Proposition for new remctl ACL scheme / group support

Jason Edgecombe jason at rampaginggeek.com
Sat Apr 5 23:49:55 EDT 2014


On 04/05/2014 11:02 AM, Remi FERRAND wrote:
> Hi everyone,
>
> Sorry for the spam if this list isn't the one I should use to discuss remctl (http://www.eyrie.org/~eagle/software/remctl/).
>
> At IN2P3 Computing Centre, we're starting to use remctl for everything that requires privilege delegation (till now, this software seems perfect for what we want).
>
> Anyway, the more we use it, the more we believe its default ACL bundle ("file, princ, deny, pcre, regex" from the EPEL version) is missing something related to *groups*.
>
> For instance, we'd like to be able to allow "Every member of team A" to execute one command on a particular host.
> This way, we could allow "all members of a particular physics experiment" to release their AFS volumes for instance.
>
> We were unable to find a simple way to do this with the current remctl ACL methods, that's why we've submitted a first patch (https://github.com/rra/remctl/pull/1).
> This patch introduces a new ACL method named "unxgrp" and is still not merged in master.
> It was an easy (and fast to write) answer to our problem.
>
> For now, the default EPEL remctl package comes with "remctl server local only" ACL scheme (ACL that only involves local remctl server resources).
> What we're trying to do here is to introduce an ACL scheme (PTS or unxgrp) that could use network-based providers (and thus allow centralization and factorization of ACLs).
>
>
> As we were writing this piece of code we thought that at CC-IN2P3 we are using OpenAFS.
> AFS brings a PTS DB that could be used as a convenient way to distribute groups.
>
> For instance with the PTS group above:
>
>>>> % pts mem remctl:testgrp -expand
>>>> Expanded Members of remctl:testgrp (id: -6556) are:
>>>>    user1
>>>>    user2
> we would be able to use the following ACL in the remctl configuration file:
>
>>>> pts_group:remctl:testgrp
> to allow user1 and user2 to execute a command.
>
>
> Before any further development, we'd like to know if someone could be interested in that feature?
> Does someone think that we absolutely shouldn't do that ?
> If so we'll talk later of the implementation.
>
> More important for us, we'd like to know what Russ Allbery thinks about that as he is the main developer of remctl.
> Thank you in advance for your answer.
>
>
> Thanks all for your answers and comments.
>
> Cheers
>

At our site, we made similar functionality by writing a script to 
generate a part of our remctl config based on the members of a PTS 
group. I look forward to being able to use this and removing one more 
script.

Jason
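As an added illustration of the kind of generator script Jason describes (example code, not from the thread and not part of remctl): it parses the `pts membership -expand` output quoted above and renders a remctl ACL file for use with the existing `file:` method. The Kerberos realm, the `princ:` one-entry-per-line ACL file format, and the member-name pattern are assumptions; the sample output is constructed from the group quoted in the thread.

```python
import re

# Constructed sample of "pts membership remctl:testgrp -expand" output,
# modelled on the listing quoted in the thread (not captured from a real cell).
SAMPLE_PTS_OUTPUT = """\
Expanded Members of remctl:testgrp (id: -6556) are:
   user1
   user2
"""

HEADER_RE = re.compile(r"^Expanded Members of (\S+) \(id: (-?\d+)\) are:$")
# Conservative AFS user-name pattern (assumption); anything else is rejected
# so a stray error line is never turned into a principal.
MEMBER_RE = re.compile(r"^[a-z0-9._-]+$")


def parse_pts_members(output):
    """Return (group, [members]) from `pts membership -expand` output.

    Raises ValueError on an unexpected header or member line, so a failed
    pts run never silently produces an empty or wrong ACL.
    """
    lines = output.splitlines()
    if not lines:
        raise ValueError("empty pts output")
    header = HEADER_RE.match(lines[0])
    if not header:
        raise ValueError("unexpected pts header: %r" % lines[0])
    members = []
    for line in lines[1:]:
        name = line.strip()
        if not name:
            continue
        if not MEMBER_RE.match(name):
            raise ValueError("unexpected member line: %r" % line)
        members.append(name)
    return header.group(1), members


def render_acl(group, members, realm):
    """Render a remctl ACL file: one principal per line, referenced as file:<path>."""
    out = ["# generated from PTS group %s; do not edit by hand" % group]
    out += ["princ:%s@%s" % (m, realm) for m in sorted(set(members))]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    grp, users = parse_pts_members(SAMPLE_PTS_OUTPUT)
    print(render_acl(grp, users, "EXAMPLE.ORG"), end="")
```

In a real deployment the parsed text would come from running `pts membership <group> -expand` on a cron job, with the rendered file written atomically so remctld never reads a half-written ACL.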


More information about the Kerberos mailing list