[30006] in CVS-changelog-for-Kerberos-V5
krb5 commit [krb5-1.15]: Clarify "all privileges" in kadm5.acl docs
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Jul 17 23:04:17 2017
Date: Mon, 17 Jul 2017 22:59:41 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201707180259.v6I2xfuf032553@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/497c5fd80d3c4b7ef330144e0999715e897bae8b
commit 497c5fd80d3c4b7ef330144e0999715e897bae8b
Author: Greg Hudson <ghudson@mit.edu>
Date: Wed Jun 28 18:06:29 2017 -0400
Clarify "all privileges" in kadm5.acl docs
In the kadm5.acl example, be more careful about saying "all
privileges", as the recently added extract privilege is not covered by
"*" or "x".
(cherry picked from commit 72a4b0af1a6cd07eee178cf3ff1df0e0857f5312)
ticket: 8594
version_fixed: 1.15.2
doc/admin/conf_files/kadm5_acl.rst | 27 ++++++++++++++-------------
1 files changed, 14 insertions(+), 13 deletions(-)
diff --git a/doc/admin/conf_files/kadm5_acl.rst b/doc/admin/conf_files/kadm5_acl.rst
index d23fb8a..138a2d7 100644
--- a/doc/admin/conf_files/kadm5_acl.rst
+++ b/doc/admin/conf_files/kadm5_acl.rst
@@ -116,16 +116,17 @@ Here is an example of a kadm5.acl file::
*/root@ATHENA.MIT.EDU l * # line 5
sms@ATHENA.MIT.EDU x * -maxlife 9h -postdateable # line 6
-(line 1) Any principal in the ``ATHENA.MIT.EDU`` realm with
-an ``admin`` instance has all administrative privileges.
-
-(lines 1-3) The user ``joeadmin`` has all permissions with his
-``admin`` instance, ``joeadmin/admin@ATHENA.MIT.EDU`` (matches line
-1). He has no permissions at all with his null instance,
-``joeadmin@ATHENA.MIT.EDU`` (matches line 2). His ``root`` and other
-non-``admin``, non-null instances (e.g., ``extra`` or ``dbadmin``) have
-inquire permissions with any principal that has the instance ``root``
-(matches line 3).
+(line 1) Any principal in the ``ATHENA.MIT.EDU`` realm with an
+``admin`` instance has all administrative privileges except extracting
+keys.
+
+(lines 1-3) The user ``joeadmin`` has all permissions except
+extracting keys with his ``admin`` instance,
+``joeadmin/admin@ATHENA.MIT.EDU`` (matches line 1). He has no
+permissions at all with his null instance, ``joeadmin@ATHENA.MIT.EDU``
+(matches line 2). His ``root`` and other non-``admin``, non-null
+instances (e.g., ``extra`` or ``dbadmin``) have inquire permissions
+with any principal that has the instance ``root`` (matches line 3).
(line 4) Any ``root`` principal in ``ATHENA.MIT.EDU`` can inquire
or change the password of their null instance, but not any other
@@ -139,9 +140,9 @@ permission can only be granted globally, not to specific target
principals.
(line 6) Finally, the Service Management System principal
-``sms@ATHENA.MIT.EDU`` has all permissions, but any principal that it
-creates or modifies will not be able to get postdateable tickets or
-tickets with a life of longer than 9 hours.
+``sms@ATHENA.MIT.EDU`` has all permissions except extracting keys, but
+any principal that it creates or modifies will not be able to get
+postdateable tickets or tickets with a life of longer than 9 hours.
SEE ALSO
--------
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
