| Field | Value | Date |
|---|---|---|
| author | Zhanna Tsitkov <tsitkova@mit.edu> | 2012-08-03 10:45:00 -0400 |
| committer | Zhanna Tsitkov <tsitkova@mit.edu> | 2012-08-03 11:00:41 -0400 |
| commit | 3486a34645509d426a4c10c3f17a5e89e7de5cfd | |
| tree | 4909a5ff1cfa4b595de610dd1b90566871b5a9dd /doc/rst_source | |
| parent | 66d8bb6d684f203d008409752c90355964443e3e | |
New documentation for kadm5.acl
Diffstat (limited to 'doc/rst_source')

| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | doc/rst_source/krb_admins/conf_files/index.rst | 7 |
| -rw-r--r-- | doc/rst_source/krb_admins/conf_files/kadm5_acl.rst | 135 |

2 files changed, 139 insertions, 3 deletions
diff --git a/doc/rst_source/krb_admins/conf_files/index.rst b/doc/rst_source/krb_admins/conf_files/index.rst index d17564fb59..078a173049 100644 --- a/doc/rst_source/krb_admins/conf_files/index.rst +++ b/doc/rst_source/krb_admins/conf_files/index.rst @@ -2,7 +2,8 @@ Configuration Files =================== .. toctree:: - :maxdepth: 2 + :maxdepth: 1 - krb5_conf.rst - kdc_conf.rst + krb5_conf + kdc_conf + kadm5_acl diff --git a/doc/rst_source/krb_admins/conf_files/kadm5_acl.rst b/doc/rst_source/krb_admins/conf_files/kadm5_acl.rst new file mode 100644 index 0000000000..d34971c70b --- /dev/null +++ b/doc/rst_source/krb_admins/conf_files/kadm5_acl.rst 
@@ -0,0 +1,135 @@ +.. _kadm5.acl(5): + +kadm5.acl +========= + +DESCRIPTION +----------- + +The Kerberos :ref:`kadmind(8)` daemon uses an Access Control List +(ACL) file to manage access rights to the Kerberos database. +For operations that affect principals, the ACL file also controls +which principals can operate on which other principals. + +The default location of the Kerberos ACL file is +|kdcdir|\ ``/kadm5.acl`` unless this is overridden by the *acl_file* +variable in :ref:`kdc.conf(5)`. + +SYNTAX +------ + +Empty lines and lines starting with the sharp sign (``#``) are +ignored. Lines containing ACL entries have the format: + + :: + + principal permissions [target_principal] [restrictions] + +Line order in the ACL file is important. The first matching entry +will control access for an actor principal on a target principal. + +*principal* + (Partially or fully qualified Kerberos principal name.) Specifies + the principal whose permissions are to be set. + + Each component of the name may be wildcarded using the ``*`` + character. + +*permissions* + Specifies what operations may or may not be performed by a + *principal* matching a particular entry. This is a string of one or + more of the following list of characters or their upper-case + counterparts. If the character is *upper-case*, then the operation + is disallowed. If the character is *lower-case*, then the operation + is permitted. + + == ====================================================== + a [Dis]allows the addition of principals or policies + c [Dis]allows the changing of passwords for principals + d [Dis]allows the deletion of principals or policies + i [Dis]allows inquiries about principals or policies + l [Dis]allows the listing of principals or policies + m [Dis]allows the modification of principals or policies + p [Dis]allows the propagation of the principal database (used in :ref:`incr_db_prop`) + s [Dis]allows the explicit setting of the key for a principal + x Short for admcil. 
All privileges + \* Same as x. + == ====================================================== + + +*target_principal* + (Optional. Partially or fully qualified Kerberos principal name.) + Specifies the principal on which *permissions* may be applied. + Each component of the name may be wildcarded using the ``*`` + character. + + *target_principal* can also include back-references to *principal*, + in which ``*number`` matches the component number in *principal*. + +*restrictions* + (Optional) A string of flags. Allowed restrictions are: + + {+\|-}\ *flagname* + flag is forced to indicated value. The permissible flags + are the same as the + and - flags for the kadmin + :ref:`add_principal` and :ref:`modify_principal` commands. + + *-clearpolicy* + policy is forced to clear. + + *-policy pol* + policy is forced to be *pol*. + + -{*expire, pwexpire, maxlife, maxrenewlife*} *time* + (:ref:`getdate` string) associated value will be forced to + MIN(*time*, requested value). + + The above flags act as restrictions on any add or modify operation + which is allowed due to that ACL line. + +.. warning:: + If the kadmind ACL file is modified, the kadmind daemon needs to be + restarted for changes to take effect. + +EXAMPLE +------- + +Here is an example of a kadm5.acl file. + + :: + + */admin@ATHENA.MIT.EDU * # line 1 + joeadmin@ATHENA.MIT.EDU ADMCIL # line 2 + joeadmin/*@ATHENA.MIT.EDU il */root@ATHENA.MIT.EDU # line 3 + *@ATHENA.MIT.EDU cil *1/admin@ATHENA.MIT.EDU # line 4 + */*@ATHENA.MIT.EDU i # line 5 + */admin@EXAMPLE.COM * -maxlife 9h -postdateable # line 6 + +(line 1) Any principal in the ``ATHENA.MIT.EDU`` realm with +an ``admin`` instance has all administrative privileges. + +(lines 2-3) The user ``joeadmin`` has all permissions with his +``admin`` instance, ``joeadmin/admin@ATHENA.MIT.EDU`` (matches line +2). He has no permissions at all with his null instance, +``joeadmin@ATHENA.MIT.EDU`` (matches line 3). 
His root instance has +inquire and list permissions with any other principal that has the +instance root. + +(line 4) Any principal in ``ATHENA.MIT.EDU`` can inquire, list, +or change the password of their ``admin`` instance, but not any other +admin instance. (Here, "\*1" denotes a back-reference to the first +component of the actor principal.) + +(line 5) Any principal in the realm ``ATHENA.MIT.EDU`` (except for +``joeadmin@ATHENA.MIT.EDU``, as mentioned above) has inquire +privileges. + +(line 6) Finally, any principal with an ``admin`` instance in ``EXAMPLE.COM`` +has all permissions, but any principal that they create or modify will +not be able to get postdateable tickets or tickets with a life of +longer than 9 hours. + +SEE ALSO +-------- + +:ref:`kdc.conf(5)`, :ref:`kadmind(8)` |
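Review bot: the `:maxdepth: 2` to `:maxdepth: 1` change in the index.rst hunk is unrelated to adding the kadm5.acl page and is not mentioned in the commit message ("New documentation for kadm5.acl"); with depth 1 the per-page section headings (DESCRIPTION, SYNTAX, EXAMPLE, SEE ALSO) no longer appear under the Configuration Files toctree. Either keep depth 2 so the new page's sections stay navigable, or say in the commit message why the TOC is being flattened. Dropping the `.rst` suffix from the entries (`krb5_conf`, `kdc_conf`, `kadm5_acl`) is the correct Sphinx form and is fine.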
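Review bot: the line references in the EXAMPLE explanation of kadm5_acl.rst are off by one, which matters because the SYNTAX section states that the first matching entry controls access. `joeadmin/admin@ATHENA.MIT.EDU` is matched by line 1 (`*/admin@ATHENA.MIT.EDU *`), not line 2; the null instance `joeadmin@ATHENA.MIT.EDU` is matched by line 2 (`joeadmin@ATHENA.MIT.EDU ADMCIL`), not line 3; and it is the root instance that matches line 3 (`joeadmin/*@ATHENA.MIT.EDU il */root@ATHENA.MIT.EDU`). Change "(matches line 2)" to "(matches line 1)", "(matches line 3)" to "(matches line 2)", and add "(matches line 3)" after the root-instance sentence. Separately, the permissions table describes `x` as "Short for admcil" and also as "All privileges", but the same table lists `p` (propagation) and `s` (explicit key setting) as distinct permissions, so `admcil` is not all privileges; state whether `x` and `*` include `p` and `s`, since an admin granting `*` on line 1 of the example needs to know exactly which operations that covers, and the uppercase `ADMCIL` on line 2 denies only those six letters as written.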