
Subject: kadm5.acl docs wrongly imply that list permission can have a target
In kadm5.acl, list permission is all or nothing. The only RPCs which use
it, get_princs and get_pols, do not pass a principal argument since their
only parameter is a pattern, not a principal name.

However, kadm5_acl.rst contains two example lines granting list
permissions to specific target principals, and the narrative explains them
as doing so. The examples should be changed and we should explicitly
state that only global list permission can be granted.

Alternatively, we could change the behavior, but that would be tricky
since we shouldn't treat the get_princs pattern as a principal. We would
have to check whether the kadmin client has list privileges for any
target principal, then check each matching principal against the ACL
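As an added illustration of the point made in the ticket (this is example code, not code from the krb5 project): a small Python lint that parses kadm5.acl entries and flags any line that grants list permission together with a target_principal, since the ticket states that list is all-or-nothing and the target field does not restrict it. The sample ACL is constructed; the line format assumed is `principal permissions [target_principal [restrictions]]`, with lowercase letters granting, uppercase letters denying, and `*` or `x` granting everything.

```python
"""Lint a kadm5.acl file for list permission scoped to a target_principal.

Constructed example, not part of krb5.  Assumed line format:
    principal  permissions  [target_principal  [restrictions]]
Lowercase letters grant, uppercase letters deny, '*' or 'x' grant all.
"""

# Constructed sample; not the project's shipped example file.
SAMPLE_ACL = """\
# constructed sample kadm5.acl
*/admin@EXAMPLE.COM     *
joeadmin@EXAMPLE.COM    ADMCIL
# list cannot be narrowed by a target_principal (see ticket)
joeadmin/*@EXAMPLE.COM  il   */root@EXAMPLE.COM
# list granted on its own unscoped line; inquire kept scoped
joeadmin/*@EXAMPLE.COM  l
joeadmin/*@EXAMPLE.COM  i    */root@EXAMPLE.COM
"""

# 'l' is list; 'x' and '*' grant every permission, list included.
LIST_GRANTING = set("lx*")


def parse_acl(text):
    """Yield (lineno, principal, perms, target, restrictions) per entry.

    Comments start with '#'; blank lines are skipped.  Restrictions may
    contain spaces, so the line is split into at most four fields.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 3)
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected principal and permissions")
        principal, perms = fields[0], fields[1]
        target = fields[2] if len(fields) > 2 else None
        restrictions = fields[3] if len(fields) > 3 else None
        yield lineno, principal, perms, target, restrictions


def scoped_list_grants(text):
    """Line numbers where a list-granting permission also has a target_principal.

    These lines read as if list were limited to the target, which the
    ticket says is not how kadmind evaluates list (get_princs/get_pols
    pass no principal argument).
    """
    return [
        lineno
        for lineno, _principal, perms, target, _r in parse_acl(text)
        if target is not None and LIST_GRANTING & set(perms)
    ]


def global_list_principals(text):
    """Principals granted list on unscoped lines, the only form that is meaningful."""
    return [
        principal
        for _n, principal, perms, target, _r in parse_acl(text)
        if target is None and LIST_GRANTING & set(perms)
    ]


if __name__ == "__main__":
    for n in scoped_list_grants(SAMPLE_ACL):
        print(f"line {n}: list permission with a target_principal; "
              "the target does not restrict list")
    print("list permission held (unscoped) by:", global_list_principals(SAMPLE_ACL))
```

Running the block prints the misleading line (line 5 of the sample) and lists the two unscoped principals that actually hold list permission; `global_list_principals` is what a reviewer of a real kadm5.acl would want to read, since that is the effective set regardless of any target field.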
From: kaduk@MIT.EDU
Subject: git commit

Update the kadm5.acl example

Make the example and documentation a closer match to reality.
In particular, the list permission is all-or-nothing; it is not
restricted in scope by the target_principal field. Change the
table entry to try and indicate this fact, and do not put list
permissions on any example line that is scoped by a target_principal.

While here, remove the nonsensical granting of global inquire
permissions to */* (inaccurately described as "all principals"),
and the granting of privileges to foreign-realm principals.
It is not possible to obtain an initial ticket (as required by
the kadmin service) for a principal in a different realm, and
the current kadmind implementation can serve only a single realm
at a time -- this permission literally has no effect. Replace
it with a (presumably automated) "Service Management System"
example, where it might make sense to limit the principals which
are automatically created.
Author: Ben Kaduk <>
Commit: 70b2ba4852913ceb2bdc9a57edd487da8230f813
Branch: master
doc/admin/conf_files/kadm5_acl.rst | 34 ++++++++++++++++++----------------
1 files changed, 18 insertions(+), 16 deletions(-)