Re: more complex kadm5.acl
daemon@ATHENA.MIT.EDU (Greg Hudson)
Sun Jul 23 22:41:21 2017
To: Michael Ströder <michael@stroeder.com>, kerberos@mit.edu
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <0c60c9dc-8bbc-5231-7543-6722e8968e70@mit.edu>
Date: Sun, 23 Jul 2017 22:40:47 -0400
MIME-Version: 1.0
In-Reply-To: <3b374dfc-b28e-eff4-9e4a-9966af0e1566@stroeder.com>
Content-Type: text/plain; charset="windows-1252"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
On 07/22/2017 12:55 PM, Michael Ströder wrote:
> Are there more complex kadm5.acl examples out there leveraging more complex naming
> schemes for principal instances and realms? Or even more detailed presentations/docs?
You could look at the ACL file written by the automated test script:
https://github.com/krb5/krb5/blob/master/src/tests/t_kadmin_acl.py#L48
The source code for parsing the ACL file also isn't large. We recently
refactored it without changing its behavior much, so you can look at the
old or new versions:
https://github.com/krb5/krb5/blob/krb5-1.15/src/lib/kadm5/srv/server_acl.c
https://github.com/krb5/krb5/blob/master/src/kadmin/server/auth_acl.c
We are also working on a pluggable interface for kadmin authorization,
targeted for 1.16:
https://k5wiki.kerberos.org/wiki/Projects/kadmin_access_interface
https://github.com/krb5/krb5/pull/675
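As an added illustration (not part of Greg Hudson's reply and not krb5's own parser), the Python below models how a kadm5.acl with wildcard instances and back-references can be evaluated: first matching line wins, `*` and `?` match within a single principal component, and `*1`..`*9` in the target field are replaced by the matched client's components. The ACL text, principal names and the back-reference handling are this example's own simplified reading of the documented format.

```python
import re
# Constructed kadm5.acl text (not from the thread). Fields: principal,
# permissions, optional target. Wildcards are per component; "*N" in the
# target is this example's reading of back-references, not krb5's code.
SAMPLE_ACL = """
# realm administrators may do anything
*/admin@EXAMPLE.COM        *
# site host admins may only change keys of hosts under their own site domain
*/hostadmin@EXAMPLE.COM    c    host/*.*1.example.com@EXAMPLE.COM
*/helpdesk@EXAMPLE.COM     ci   *@EXAMPLE.COM
"""

def split_principal(name):
    """'a/b@R' -> (['a', 'b'], 'R'); a missing realm becomes ''."""
    primary, _, realm = name.partition("@")
    return primary.split("/"), realm

def component_regex(pattern, backrefs):
    """Regex for one ACL component; backrefs enables *N substitution."""
    out, i = "", 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*" and backrefs is not None and pattern[i + 1:i + 2].isdigit():
            idx = int(pattern[i + 1]) - 1
            out += re.escape(backrefs[idx]) if 0 <= idx < len(backrefs) else "(?!)"
            i += 2
        else:
            out += ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
            i += 1
    return out

def match_principal(pattern, name, backrefs=None):
    pcomps, prealm = split_principal(pattern)
    ncomps, nrealm = split_principal(name)
    if len(pcomps) != len(ncomps):
        return False  # wildcards never span a "/" boundary
    pairs = zip(pcomps + [prealm], ncomps + [nrealm])
    return all(re.fullmatch(component_regex(p, backrefs), n) for p, n in pairs)

def acl_check(acl_text, client, op, target=None):
    """First line whose principal (and target, if given) matches decides."""
    for line in acl_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        princ, perms, tgt = fields[0], fields[1], (fields[2:] or [None])[0]
        if not match_principal(princ, client):
            continue
        if tgt and (target is None or
                    not match_principal(tgt, target, split_principal(client)[0])):
            continue
        return "*" in perms or "x" in perms or op in perms
    return False
```

Running `acl_check` over a proposed ACL with the principals an admin actually holds is a cheap way to confirm that, for example, a site host admin cannot change keys for another site's hosts before the file goes live.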
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos