Diffstat (limited to 'doc/html/admin/conf_files/kadm5_acl.html')
| -rw-r--r-- | doc/html/admin/conf_files/kadm5_acl.html | 41 |
1 files changed, 27 insertions, 14 deletions
diff --git a/doc/html/admin/conf_files/kadm5_acl.html b/doc/html/admin/conf_files/kadm5_acl.html index 640fc7bc1c9c..05eab8bbae62 100644 --- a/doc/html/admin/conf_files/kadm5_acl.html +++ b/doc/html/admin/conf_files/kadm5_acl.html @@ -15,7 +15,7 @@ <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../', - VERSION: '1.15.1', + VERSION: '1.16', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', HAS_SOURCE: true 
@@ -203,15 +203,16 @@ joeadmin/*@ATHENA.MIT.EDU i */root@ATHENA.MIT.EDU # line 3 sms@ATHENA.MIT.EDU x * -maxlife 9h -postdateable # line 6 </pre></div> </div> -<p>(line 1) Any principal in the <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> realm with -an <tt class="docutils literal"><span class="pre">admin</span></tt> instance has all administrative privileges.</p> -<p>(lines 1-3) The user <tt class="docutils literal"><span class="pre">joeadmin</span></tt> has all permissions with his -<tt class="docutils literal"><span class="pre">admin</span></tt> instance, <tt class="docutils literal"><span class="pre">joeadmin/admin@ATHENA.MIT.EDU</span></tt> (matches line -1). He has no permissions at all with his null instance, -<tt class="docutils literal"><span class="pre">joeadmin@ATHENA.MIT.EDU</span></tt> (matches line 2). His <tt class="docutils literal"><span class="pre">root</span></tt> and other -non-<tt class="docutils literal"><span class="pre">admin</span></tt>, non-null instances (e.g., <tt class="docutils literal"><span class="pre">extra</span></tt> or <tt class="docutils literal"><span class="pre">dbadmin</span></tt>) have -inquire permissions with any principal that has the instance <tt class="docutils literal"><span class="pre">root</span></tt> -(matches line 3).</p> +<p>(line 1) Any principal in the <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> realm with an +<tt class="docutils literal"><span class="pre">admin</span></tt> instance has all administrative privileges except extracting +keys.</p> +<p>(lines 1-3) The user <tt class="docutils literal"><span class="pre">joeadmin</span></tt> has all permissions except +extracting keys with his <tt class="docutils literal"><span class="pre">admin</span></tt> instance, +<tt class="docutils literal"><span class="pre">joeadmin/admin@ATHENA.MIT.EDU</span></tt> (matches line 1). 
He has no +permissions at all with his null instance, <tt class="docutils literal"><span class="pre">joeadmin@ATHENA.MIT.EDU</span></tt> +(matches line 2). His <tt class="docutils literal"><span class="pre">root</span></tt> and other non-<tt class="docutils literal"><span class="pre">admin</span></tt>, non-null +instances (e.g., <tt class="docutils literal"><span class="pre">extra</span></tt> or <tt class="docutils literal"><span class="pre">dbadmin</span></tt>) have inquire permissions +with any principal that has the instance <tt class="docutils literal"><span class="pre">root</span></tt> (matches line 3).</p> <p>(line 4) Any <tt class="docutils literal"><span class="pre">root</span></tt> principal in <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> can inquire or change the password of their null instance, but not any other null instance. (Here, <tt class="docutils literal"><span class="pre">*1</span></tt> denotes a back-reference to the 
@@ -222,9 +223,20 @@ in the database. This line is separate from line 4, because list permission can only be granted globally, not to specific target principals.</p> <p>(line 6) Finally, the Service Management System principal -<tt class="docutils literal"><span class="pre">sms@ATHENA.MIT.EDU</span></tt> has all permissions, but any principal that it -creates or modifies will not be able to get postdateable tickets or -tickets with a life of longer than 9 hours.</p> +<tt class="docutils literal"><span class="pre">sms@ATHENA.MIT.EDU</span></tt> has all permissions except extracting keys, but +any principal that it creates or modifies will not be able to get +postdateable tickets or tickets with a life of longer than 9 hours.</p> +</div> +<div class="section" id="module-behavior"> +<h2>MODULE BEHAVIOR<a class="headerlink" href="#module-behavior" title="Permalink to this headline">¶</a></h2> +<p>The ACL file can coexist with other authorization modules in release +1.16 and later, as configured in the <a class="reference internal" href="krb5_conf.html#kadm5-auth"><em>kadm5_auth interface</em></a> section of +<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>. The ACL file will positively authorize +operations according to the rules above, but will never +authoritatively deny an operation, so other modules can authorize +operations in addition to those authorized by the ACL file.</p> +<p>To operate without an ACL file, set the <em>acl_file</em> variable in +<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> to the empty string with <tt class="docutils literal"><span class="pre">acl_file</span> <span class="pre">=</span> <span class="pre">""</span></tt>.</p> </div> <div class="section" id="see-also"> <h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2> 
@@ -244,6 +256,7 @@ tickets with a life of longer than 9 hours.</p> <li><a class="reference internal" href="#description">DESCRIPTION</a></li> <li><a class="reference internal" href="#syntax">SYNTAX</a></li> <li><a class="reference internal" href="#example">EXAMPLE</a></li> +<li><a class="reference internal" href="#module-behavior">MODULE BEHAVIOR</a></li> <li><a class="reference internal" href="#see-also">SEE ALSO</a></li> </ul> </li> @@ -309,7 +322,7 @@ tickets with a life of longer than 9 hours.</p> <div class="footer-wrapper"> <div class="footer" > - <div class="right" ><i>Release: 1.15.1</i><br /> + <div class="right" ><i>Release: 1.16</i><br /> © <a href="../../copyright.html">Copyright</a> 1985-2017, MIT. </div> <div class="left"> |
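Review bot: the second hunk (the `@@ -203,15 +203,16 @@` region) changes the EXAMPLE commentary so that `*` on line 1 and `x` on line 6 now read "all permissions except extracting keys", but nothing in this diff touches the SYNTAX section that defines what `*` and `x` expand to; the diffstat shows only this one file and only these two regions changed. Please confirm the permission table in SYNTAX states the same exclusion (that `*`/`x` no longer imply `e`), otherwise the example text contradicts the definition it is illustrating. It would also help to say in the example which line, if any, an administrator should add when key extraction is genuinely required, so readers do not assume `*` still covers it.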
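Review bot: in the new MODULE BEHAVIOR section (the `@@ -222,9 +223,20 @@` region) the sentence "will never authoritatively deny an operation, so other modules can authorize operations in addition to those authorized by the ACL file" states the permissive direction but leaves the security consequence implicit; suggest adding one sentence making it explicit that removing or narrowing an entry in the ACL file does not revoke access that another configured kadm5_auth module grants, since that is the case an operator auditing `kadm5.acl` will get wrong. The final paragraph documents `acl_file = ""` for running without an ACL file but not what happens when the variable is left at its default and no file exists there (error at kadmind startup, or simply no ACL-based authorization); stating that would round out the section.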
