[2321] in Kerberos_V5_Development
Re: request comments on new ACL file format
daemon@ATHENA.MIT.EDU (Ken Hornstein)
Tue Mar 25 13:37:12 1997
To: Tom Yu <tlyu@MIT.EDU>
Cc: krbdev@MIT.EDU
In-Reply-To: Your message of "Tue, 25 Mar 1997 03:20:05 EST." <9703250820.AA27555@tesla-coil.MIT.EDU>
Date: Tue, 25 Mar 1997 13:35:00 -0500
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
> What do people think? Are many sites likely to have a set of admin
> requirements that are sufficiently convoluted that not distinguishing
> between target groups and user groups is reasonable?

One convoluted-but-potentially-useful example could be (for sites that
are migrating to Kerberos):

    group :hosts = host/*
    group :users = *
    group :admin = */admin
    acl :admin MELACID = :hosts
    acl :hosts A :users

(I think I read your grammar correctly, but I hope everyone gets the idea).

You could then have "login" (using the host key) create users in Kerberos
the first time they logged in with their password. I know this is hokey ...
but there was one site that actually _did_ this. I think I can think of
some other uses using "hosts" as both a target and a user.

> Also, what do people think of this new quasi-BNF grammar for the acl
> file format? Are commas really necessary as separators in a target
> list? IMHO the fewer special characters in the file format, the
> better.

Looks pretty good to me.

--Ken
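To make the "hosts as both a target and a user" point concrete, here is an added evaluator for the five-line example above. It is not part of the thread or of the MIT code; the syntax it accepts ("group :name = pattern", "acl :group PERMS [=] :target", shell-style wildcards matched case-sensitively, realm ignored) is assumed from Ken's sample, and the permission letters are treated as opaque characters rather than given kadmin meanings.

```python
import fnmatch

# Constructed sample in the proposed ACL format quoted above. Syntax assumed
# from the message: "group :name = pattern" names a set of principals;
# "acl :group PERMS [= ]:target" grants the letters in PERMS to members of
# :group over principals in :target (the sample writes the target with and
# without an "=", so both spellings are accepted).
SAMPLE_ACL = """\
group :hosts = host/*
group :users = *
group :admin = */admin
acl :admin MELACID = :hosts
acl :hosts A :users
"""


def parse_acl(text):
    """Return ({group: [patterns]}, [(group, perms, target)]) for the text."""
    groups, acls = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # assumed: '#' starts a comment
        if not line:
            continue
        kind, *rest = line.split()
        if kind == "group" and len(rest) >= 3 and rest[1] == "=":
            groups.setdefault(rest[0], []).extend(rest[2:])
        elif kind == "acl" and (len(rest) == 3 or
                                (len(rest) == 4 and rest[2] == "=")):
            acls.append((rest[0], rest[1], rest[-1]))
        else:
            raise ValueError(f"line {lineno}: unrecognised entry: {raw!r}")
    return groups, acls


def is_member(principal, group, groups):
    """Case-sensitive wildcard match on the name part (realm stripped)."""
    name = principal.split("@", 1)[0]
    return any(fnmatch.fnmatchcase(name, p) for p in groups.get(group, []))


def allowed(principal, perm, target, groups, acls):
    """True if some acl entry grants `perm` to `principal` over `target`.
    A group name that was never defined matches nobody, so a typo in an
    acl line denies rather than grants."""
    return any(perm in perms
               and is_member(principal, who, groups)
               and is_member(target, over, groups)
               for who, perms, over in acls)


def check(principal, perm, target, text=SAMPLE_ACL):
    groups, acls = parse_acl(text)
    return allowed(principal, perm, target, groups, acls)
```

With the sample, a host principal may only add ("A") user principals, while an admin instance may do anything listed but only to host principals.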