kadmin ignoring target column ?

Kenneth MacDonald Kenneth.MacDonald at ed.ac.uk
Mon Jan 13 12:23:23 EST 2020


Laura,

If you can change the name of the principal Salt is using, then your
authorisation rules would not require one to deny it any other
permissions.  The "admin" word isn't required to grant admin type
permissions.

For example if you changed it to "saltstack/salt.admin" you'd only
require,

saltstack/salt.admin admcil */nfs

Cheers,

Kenny.

On Mon, 2020-01-13 at 16:54 +0000, Laura Smith wrote:
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Monday, January 13, 2020 4:19 PM, Greg Hudson <ghudson at mit.edu>
> wrote:
> 
> > On 1/13/20 3:44 AM, Laura Smith wrote:
> > 
> > > Am aware of the list ordering requirement, and to that extent the
> > > ACL entry in question was quite deliberately placed at the top.
> > 
> > kadmind will continue on if the operation's target doesn't match the
> > entry's target. So if you have a later entry for, say, "/admin ",
> > then the line "saltstack/admin ADMCIL nfs/" would serve to deny access
> > to nfs/ principals (because of the uppercase permission bits), but
> > would have no effect on other target principals, or on operations with
> > no target like list_principals.
> > 
> > The documentation could probably be clarified here; it talks about "the
> > first matching entry", but doesn't say what has to match.
> 
> Aah, so are we saying I should try something like :
> saltstack/admin admcil nfs/*
> saltstack/admin ADMCIL *
> 
> Basically my end goal is to allow saltstack/admin to do what it likes
> (within reason) for nfs/* but keep it well away from anything more
> "important" (such as */admin).
> 
> 
> > 
> > > admcil nfs/@KRBTEST.COM, are you saying I should not be putting
> > > the wildcard asterisk after nfs/ ?
> > 
> > The wildcard asterisk was there in the mail I sent out (I checked my
> > outgoing mail), but was apparently mangled by a piece of email
> > software.
> 
> Yes, you're right. Have read your original and indeed asterisk is
> there.
> 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos


-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
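The matching rule Greg describes above (an entry only applies when both its principal and, if present, its target match the operation, and the first such entry decides) is easy to get wrong when reading a kadm5.acl by eye. The following is an added, self-contained Python model of that rule, written for this archive page; it is not kadmind's own code. It assumes: a bare "*" pattern matches any principal, other patterns are matched component-wise with shell globbing, a pattern without a realm matches any realm (a simplification; real kadm5.acl appends the default realm), an entry that carries a target is skipped for target-less operations such as list_principals, and restrictions and *1-style backreferences are not modelled. The two ACLs, the client principal and the realm KRBTEST.COM are constructed from the thread.

```python
"""Toy model of kadm5.acl entry matching (added example; not kadmind's code)."""
import fnmatch
from dataclasses import dataclass
from typing import List, Optional

# "x" and "*" are shorthand for all of these privilege letters.
ALL_PRIVS = "admcilsp"


@dataclass
class AclEntry:
    client: str            # principal pattern, e.g. "saltstack/admin"
    granted: frozenset     # lowercase letters that this entry grants
    target: Optional[str]  # target principal pattern, or None if absent


def parse_acl(text: str) -> List[AclEntry]:
    """Parse 'principal permissions [target [restrictions]]' lines.
    Restrictions (a 4th field) are ignored in this model."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed ACL line: {raw!r}")
        perms = fields[1]
        if perms in ("*", "x"):
            perms = ALL_PRIVS
        # Only lowercase letters grant. Uppercase letters ("ADMCIL") leave
        # the privilege ungranted, which is how an explicit deny entry works.
        granted = frozenset(c for c in perms if c.islower())
        target = fields[2] if len(fields) > 2 else None
        entries.append(AclEntry(fields[0], granted, target))
    return entries


def _split(princ: str):
    """'nfs/host@REALM' -> (['nfs', 'host'], 'REALM'); realm is None if absent."""
    name, _, realm = princ.partition("@")
    return name.split("/"), (realm or None)


def match_princ(pattern: str, princ: str) -> bool:
    """Component-wise glob match. A bare "*" matches any principal.
    Assumption (simplification): a pattern without a realm matches any realm."""
    if pattern == "*":
        return True
    pcomps, prealm = _split(pattern)
    comps, realm = _split(princ)
    if len(pcomps) != len(comps):
        return False
    if prealm is not None and not fnmatch.fnmatchcase(realm or "", prealm):
        return False
    return all(fnmatch.fnmatchcase(c, p) for c, p in zip(comps, pcomps))


def check(acl: List[AclEntry], client: str, op: str,
          target: Optional[str] = None) -> bool:
    """True if the first matching entry grants privilege letter `op`.

    An entry matches when its client pattern matches and, if it has a
    target, the operation has a target that matches it. Entries with a
    target are skipped for target-less operations (assumption taken from
    Greg's description). No matching entry means denied."""
    for entry in acl:
        if not match_princ(entry.client, client):
            continue
        if entry.target is not None:
            if target is None or not match_princ(entry.target, target):
                continue
        return op in entry.granted
    return False


CLIENT = "saltstack/admin@KRBTEST.COM"  # constructed client principal

# The ordering Laura proposes: allow on nfs/*, deny on everything else.
PROPOSED_ACL = parse_acl("""
saltstack/admin admcil nfs/*
saltstack/admin ADMCIL *
""")

# The situation Greg describes: a deny entry with target "nfs/" at the top,
# followed by a later, broader entry (constructed here as */admin).
ORIGINAL_ACL = parse_acl("""
saltstack/admin ADMCIL nfs/
*/admin *
""")


def demo() -> dict:
    """Evaluate a few operations against both ACLs."""
    return {
        "proposed_create_nfs": check(PROPOSED_ACL, CLIENT, "c", "nfs/host1@KRBTEST.COM"),
        "proposed_create_admin": check(PROPOSED_ACL, CLIENT, "c", "host/admin@KRBTEST.COM"),
        "proposed_list": check(PROPOSED_ACL, CLIENT, "l"),
        "original_create_admin": check(ORIGINAL_ACL, CLIENT, "c", "host/admin@KRBTEST.COM"),
        "original_list": check(ORIGINAL_ACL, CLIENT, "l"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Under this model the proposed ordering grants create on nfs/* targets and denies it on host/admin, while the top-of-file "ADMCIL nfs/" entry never fires for host/admin, so the later */admin entry grants it. list_principals has no target, so under the proposed ACL no entry matches and it is denied by default; if that is wanted, a target-less entry granting only "l" would need to be added, and the real kadmind behaviour should be confirmed against the kadm5.acl documentation rather than this model.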


