[2316] in Kerberos_V5_Development
request comments on new ACL file format
daemon@ATHENA.MIT.EDU (Tom Yu)
Mon Mar 24 17:09:25 1997
Date: Mon, 24 Mar 1997 17:03:07 -0500
To: krbdev@MIT.EDU
From: Tom Yu <tlyu@MIT.EDU>
This new format should allow for useful things such as the concept of
groups. It also includes two different types of globs, so that it is
possible to distinguish between matching one principal component from
matching zero or more principal components. Please comment upon it,
in particular whether or not groups should be allowed to be recursive.
---Tom
FORMAT:
The ACL file will be a printable-ASCII file, consisting of
lines containing three whitespace-separated fields. Each line
consists of one user name, a set of flags, and a
comma-separated list of target names. Lines consisting only
of whitespace, as well as blank lines, will be ignored. Lines
may be continued with a backslash at the end of a line; any
leading whitespace on the following line will be stripped.
Principal names must follow the format used by
krb5_parse_name(), with additional special characters as
listed below.
SPECIAL CHARACTERS:
The "*" character matches zero or more characters. It does
not extend beyond one principal component, i.e. "foo/*" will
match "foo/bar" but not "foo/bar/baz".
The "%" character matches zero or more principal components,
i.e. "foo/%" will match "foo", "foo/bar", and "foo/bar/baz".
For this special case, the "/" character is not a principal
component separator, as used in krb5_parse_name(), but instead
serves to mark the end of the first component. A principal
name consisting of only the "%" character matches all
principals.
The "<" character precedes the name of a user group.
The ">" character precedes the name of a target group.
The "!" character indicates negation when it precedes a target
name. It indicates that the target name that it precedes is a
disallowed target when used in a privilege specification. The
"!" character may appear in the declaration of a target group.
The "," character separates principals in a target list, and
is optionally followed by whitespace.
The "\" character is used to quote any special characters,
including itself.
SPECIAL GROUPS:
The user group "<default" is a wildcard specifying all
principals. This allows the specification of a default set of
privileges.
The target group ">self" indicates the user principal
authenticating to the database. This allows the specification
of operations that principals may perform on themselves.
SEMANTICS:
There are two types of entries, a group declaration and a
privilege declaration.
A group declaration has only the ":" character in its flags
field. Its list of target names specifies the members of the
list, and the "user" name of the declaration must begin with
either a "<" or a ">" character, indicating whether it is a
user or target group, respectively.
A privilege declaration has one of the letters "ICLADME" in
its flags field. The name field may contain a user group
name, but may not contain more than one name. The targets
field contains the list of principals or groups that may be
operated upon. The special target group ">self" indicates the
current principal. The special user group "<default" is a
wildcard specifying all principals.
If a user group or principal name appears in more than one
privilege declaration, the privileges accumulate.
Negative privileges have precedence over positive privileges,
and more specific privileges match before less specific ones.
It is not yet clear whether group declarations should be
permitted to be recursive.
FLAG DEFINITIONS:
I = get Info on principal
C = Change key, optionally immediately extract key
L = List principals
A = Add new principal
D = Delete principal
M = Modify principal
E = Extract current key
* = all permissions
: = group declaration
EXAMPLE ACL FILE:
#user flags targets
############### ####### ######################################
# Creates a target group "ophosts", which is all host principals with
# hostnames ending in ".mit.edu", except for host/kerberos.mit.edu
# (for obvious reasons).
>ophosts : host/*.mit.edu, !host/kerberos.mit.edu
# Creates a user group "opstaff".
<opstaff : dkk/root, jweiss/root #, ...etc.
# Allows the user group "opstaff" to change the keys of and create
# principals in the "ophosts" group, in addition to doing lookups on
# them.
<opstaff CIA >ophosts
# Declare a user group "kadms", who are all principals with "admin" in
# their second component.
<kadms : */admin
# Allow the user group "kadms" all privileges.
<kadms * %
# The user group "accounts" may operate on principals with one
# component.
<accounts : */acctadm
<accounts CIADM %, !*/*/%
# Disallow "testuser" from changing its own password.
testuser C !testuser
# By default, allow users to change their own passwords and get info
# on themselves.
<default IC >self
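To make the glob and group semantics above concrete, here is an added parser and permission checker for the proposed format, run against the example file. This is example code written for this page, not code from the krb5 project. It assumes principal names are written without an "@REALM" suffix, that "#" begins a comment (as the example file does), that nested groups are resolved with a cycle guard (the post leaves recursion open), and that a matching negated target denies regardless of where its entry sits, which is one reading of "negative privileges have precedence over positive privileges".

```python
"""Parser and checker for the ACL file format proposed in this message
(added example, not krb5 project code).  Assumed: principal names carry
no "@REALM" suffix, "#" starts a comment as in the example file, nested
groups are resolved with a cycle guard, and a matching negated target
denies wherever its entry sits (negative beats positive)."""
import re
from collections import namedtuple

# user: principal glob or "<group"; flags: "ICLADME" letters or "*"; targets: [(negated, pattern)]
Entry = namedtuple("Entry", "user flags targets")
FLAGS = set("ICLADME")

def parse_acl(text):
    """Return (groups, privileges); groups maps '<name' or '>name' to its member list."""
    lines, pending = [], ""
    for raw in text.splitlines():
        raw = pending + raw.lstrip()                    # join a continued line
        if raw.endswith("\\") and not raw.endswith("\\\\"):
            pending = raw[:-1]                          # trailing "\" continues the line
        else:
            lines.append(raw); pending = ""
    if pending:
        lines.append(pending)
    groups, privs = {}, []
    for line in lines:
        line = re.split(r"(?<!\\)#", line, maxsplit=1)[0].strip()   # drop unescaped comment
        if not line:                                    # blank lines are ignored
            continue
        name, flags, rest = line.split(None, 2)         # three whitespace-separated fields
        targets = [(t[:1] == "!", t[1:] if t[:1] == "!" else t)     # "!" negates a target
                   for t in (s.strip() for s in re.split(r"(?<!\\),", rest))]
        if flags == ":":                                # group declaration
            if name[:1] not in ("<", ">"):
                raise ValueError("group name must start with < or >: " + name)
            groups[name] = targets
        elif flags == "*" or (flags and set(flags) <= FLAGS):
            privs.append(Entry(name, flags, targets))
        else:
            raise ValueError("bad flags field: " + flags)
    return groups, privs

def _glob_re(pattern):
    """'*' spans characters inside one component, '%' spans whole components."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):          # "\x" quotes x
            out.append(re.escape(pattern[i + 1])); i += 2; continue
        if c == "/" and pattern[i + 1:i + 2] == "%":    # "foo/%" also matches plain "foo"
            out.append("(?:/.*)?"); i += 2; continue
        out.append({"%": ".*", "*": "[^/]*"}.get(c, re.escape(c))); i += 1
    return re.compile("^" + "".join(out) + "$")

def _match(pattern, name, groups, user, seen=()):
    """Does a glob, '<group', '>group' or '>self' pattern match principal name?"""
    if pattern == ">self":
        return name == user
    if pattern == "<default":
        return True
    if pattern[:1] in ("<", ">"):
        if pattern in seen:
            raise ValueError("group cycle: " + pattern)  # recursion is left open in the post
        hit = False
        for neg, member in groups[pattern]:
            if _match(member, name, groups, user, seen + (pattern,)):
                if neg:                                 # "!" inside a group excludes the name
                    return False
                hit = True
        return hit
    return _glob_re(pattern).match(name) is not None

def check(acl, user, flag, target):
    """May `user` perform privilege `flag` on `target`?  Grants accumulate across
    entries; any matching negated target denies outright."""
    groups, privs = acl
    allowed = False
    for e in privs:
        if (e.flags == "*" or flag in e.flags) and _match(e.user, user, groups, user):
            for neg, pat in e.targets:
                if _match(pat, target, groups, user):
                    if neg:
                        return False
                    allowed = True
    return allowed

# The example file from the message, comments trimmed.
EXAMPLE_ACL = """\
>ophosts : host/*.mit.edu, !host/kerberos.mit.edu
<opstaff : dkk/root, jweiss/root #, ...etc.
<opstaff CIA >ophosts
<kadms : */admin
<kadms * %
<accounts : */acctadm
<accounts CIADM %, !*/*/%
testuser C !testuser
<default IC >self
"""
ACL = parse_acl(EXAMPLE_ACL)
```

With this reading, `check(ACL, "dkk/root", "C", "host/kerberos.mit.edu")` is refused because the "!" member removes that host from the ">ophosts" group, `check(ACL, "bob/acctadm", "A", "newuser/admin")` is refused because "!*/*/%" covers every principal with two or more components (so only one-component principals remain, as the comment in the example says), and `check(ACL, "testuser", "C", "testuser")` is refused even though "<default IC >self" would otherwise grant it.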