path: root/doc/html/admin/conf_files/kadm5_acl.html
Diffstat (limited to 'doc/html/admin/conf_files/kadm5_acl.html')
-rw-r--r-- doc/html/admin/conf_files/kadm5_acl.html 41
1 files changed, 27 insertions, 14 deletions
diff --git a/doc/html/admin/conf_files/kadm5_acl.html b/doc/html/admin/conf_files/kadm5_acl.html
index 640fc7bc1c9c..05eab8bbae62 100644
--- a/doc/html/admin/conf_files/kadm5_acl.html
+++ b/doc/html/admin/conf_files/kadm5_acl.html
@@ -15,7 +15,7 @@
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../',
- VERSION: '1.15.1',
+ VERSION: '1.16',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
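Review bot: This file is Sphinx-generated output, so the VERSION bump here (and the matching Release string in the footer hunk) should be produced by regenerating from the .rst sources rather than hand-edited; please confirm the source change that adds the new MODULE BEHAVIOR section and the "except extracting keys" wording is part of the same commit, otherwise the next doc rebuild will silently revert this HTML.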
@@ -203,15 +203,16 @@ joeadmin/*@ATHENA.MIT.EDU i */root@ATHENA.MIT.EDU # line 3
sms@ATHENA.MIT.EDU x * -maxlife 9h -postdateable # line 6
</pre></div>
</div>
-<p>(line 1) Any principal in the <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> realm with
-an <tt class="docutils literal"><span class="pre">admin</span></tt> instance has all administrative privileges.</p>
-<p>(lines 1-3) The user <tt class="docutils literal"><span class="pre">joeadmin</span></tt> has all permissions with his
-<tt class="docutils literal"><span class="pre">admin</span></tt> instance, <tt class="docutils literal"><span class="pre">joeadmin/admin&#64;ATHENA.MIT.EDU</span></tt> (matches line
-1). He has no permissions at all with his null instance,
-<tt class="docutils literal"><span class="pre">joeadmin&#64;ATHENA.MIT.EDU</span></tt> (matches line 2). His <tt class="docutils literal"><span class="pre">root</span></tt> and other
-non-<tt class="docutils literal"><span class="pre">admin</span></tt>, non-null instances (e.g., <tt class="docutils literal"><span class="pre">extra</span></tt> or <tt class="docutils literal"><span class="pre">dbadmin</span></tt>) have
-inquire permissions with any principal that has the instance <tt class="docutils literal"><span class="pre">root</span></tt>
-(matches line 3).</p>
+<p>(line 1) Any principal in the <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> realm with an
+<tt class="docutils literal"><span class="pre">admin</span></tt> instance has all administrative privileges except extracting
+keys.</p>
+<p>(lines 1-3) The user <tt class="docutils literal"><span class="pre">joeadmin</span></tt> has all permissions except
+extracting keys with his <tt class="docutils literal"><span class="pre">admin</span></tt> instance,
+<tt class="docutils literal"><span class="pre">joeadmin/admin&#64;ATHENA.MIT.EDU</span></tt> (matches line 1). He has no
+permissions at all with his null instance, <tt class="docutils literal"><span class="pre">joeadmin&#64;ATHENA.MIT.EDU</span></tt>
+(matches line 2). His <tt class="docutils literal"><span class="pre">root</span></tt> and other non-<tt class="docutils literal"><span class="pre">admin</span></tt>, non-null
+instances (e.g., <tt class="docutils literal"><span class="pre">extra</span></tt> or <tt class="docutils literal"><span class="pre">dbadmin</span></tt>) have inquire permissions
+with any principal that has the instance <tt class="docutils literal"><span class="pre">root</span></tt> (matches line 3).</p>
<p>(line 4) Any <tt class="docutils literal"><span class="pre">root</span></tt> principal in <tt class="docutils literal"><span class="pre">ATHENA.MIT.EDU</span></tt> can inquire
or change the password of their null instance, but not any other
null instance. (Here, <tt class="docutils literal"><span class="pre">*1</span></tt> denotes a back-reference to the
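Review bot: The new "except extracting keys" qualifier on the line 1 and line 3 explanations (the `*` permission string) is only accurate if the SYNTAX table earlier in this file documents `*` as excluding the separate key-extraction privilege; that table is outside this hunk, so please confirm it was updated in the same change, or the example commentary and the permission table will contradict each other. It would also help to state once, near the example, that the ability to extract principal keys must be granted explicitly and is never implied by `*`, since a reader who only skims the example will otherwise assume `*` means every privilege.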
@@ -222,9 +223,20 @@ in the database. This line is separate from line 4, because list
permission can only be granted globally, not to specific target
principals.</p>
<p>(line 6) Finally, the Service Management System principal
-<tt class="docutils literal"><span class="pre">sms&#64;ATHENA.MIT.EDU</span></tt> has all permissions, but any principal that it
-creates or modifies will not be able to get postdateable tickets or
-tickets with a life of longer than 9 hours.</p>
+<tt class="docutils literal"><span class="pre">sms&#64;ATHENA.MIT.EDU</span></tt> has all permissions except extracting keys, but
+any principal that it creates or modifies will not be able to get
+postdateable tickets or tickets with a life of longer than 9 hours.</p>
+</div>
+<div class="section" id="module-behavior">
+<h2>MODULE BEHAVIOR<a class="headerlink" href="#module-behavior" title="Permalink to this headline">¶</a></h2>
+<p>The ACL file can coexist with other authorization modules in release
+1.16 and later, as configured in the <a class="reference internal" href="krb5_conf.html#kadm5-auth"><em>kadm5_auth interface</em></a> section of
+<a class="reference internal" href="krb5_conf.html#krb5-conf-5"><em>krb5.conf</em></a>. The ACL file will positively authorize
+operations according to the rules above, but will never
+authoritatively deny an operation, so other modules can authorize
+operations in addition to those authorized by the ACL file.</p>
+<p>To operate without an ACL file, set the <em>acl_file</em> variable in
+<a class="reference internal" href="kdc_conf.html#kdc-conf-5"><em>kdc.conf</em></a> to the empty string with <tt class="docutils literal"><span class="pre">acl_file</span> <span class="pre">=</span> <span class="pre">&quot;&quot;</span></tt>.</p>
</div>
<div class="section" id="see-also">
<h2>SEE ALSO<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h2>
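Review bot: "will never authoritatively deny an operation" is the security-relevant statement in the new MODULE BEHAVIOR section, and it deserves to have its consequence spelled out: the effective authorization is the union of what the ACL file and any other configured kadm5_auth modules grant, so adding a module can only widen what an administrator may do, never narrow it, and the ACL file cannot be used as a deny-list to override another module's decision. Two smaller points: the line 6 explanation should say "all permissions except extracting keys" only if the `x` permission string is documented that way in the SYNTAX table (same concern as the earlier hunk), and the `acl_file = ""` instruction would be more useful with one sentence on what happens when no ACL file and no other module are configured, i.e. whether every operation is then refused.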
@@ -244,6 +256,7 @@ tickets with a life of longer than 9 hours.</p>
<li><a class="reference internal" href="#description">DESCRIPTION</a></li>
<li><a class="reference internal" href="#syntax">SYNTAX</a></li>
<li><a class="reference internal" href="#example">EXAMPLE</a></li>
+<li><a class="reference internal" href="#module-behavior">MODULE BEHAVIOR</a></li>
<li><a class="reference internal" href="#see-also">SEE ALSO</a></li>
</ul>
</li>
@@ -309,7 +322,7 @@ tickets with a life of longer than 9 hours.</p>
<div class="footer-wrapper">
<div class="footer" >
- <div class="right" ><i>Release: 1.15.1</i><br />
+ <div class="right" ><i>Release: 1.16</i><br />
&copy; <a href="../../copyright.html">Copyright</a> 1985-2017, MIT.
</div>
<div class="left">