krb5 commit: Clarify "all privileges" in kadm5.acl docs

[Greg Hudson]

https://github.com/krb5/krb5/commit/72a4b0af1a6cd07eee178cf3ff1df0e0857f5312
commit 72a4b0af1a6cd07eee178cf3ff1df0e0857f5312
Author: Greg Hudson <ghudson at mit.edu>
Date:   Wed Jun 28 18:06:29 2017 -0400

    Clarify "all privileges" in kadm5.acl docs
    
    In the kadm5.acl example, be more careful about saying "all
    privileges", as the recently added extract privilege is not covered by
    "*" or "x".
    
    ticket: 8594 (new)
    target_version: 1.15-next
    tags: pullup

 doc/admin/conf_files/kadm5_acl.rst |   27 ++++++++++++++-------------
 1 files changed, 14 insertions(+), 13 deletions(-)

diff --git a/doc/admin/conf_files/kadm5_acl.rst b/doc/admin/conf_files/kadm5_acl.rst
index d23fb8a..138a2d7 100644
--- a/doc/admin/conf_files/kadm5_acl.rst
+++ b/doc/admin/conf_files/kadm5_acl.rst
@@ -116,16 +116,17 @@ Here is an example of a kadm5.acl file::
     */root at ATHENA.MIT.EDU     l   *                           # line 5
     sms at ATHENA.MIT.EDU        x   * -maxlife 9h -postdateable # line 6
 
-(line 1) Any principal in the ``ATHENA.MIT.EDU`` realm with
-an ``admin`` instance has all administrative privileges.
-
-(lines 1-3) The user ``joeadmin`` has all permissions with his
-``admin`` instance, ``joeadmin/admin at ATHENA.MIT.EDU`` (matches line
-1).  He has no permissions at all with his null instance,
-``joeadmin at ATHENA.MIT.EDU`` (matches line 2).  His ``root`` and other
-non-``admin``, non-null instances (e.g., ``extra`` or ``dbadmin``) have
-inquire permissions with any principal that has the instance ``root``
-(matches line 3).
+(line 1) Any principal in the ``ATHENA.MIT.EDU`` realm with an
+``admin`` instance has all administrative privileges except extracting
+keys.
+
+(lines 1-3) The user ``joeadmin`` has all permissions except
+extracting keys with his ``admin`` instance,
+``joeadmin/admin at ATHENA.MIT.EDU`` (matches line 1).  He has no
+permissions at all with his null instance, ``joeadmin at ATHENA.MIT.EDU``
+(matches line 2).  His ``root`` and other non-``admin``, non-null
+instances (e.g., ``extra`` or ``dbadmin``) have inquire permissions
+with any principal that has the instance ``root`` (matches line 3).
 
 (line 4) Any ``root`` principal in ``ATHENA.MIT.EDU`` can inquire
 or change the password of their null instance, but not any other
@@ -139,9 +140,9 @@ permission can only be granted globally, not to specific target
 principals.
 
 (line 6) Finally, the Service Management System principal
-``sms at ATHENA.MIT.EDU`` has all permissions, but any principal that it
-creates or modifies will not be able to get postdateable tickets or
-tickets with a life of longer than 9 hours.
+``sms at ATHENA.MIT.EDU`` has all permissions except extracting keys, but
+any principal that it creates or modifies will not be able to get
+postdateable tickets or tickets with a life of longer than 9 hours.
 
 SEE ALSO
 --------