissions at all with his null instance,
+``joeadmin at ATHENA.MIT.EDU`` (matches line 3).  His root instance has
+inquire and list permissions with any other principal that has the
+instance root.
+
+(line 4) Any principal in ``ATHENA.MIT.EDU`` can inquire, list,
+or change the password of their ``admin`` instance, but not any other
+admin instance.  (Here, "\*1" denotes a back-reference to the first
+component of the actor principal.)
+
+(line 5) Any principal in the realm ``ATHENA.MIT.EDU`` (except for
+``joeadmin at ATHENA.MIT.EDU``, as mentioned above) has inquire
+privileges.
+
+(line 6) Finally, any principal with an ``admin`` instance in ``EXAMPLE.COM``
+has all permissions, but any principal that they create or modify will
+not be able to get postdateable tickets or tickets with a life of
+longer than 9 hours.
+
+SEE ALSO
+--------
+
+:ref:`kdc.conf(5)`, :ref:`kadmind(8)`
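Review bot: the "(matches line N)" references in the EXAMPLE explanation do not agree with the example file above them. `joeadmin/admin@ATHENA.MIT.EDU` is matched first by line 1 (`*/admin@ATHENA.MIT.EDU *`), not line 2, and the null instance `joeadmin@ATHENA.MIT.EDU` is matched by line 2 (`joeadmin@ATHENA.MIT.EDU ADMCIL`), not line 3; line 3 is the entry that gives the root instance inquire and list. Because the SYNTAX section states that the first matching entry controls access, readers will use this example to check their understanding of entry ordering, so those numbers should be exact. Two smaller points in the same file: the permissions table describes `x` both as "Short for admcil" and as "All privileges" while listing `s` and `p` as separate privileges in the same table, so state explicitly whether `x` (and `*`) grants `s` and `p`; and the double space before "unless" in the default-location sentence should be a single space.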
