krb5 commit: New documentation for kadm5.acl
Zhanna A Tsitkova
tsitkova at MIT.EDU
Fri Aug 3 10:44:02 EDT 2012
https://github.com/krb5/krb5/commit/3486a34645509d426a4c10c3f17a5e89e7de5cfd
commit 3486a34645509d426a4c10c3f17a5e89e7de5cfd
Author: Zhanna Tsitkov <tsitkova at mit.edu>
Date: Fri Aug 3 10:45:00 2012 -0400
New documentation for kadm5.acl
doc/rst_source/krb_admins/conf_files/index.rst | 7 +-
doc/rst_source/krb_admins/conf_files/kadm5_acl.rst | 135 ++++++++++++++++++++
2 files changed, 139 insertions(+), 3 deletions(-)
diff --git a/doc/rst_source/krb_admins/conf_files/index.rst b/doc/rst_source/krb_admins/conf_files/index.rst
index d17564f..078a173 100644
--- a/doc/rst_source/krb_admins/conf_files/index.rst
+++ b/doc/rst_source/krb_admins/conf_files/index.rst
@@ -2,7 +2,8 @@ Configuration Files
===================
.. toctree::
- :maxdepth: 2
+ :maxdepth: 1
- krb5_conf.rst
- kdc_conf.rst
+ krb5_conf
+ kdc_conf
+ kadm5_acl
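Review bot: the change from `:maxdepth: 2` to `:maxdepth: 1` is unrelated to adding the kadm5.acl page and is not mentioned in the commit message; either split it into its own commit or say why the depth is being reduced. Dropping the `.rst` suffix from `krb5_conf` and `kdc_conf` is fine, since toctree entries are document names rather than file names, and the new `kadm5_acl` entry follows the same form.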
diff --git a/doc/rst_source/krb_admins/conf_files/kadm5_acl.rst b/doc/rst_source/krb_admins/conf_files/kadm5_acl.rst
new file mode 100644
index 0000000..d34971c
--- /dev/null
+++ b/doc/rst_source/krb_admins/conf_files/kadm5_acl.rst
@@ -0,0 +1,135 @@
+.. _kadm5.acl(5):
+
+kadm5.acl
+=========
+
+DESCRIPTION
+-----------
+
+The Kerberos :ref:`kadmind(8)` daemon uses an Access Control List
+(ACL) file to manage access rights to the Kerberos database.
+For operations that affect principals, the ACL file also controls
+which principals can operate on which other principals.
+
+The default location of the Kerberos ACL file is
+|kdcdir|\ ``/kadm5.acl`` unless this is overridden by the *acl_file*
+variable in :ref:`kdc.conf(5)`.
+
+SYNTAX
+------
+
+Empty lines and lines starting with the sharp sign (``#``) are
+ignored. Lines containing ACL entries have the format:
+
+ ::
+
+ principal permissions [target_principal] [restrictions]
+
+Line order in the ACL file is important. The first matching entry
+will control access for an actor principal on a target principal.
+
+*principal*
+ (Partially or fully qualified Kerberos principal name.) Specifies
+ the principal whose permissions are to be set.
+
+ Each component of the name may be wildcarded using the ``*``
+ character.
+
+*permissions*
+ Specifies what operations may or may not be performed by a
+ *principal* matching a particular entry. This is a string of one or
+ more of the following list of characters or their upper-case
+ counterparts. If the character is *upper-case*, then the operation
+ is disallowed. If the character is *lower-case*, then the operation
+ is permitted.
+
+ == ======================================================
+ a [Dis]allows the addition of principals or policies
+ c [Dis]allows the changing of passwords for principals
+ d [Dis]allows the deletion of principals or policies
+ i [Dis]allows inquiries about principals or policies
+ l [Dis]allows the listing of principals or policies
+ m [Dis]allows the modification of principals or policies
+ p [Dis]allows the propagation of the principal database (used in :ref:`incr_db_prop`)
+ s [Dis]allows the explicit setting of the key for a principal
+ x Short for admcil. All privileges
+ \* Same as x.
+ == ======================================================
+
+
+*target_principal*
+ (Optional. Partially or fully qualified Kerberos principal name.)
+ Specifies the principal on which *permissions* may be applied.
+ Each component of the name may be wildcarded using the ``*``
+ character.
+
+ *target_principal* can also include back-references to *principal*,
+ in which ``*number`` matches the component number in *principal*.
+
+*restrictions*
+ (Optional) A string of flags. Allowed restrictions are:
+
+ {+\|-}\ *flagname*
+ flag is forced to indicated value. The permissible flags
+ are the same as the + and - flags for the kadmin
+ :ref:`add_principal` and :ref:`modify_principal` commands.
+
+ *-clearpolicy*
+ policy is forced to clear.
+
+ *-policy pol*
+ policy is forced to be *pol*.
+
+ -{*expire, pwexpire, maxlife, maxrenewlife*} *time*
+ (:ref:`getdate` string) associated value will be forced to
+ MIN(*time*, requested value).
+
+ The above flags act as restrictions on any add or modify operation
+ which is allowed due to that ACL line.
+
+.. warning::
+ If the kadmind ACL file is modified, the kadmind daemon needs to be
+ restarted for changes to take effect.
+
+EXAMPLE
+-------
+
+Here is an example of a kadm5.acl file.
+
+ ::
+
+ */admin at ATHENA.MIT.EDU * # line 1
+ joeadmin at ATHENA.MIT.EDU ADMCIL # line 2
+ joeadmin/*@ATHENA.MIT.EDU il */root at ATHENA.MIT.EDU # line 3
+ *@ATHENA.MIT.EDU cil *1/admin at ATHENA.MIT.EDU # line 4
+ */*@ATHENA.MIT.EDU i # line 5
+ */admin at EXAMPLE.COM * -maxlife 9h -postdateable # line 6
+
+(line 1) Any principal in the ``ATHENA.MIT.EDU`` realm with
+an ``admin`` instance has all administrative privileges.
+
+(lines 2-3) The user ``joeadmin`` has all permissions with his
+``admin`` instance, ``joeadmin/admin at ATHENA.MIT.EDU`` (matches line
+2). He has no permissions at all with his null instance,
+``joeadmin at ATHENA.MIT.EDU`` (matches line 3). His root instance has
+inquire and list permissions with any other principal that has the
+instance root.
+
+(line 4) Any principal in ``ATHENA.MIT.EDU`` can inquire, list,
+or change the password of their ``admin`` instance, but not any other
+admin instance. (Here, "\*1" denotes a back-reference to the first
+component of the actor principal.)
+
+(line 5) Any principal in the realm ``ATHENA.MIT.EDU`` (except for
+``joeadmin at ATHENA.MIT.EDU``, as mentioned above) has inquire
+privileges.
+
+(line 6) Finally, any principal with an ``admin`` instance in ``EXAMPLE.COM``
+has all permissions, but any principal that they create or modify will
+not be able to get postdateable tickets or tickets with a life of
+longer than 9 hours.
+
+SEE ALSO
+--------
+
+:ref:`kdc.conf(5)`, :ref:`kadmind(8)`
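Review bot: the "(lines 2-3)" explanation after the example mislabels which ACL lines match. With the first-match rule stated in SYNTAX, `joeadmin/admin@ATHENA.MIT.EDU` matches line 1 (`*/admin@ATHENA.MIT.EDU *`), not line 2; the null instance `joeadmin@ATHENA.MIT.EDU` matches line 2 (`joeadmin@ATHENA.MIT.EDU ADMCIL`), not line 3, because line 3 requires an instance; and the root instance is the one that matches line 3. Suggest changing the two parentheticals to "(matches line 1)" and "(matches line 2)" and appending "(matches line 3)" to the root-instance sentence. Also, the table row for `x` says "Short for admcil" yet "All privileges", while the same table also lists `p` and `s`; spell out the exact set `x` and `*` expand to so readers do not assume set-key and propagation are excluded.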