author | Greg Hudson <ghudson@mit.edu> | 2017-06-28 18:06:29 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2017-07-17 20:00:34 -0400 |
commit | 497c5fd80d3c4b7ef330144e0999715e897bae8b (patch) | |
tree | 1c54b87506e48b7b26508a31d26e634850fc3e25 | |
parent | e401a4bdbdcbec192f33ab288e99b5068f907081 (diff) | |
download | krb5-497c5fd80d3c4b7ef330144e0999715e897bae8b.zip krb5-497c5fd80d3c4b7ef330144e0999715e897bae8b.tar.gz krb5-497c5fd80d3c4b7ef330144e0999715e897bae8b.tar.bz2 |
Clarify "all privileges" in kadm5.acl docs
In the kadm5.acl example, be more careful about saying "all
privileges", as the recently added extract privilege is not covered by
"*" or "x".
(cherry picked from commit 72a4b0af1a6cd07eee178cf3ff1df0e0857f5312)
ticket: 8594
version_fixed: 1.15.2
-rw-r--r-- | doc/admin/conf_files/kadm5_acl.rst | 27 |
1 files changed, 14 insertions, 13 deletions
diff --git a/doc/admin/conf_files/kadm5_acl.rst b/doc/admin/conf_files/kadm5_acl.rst index d23fb8a..138a2d7 100644 --- a/doc/admin/conf_files/kadm5_acl.rst +++ b/doc/admin/conf_files/kadm5_acl.rst @@ -116,16 +116,17 @@ Here is an example of a kadm5.acl file:: */root@ATHENA.MIT.EDU l * # line 5 sms@ATHENA.MIT.EDU x * -maxlife 9h -postdateable # line 6 -(line 1) Any principal in the ``ATHENA.MIT.EDU`` realm with -an ``admin`` instance has all administrative privileges. - -(lines 1-3) The user ``joeadmin`` has all permissions with his -``admin`` instance, ``joeadmin/admin@ATHENA.MIT.EDU`` (matches line -1). He has no permissions at all with his null instance, -``joeadmin@ATHENA.MIT.EDU`` (matches line 2). His ``root`` and other -non-``admin``, non-null instances (e.g., ``extra`` or ``dbadmin``) have -inquire permissions with any principal that has the instance ``root`` -(matches line 3). +(line 1) Any principal in the ``ATHENA.MIT.EDU`` realm with an +``admin`` instance has all administrative privileges except extracting +keys. + +(lines 1-3) The user ``joeadmin`` has all permissions except +extracting keys with his ``admin`` instance, +``joeadmin/admin@ATHENA.MIT.EDU`` (matches line 1). He has no +permissions at all with his null instance, ``joeadmin@ATHENA.MIT.EDU`` +(matches line 2). His ``root`` and other non-``admin``, non-null +instances (e.g., ``extra`` or ``dbadmin``) have inquire permissions +with any principal that has the instance ``root`` (matches line 3). (line 4) Any ``root`` principal in ``ATHENA.MIT.EDU`` can inquire or change the password of their null instance, but not any other 
@@ -139,9 +140,9 @@ permission can only be granted globally, not to specific target principals. (line 6) Finally, the Service Management System principal -``sms@ATHENA.MIT.EDU`` has all permissions, but any principal that it -creates or modifies will not be able to get postdateable tickets or -tickets with a life of longer than 9 hours. +``sms@ATHENA.MIT.EDU`` has all permissions except extracting keys, but +any principal that it creates or modifies will not be able to get +postdateable tickets or tickets with a life of longer than 9 hours. SEE ALSO -------- |
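Review bot: in the first hunk, the rewritten "(line 1)" and "(lines 1-3)" paragraphs now say "except extracting keys" but give the reader no reason why a principal matching the "*" wildcard lacks that one permission; the commit message explains that the extract privilege is not covered by "*" or "x", yet that reasoning does not appear in the changed text. Suggest adding one sentence after the "(line 1)" paragraph, for example "The ``*`` wildcard does not include the privilege to extract keys.", so the example's description is self-explanatory without consulting the commit history.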
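Review bot: in the second hunk, the "(line 6)" description repeats "all permissions except extracting keys" for a third time, and because line 6 of the example uses "x" rather than "*", a reader may not realize the two wildcards behave the same way with respect to key extraction. Consider stating once, before the per-line descriptions, that neither ``*`` nor ``x`` grants the extract privilege (as the commit message says), after which the three per-line descriptions can simply refer back to that statement instead of each restating the exception.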