kadmin ignoring target column ?

Laura Smith n5d9xq3ti233xiyif2vp at protonmail.ch
Mon Jan 13 14:12:17 EST 2020


Kenny,

Sounds like a cunning plan! Will go experiment.

Thanks

Laura

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, January 13, 2020 5:23 PM, Kenneth MacDonald <Kenneth.MacDonald at ed.ac.uk> wrote:

> Laura,
>
> If you can change the name of the principal Salt is using, then your
> authorisation rules would not require one to deny it any other
> permissions. The "admin" word isn't required to grant admin type
> permissions.
>
> For example if you changed it to "saltstack/salt.admin" you'd only
> require,
>
> saltstack/salt.admin admcil */nfs
>
> Cheers,
>
> Kenny.
>
> On Mon, 2020-01-13 at 16:54 +0000, Laura Smith wrote:
>
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > On Monday, January 13, 2020 4:19 PM, Greg Hudson ghudson at mit.edu
> > wrote:
> >
> > > On 1/13/20 3:44 AM, Laura Smith wrote:
> > >
> > > > Am aware of the list ordering requirement, and to that extent the
> > > > ACL entry in question was quite deliberately placed at the top.
> > >
> > > kadmind will continue on if the operation's target doesn't match the
> > > entry's target. So if you have a later entry for, say, "*/admin", then
> > > the line "saltstack/admin ADMCIL nfs/*" would serve to deny access to
> > > nfs/ principals (because of the uppercase permission bits), but would
> > > have no effect on other target principals, or on operations with no
> > > target like list_principals.
> > > The documentation could probably be clarified here; it talks about "the
> > > first matching entry", but doesn't say what has to match.
> >
> > Aah, so are we saying I should try something like :
> > saltstack/admin admcil nfs/*
> > saltstack/admin ADMCIL *
> > Basically my end goal is to allow saltstack/admin to do what it likes
> > (within reason) for nfs/* but keep it well away from anything more
> > "important" (such as */admin).
> >
> > > > admcil nfs/@KRBTEST.COM, are you saying I should not be putting
> > > > the wildcard asterisk after nfs/ ?
> > >
> > > The wildcard asterisk was there in the mail I sent out (I checked my
> > > outgoing mail), but was apparently mangled by a piece of email
> > > software.
> >
> > Yes, you're right. Have read your original and indeed asterisk is
> > there.
> >
> > Kerberos mailing list Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
> --
>
> The University of Edinburgh is a charitable body, registered in
> Scotland, with registration number SC005336.
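To make the matching rule Greg describes concrete, here is a small Python model of the kadm5.acl walk. It is an added illustration, not code from MIT krb5 or from anyone in this thread. It assumes KRBTEST.COM is the default realm, that a bare "*" in the client or target column means "no restriction", that the optional fourth (restrictions) column can be ignored, and that the privilege letters are the ones documented in kadm5.acl(5); the three ACL files embedded in it are constructed to mirror the thread (Laura's first attempt, her proposed fix, and Kenny's rename).

```python
"""Model of the kadm5.acl walk as described above (added example, not
MIT krb5 code). Entries are scanned in order; an entry is used only if
its client matches the caller and, when it names a target, the
operation has a target that matches it. The first such entry decides,
and upper-case letters in it deny. Assumptions: default realm
KRBTEST.COM, a bare "*" client/target means unrestricted, the 4th
(restrictions) column is ignored, letters as in kadm5.acl(5)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

DEFAULT_REALM = "KRBTEST.COM"            # assumption
Principal = Tuple[Tuple[str, ...], str]  # (name components, realm)
LETTERS = set("admcilspe")               # 'e' (extract) is not in 'x'/'*'
ALL_OPS = set("admcilsp")


def parse_principal(text: str) -> Principal:
    name, _, realm = text.partition("@")
    return tuple(name.split("/")), (realm or DEFAULT_REALM)


def match_principal(pattern: Principal, princ: Principal) -> bool:
    """'*' matches one whole component or the realm; component counts
    must agree, so nfs/* matches nfs/host1 but not nfs or nfs/a/b."""
    pcomps, prealm = pattern
    comps, realm = princ
    if len(pcomps) != len(comps) or prealm not in ("*", realm):
        return False
    return all(p in ("*", c) for p, c in zip(pcomps, comps))


def parse_ops(spec: str) -> Set[str]:
    """Left to right: lower case grants, upper case revokes, so 'ADMCIL'
    grants nothing while 'x' or '*' grants everything in ALL_OPS."""
    ops: Set[str] = set()
    for ch in spec:
        low = ch.lower()
        if low in ("x", "*"):
            mask = ALL_OPS
        elif low in LETTERS:
            mask = {low}
        else:
            raise ValueError(f"unknown privilege {ch!r} in {spec!r}")
        ops = ops - mask if ch.isupper() else ops | mask
    return ops


@dataclass
class Entry:
    client: Optional[Principal]   # None: any client
    ops: Set[str]
    target: Optional[Principal]   # None: entry has no target column


def parse_acl(text: str) -> List[Entry]:
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        client, perms = fields[0], fields[1]
        target = fields[2] if len(fields) > 2 else None
        entries.append(Entry(
            None if client == "*" else parse_principal(client),
            parse_ops(perms),
            None if target in (None, "*") else parse_principal(target)))
    return entries


def find_entry(acl: List[Entry], client: Principal,
               target: Optional[Principal]) -> Optional[Entry]:
    for e in acl:
        if e.client is not None and not match_principal(e.client, client):
            continue
        # A targeted entry is skipped when the target differs AND when the
        # operation has no target at all (list_principals, for instance).
        if e.target is not None and (
                target is None or not match_principal(e.target, target)):
            continue
        return e
    return None


def allowed(acl_text: str, client: str, op: str,
            target: Optional[str] = None) -> bool:
    entry = find_entry(parse_acl(acl_text), parse_principal(client),
                       parse_principal(target) if target else None)
    return entry is not None and op in entry.ops


# Constructed ACL files mirroring the thread.
ACL_FIRST_TRY = """
saltstack/admin ADMCIL nfs/*
*/admin *
"""
ACL_FIXED = """
saltstack/admin admcil nfs/*
saltstack/admin ADMCIL *
*/admin *
"""
ACL_RENAMED = """
saltstack/salt.admin admcil nfs/*
*/admin *
"""
```

Run against the three files, the model shows what the thread worked out: in the first attempt the deny line only ever matches nfs/ targets, so saltstack/admin is refused exactly the principals it was meant to manage and falls through to the "*/admin *" line for everything else (including list_principals); the fixed file and the renamed principal both confine it to nfs/*. One caveat the model also exposes: because list_principals carries no target, the "l" in a targeted line never applies, so if Salt needs to list principals that must be granted in an untargeted line placed before the catch-all deny.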