Skip Menu |
 

History Show all quoted textShow full headers
# Mon Jun 09 16:07:46 2014 ghudson@mit.edu (Greg Hudson) - Ticket created
Subject: kadm5.acl docs wrong imply that list permission can have a target
Download (untitled) / with headers
text/plain 760B
In kadm5.acl, list permission is all or nothing. The only RPCs which use
it, get_princs and get_pols, do not pass a principal argument since their
only parameter is a pattern, not a principal name.

However, kadm5_acl.rst contains two example lines granting list
permissions to specific target principals, and narrativel explains them
as doing so. The examples should be changed and we should explicitly
state that only global list permission can be granted.

Alternatively, we could change the behavior, but that would be tricky
since we shouldn't treat the get_princs pattern as a principal. We would
have to check whether the kadmin client has list privileges for any
target principal, then check each matching principal against the ACL
target.
# Mon Jun 09 16:08:09 2014 ghudson@mit.edu (Greg Hudson) - Subject changed from 'kadm5.acl docs wrong imply that list permission can have a target' to 'kadm5.acl docs wrongly imply that list permission can have a target'
# Fri Jun 13 14:35:06 2014 kaduk@MIT.EDU (Benjamin Kaduk) - Given to kaduk@MIT.EDU (Benjamin Kaduk)
# Mon Jun 16 15:45:17 2014 kaduk@MIT.EDU (Benjamin Kaduk) - Status changed from 'open' to 'review'
# Mon Jun 16 15:45:17 2014 kaduk@MIT.EDU (Benjamin Kaduk) - Correspondence added
From: kaduk@MIT.EDU
Subject: git commit
Download (untitled) / with headers
text/plain 1.2KiB

Update the kadm5.acl example

Make the example and documentation a closer match to reality.
In particular, the list permission is all-or-nothing; it is not
restricted in scope by the target_principal field. Change the
table entry to try and indicate this fact, and do not put list
permissions on any example line that is scoped by a target_principal
pattern.

While here, remove the nonsensical granting of global inquire
permissions to */* (inaccurately described as "all principals"),
and the granting of privileges to foreign-realm principals.
It is not possible to obtain an initial ticket (as required by
the kadmin service) for a principal in a different realm, and
the current kadmind implementation can serve only a single realm
at a time -- this permission literally has no effect. Replace
it with a (presumably automated) "Service Management System"
example, where it might make sense to limit the principals which
are automatically created.

https://github.com/krb5/krb5/commit/70b2ba4852913ceb2bdc9a57edd487da8230f813
Author: Ben Kaduk <kaduk@mit.edu>
Commit: 70b2ba4852913ceb2bdc9a57edd487da8230f813
Branch: master
doc/admin/conf_files/kadm5_acl.rst | 34 ++++++++++++++++++----------------
1 files changed, 18 insertions(+), 16 deletions(-)
# Tue Aug 12 18:27:39 2014 tlyu (Taylor Yu) - Status changed from 'review' to 'resolved'
# Tue Aug 12 18:27:39 2014 tlyu (Taylor Yu) - Version_Fixed 1.13 added