Proposition for new remctl ACL scheme / group support

Remi FERRAND remi.ferrand at cc.in2p3.fr
Sat Apr 5 11:02:52 EDT 2014


Hi everyone,

Sorry for the spam if this list isn't the one I should use to discuss remctl (http://www.eyrie.org/~eagle/software/remctl/).

At IN2P3 Computing Centre, we're starting to use remctl for everything that requires privilege delegation (till now, this software seems perfect for what we want).

Anyway, the more we use it, the more we believe its default ACL bundle ("file, princ, deny, pcre, regex" from the EPEL version) is missing something related to *groups*.

For instance, we'd like to be able to allow "Every member of team A" to execute one command on a particular host.
This way, we could allow "all members of a particular physics experiment" to release their AFS volumes, for instance.

We were unable to find a simple way to do this with the current remctl ACL methods, which is why we've submitted a first patch (https://github.com/rra/remctl/pull/1).
This patch introduces a new ACL method named "unxgrp" and is still not merged in master.
It was an easy (and fast to write) answer to our problem.

For now, the default EPEL remctl package comes with "remctl server local only" ACL scheme (ACL that only involves local remctl server resources).
What we're trying to do here is to introduce an ACL scheme (PTS or unxgrp) that could use network-based providers (and thus allow centralization and factorization of ACLs).


As we were writing this piece of code we thought that at CC-IN2P3 we are using OpenAFS.
AFS brings a PTS DB that could be used as a convenient way to distribute groups.

For instance with the PTS group above:

>>> % pts mem remctl:testgrp -expand
>>> Expanded Members of remctl:testgrp (id: -6556) are:
>>>   user1
>>>   user2

we could be able to use the following ACL in remctl configuration file:

>>> pts_group:remctl:testgrp

to allow user1 and user2 to execute a command.


Before any further development, we'd like to know if someone could be interested in that feature?
Does someone think that we absolutely shouldn't do that?
If so, we'll talk about the implementation later.

More important for us, we'd like to know what Russ Allbery thinks about that as he is the main developer of remctl.
Thank you in advance for your answer.


Thanks all for your answers and comments.

Cheers

-- 

Remi Ferrand             | Institut National de Physique Nucleaire
Tel. +33(0)4.78.93.08.80 |     et de Physique des Particules
Fax. +33(0)4.72.69.41.70 | Centre de Calcul - http://cc.in2p3.fr/
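Added example (not part of the post above and not remctl's own code): a fail-closed check for the proposed `pts_group:<group>` ACL entry that resolves membership from the `pts mem <group> -expand` output format shown in the post. The `pts` runner is injectable so the check can be exercised offline on constructed output; the principal-to-AFS-user mapping (drop the realm, leave multi-component principals untouched) is an assumption of this example.

```python
import re
import subprocess
from typing import Callable, Optional, Set

# Header line printed by 'pts mem <group> -expand', as quoted in the post.
PTS_HEADER = re.compile(r"^Expanded Members of (\S+) \(id: -?\d+\) are:$")


def parse_pts_expand(output: str, group: str) -> Optional[Set[str]]:
    """Parse 'pts mem <group> -expand' output into a set of AFS user names.
    Returns None when the header is missing or names a different group
    (e.g. an error message was printed instead), so callers fail closed."""
    lines = output.strip().splitlines()
    if not lines:
        return None
    match = PTS_HEADER.match(lines[0].strip())
    if not match or match.group(1) != group:
        return None
    return {line.strip() for line in lines[1:] if line.strip()}


def principal_to_afs_user(principal: str) -> str:
    """Assumed mapping: AFS user name == principal without its realm.
    Multi-component principals (e.g. user/admin) keep the '/' so they
    never match a plain user entry by accident."""
    return principal.split("@", 1)[0]


def run_pts_mem(group: str) -> str:
    """Real runner: shell out to pts; any failure yields "" (deny)."""
    try:
        res = subprocess.run(["pts", "mem", group, "-expand"], capture_output=True,
                             text=True, timeout=10, check=True)
    except (OSError, subprocess.SubprocessError):
        return ""
    return res.stdout


def acl_check(acl: str, principal: str,
              runner: Callable[[str], str] = run_pts_mem) -> bool:
    """True only for 'pts_group:<group>' when the principal's AFS user is an
    expanded member; unknown scheme, empty group or lookup trouble denies."""
    scheme, sep, group = acl.partition(":")
    if scheme != "pts_group" or not sep or not group:
        return False
    members = parse_pts_expand(runner(group), group)
    return members is not None and principal_to_afs_user(principal) in members


# Constructed sample mirroring the post's 'pts mem remctl:testgrp -expand'.
SAMPLE_PTS_OUTPUT = "Expanded Members of remctl:testgrp (id: -6556) are:\n  user1\n  user2\n"


def sample_runner(group: str) -> str:
    """Offline stand-in for pts: only the sample group exists."""
    return SAMPLE_PTS_OUTPUT if group == "remctl:testgrp" else ""
```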

