wallet acls per glob
Russ Allbery
rra at stanford.edu
Thu Oct 4 17:49:34 EDT 2012
Ross Smith <rjsm at umich.edu> writes:
> We would like to restrict certain acls to only reload certain hosts. I
> have a local patch to allow ldap-group acls. An example of what I'd
> like to setup is have members of the group foo-reloaders only be able to
> autocreate acls for hosts with fqdn matching ^bar*.engin.umich.edu. Is
> there an easy way to do this with wallet as is? or how much work would
> it be to implement something like this?
The intent is for you to be able to do that with the default_owner
callback in the wallet configuration file. Something basically like this:
    # Called by wallet with the object type and name when an object is
    # autocreated; returns the ACL name plus its entries, or an empty list
    # to decline.
    sub default_owner {
        my ($type, $name) = @_;
        # Only keytabs whose name starts with "bar" in engin.umich.edu.
        if ($type eq 'keytab' and $name =~ /^bar.*\.engin\.umich\.edu/) {
            # or whatever the syntax for your ldap-group ACL scheme is
            return ('foo-reloaders', [ 'ldap-group', 'foo-reloaders' ]);
        } else {
            return;
        }
    }
For more information see the DEFAULT OWNERS section of Wallet::Config.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
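The following is an added example, not code from the thread above or from wallet itself. It wraps a default_owner callback of the shape Russ sketches in a small stand-alone harness, so the matching rule can be checked against a handful of names before it goes into the wallet configuration. The hostnames are constructed, the ldap-group ACL scheme is assumed to exist locally as in Ross's patch, and the pattern assumes keytab objects are named by bare hostname as in the sketch; if your keytab objects carry a principal prefix, the pattern needs to account for that. It also anchors the pattern with $ so that a name with extra trailing labels does not pick up the default owner.

```perl
#!/usr/bin/perl
# Added example: exercises a default_owner callback against constructed
# object names.  Not part of wallet or of the original message.
use strict;
use warnings;

# Same shape as the callback Russ sketches.  The pattern is anchored at
# both ends (assumption: object names are bare hostnames) so that only
# names that end in .engin.umich.edu qualify.
sub default_owner {
    my ($type, $name) = @_;
    if ($type eq 'keytab' and $name =~ /^bar.*\.engin\.umich\.edu$/) {
        # ldap-group is a locally added ACL scheme (assumed here).
        return ('foo-reloaders', [ 'ldap-group', 'foo-reloaders' ]);
    }
    return;    # no default owner: wallet will refuse to autocreate
}

# Constructed test cases: (type, name, expect a default owner?).
my @cases = (
    [ 'keytab', 'bar1.engin.umich.edu',             1 ],
    [ 'keytab', 'bar.engin.umich.edu',              1 ],
    [ 'keytab', 'baz.engin.umich.edu',              0 ],   # other host
    [ 'keytab', 'bar1.engin.umich.edu.example.org', 0 ],   # trailing labels
    [ 'file',   'bar1.engin.umich.edu',             0 ],   # wrong type
);

my $failures = 0;
for my $case (@cases) {
    my ($type, $name, $expect) = @$case;
    my ($acl, @entries) = default_owner($type, $name);
    my $got    = defined $acl ? 1 : 0;
    my $status = ($got == $expect) ? 'ok' : 'FAIL';
    $failures++ if $status eq 'FAIL';
    my $desc = defined $acl
        ? "$acl (" . join(', ', map { "@$_" } @entries) . ")"
        : 'no default owner';
    printf "%-4s %-6s %-38s -> %s\n", $status, $type, $name, $desc;
}
exit($failures ? 1 : 0);
```

Run it with perl; a non-zero exit means one of the constructed cases did not behave as expected, which is worth knowing before the callback is live, since a too-broad match hands the ldap-group ACL ownership of objects outside the intended host set.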