Commit | Line | Data |
---|---|---|
8ca02f3c | 1 | <HTML> |
2 | <!-- SECTION: Getting Started --> | |
3 | <HEAD> | |
4 | <TITLE>Managing Operation Policies</TITLE> | |
178cb736 | 5 | <LINK REL="STYLESHEET" TYPE="text/css" HREF="../cups-printable.css"> |
8ca02f3c | 6 | </HEAD> |
7 | <BODY> | |
8 | ||
178cb736 | 9 | <H1 CLASS="title">Managing Operation Policies</H1> |
10 | ||
8ca02f3c | 11 | <P>Operation policies are the rules used for each IPP operation |
12 | in CUPS. These rules include things like "user must provide a | |
13 | password", "user must be in the system group", "allow only from | |
14 | the local system", and so forth. Until CUPS 1.2, these rules were | |
15 | largely hardcoded and could only be customized at a very basic | |
16 | level.</P> | |
17 | ||
18 | <P>CUPS 1.2 adds a new fine-grained policy layer which allows you | |
19 | to completely redefine the rules for each operation and/or | |
20 | printer. Each policy is named and defines access control rules | |
21 | for each IPP operation. This document describes how to manage | |
22 | policies and their rules.</P> | |
23 | ||
24 | <H2 CLASS="title"><A NAME="BASICS">The Basics</A></H2> | |
25 | ||
26 | <P>Operation policies are used for all IPP requests sent to the | |
27 | scheduler and are evaluated <em>after</em> the <A | |
28 | HREF="ref-cupsd-conf.html#Location"><TT>Location</TT></A> based | |
29 | access control rules. This means that operation policies can only | |
30 | add additional security restrictions to a request, never relax | |
31 | them. Use <TT>Location</TT> based access control rules for | |
32 | server-wide limits and operation policies for limits on | |
33 | individual printers, tasks, or services.</P> | |
34 | ||
35 | <P>Policies are stored in the <VAR>cupsd.conf</VAR> file in <A | |
36 | HREF="ref-cupsd-conf.html#Policy"><TT>Policy</TT></A> sections. | |
37 | Each policy has an alphanumeric name that is used to select it. | |
38 | Inside the policy section are one or more <A | |
39 | HREF="ref-cupsd-conf.html#LimitIPP"><TT>Limit</TT></A> | |
40 | subsections which list the operations that are affected by the | |
41 | rules inside it. <A HREF="#LISTING01">Listing 1</A> shows the | |
42 | default operation policy, appropriately called "default", that is | |
43 | shipped with CUPS.</P> | |
44 | ||
45 | <P>The easiest way to add a policy to the <VAR>cupsd.conf</VAR> | |
46 | file is to use the web interface. Click on the | |
47 | <VAR>Administration</VAR> tab and then the <VAR>Edit | |
48 | Configuration File</VAR> button to edit the current | |
49 | <VAR>cupsd.conf</VAR> file. Click on the <VAR>Save Changes</VAR> | |
50 | button to save the changes and restart the scheduler. If you edit | |
51 | the <VAR>cupsd.conf</VAR> file from the console, make sure to <A | |
52 | HREF="ref-cupsd-conf.html">restart the cupsd process</A> before | |
53 | trying to use the new policy.</P> | |
54 | ||
5a738aea | 55 | <PRE CLASS="example"> |
8ca02f3c | 56 | <EM>Listing 1: <A NAME="LISTING01">Default Operation Policy</A></EM> |
57 | ||
58 | 1 <Policy default> | |
59 | 2 # Job-related operations must be done by the owner or an | |
355e94dc | 60 | administrator... |
8ca02f3c | 61 | 3 <Limit Send-Document Send-URI Hold-Job Release-Job |
62 | Restart-Job Purge-Jobs Set-Job-Attributes | |
63 | Create-Job-Subscription Renew-Subscription | |
64 | Cancel-Subscription Get-Notifications Reprocess-Job | |
65 | Cancel-Current-Job Suspend-Current-Job Resume-Job | |
66 | CUPS-Move-Job> | |
67 | 4 Require user @OWNER @SYSTEM | |
68 | 5 Order deny,allow | |
69 | 6 </Limit> | |
70 | 7 | |
355e94dc | 71 | 8 # All administration operations require an administrator |
8ca02f3c | 72 | to authenticate... |
355e94dc | 73 | 9 <Limit CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class |
74 | CUPS-Delete-Class CUPS-Set-Default> | |
75 | 10 AuthType Default | |
8ca02f3c | 76 | 11 Require user @SYSTEM |
77 | 12 Order deny,allow | |
78 | 13 </Limit> | |
79 | 14 | |
355e94dc | 80 | 15 # All printer operations require a printer operator |
81 | to authenticate... | |
82 | 16 <Limit Pause-Printer Resume-Printer | |
83 | Set-Printer-Attributes Enable-Printer Disable-Printer | |
84 | Pause-Printer-After-Current-Job Hold-New-Jobs | |
85 | Release-Held-New-Jobs Deactivate-Printer Activate-Printer | |
86 | Restart-Printer Shutdown-Printer Startup-Printer | |
87 | Promote-Job Schedule-Job-After CUPS-Accept-Jobs | |
88 | CUPS-Reject-Jobs> | |
89 | 17 AuthType Default | |
90 | 18 Require user <em>varies by OS</em> | |
91 | 19 Order deny,allow | |
92 | 20 </Limit> | |
93 | 21 | |
94 | 22 # Only the owner or an administrator can cancel or | |
8ca02f3c | 95 | authenticate a job... |
355e94dc | 96 | 23 <Limit Cancel-Job CUPS-Authenticate-Job> |
97 | 24 Require user @OWNER @SYSTEM | |
98 | 25 Order deny,allow | |
99 | 26 </Limit> | |
100 | 27 | |
101 | 28 <Limit All> | |
102 | 29 Order deny,allow | |
103 | 30 </Limit> | |
104 | 31 </Policy> | |
8ca02f3c | 105 | </PRE> |
106 | ||
107 | <H3>The Default CUPS Operation Policy</H3> | |
108 | ||
109 | <P>The policy definition starts with an opening <TT>Policy</TT> | |
110 | directive:</P> | |
111 | ||
5a738aea | 112 | <PRE CLASS="example"> |
8ca02f3c | 113 | 1 <Policy default> |
114 | </PRE> | |
115 | ||
116 | <P>The first <TT>Limit</TT> subsection defines the rules for IPP | |
117 | job operations:</P> | |
118 | ||
5a738aea | 119 | <PRE CLASS="example"> |
8ca02f3c | 120 | 3 <Limit Send-Document Send-URI Hold-Job Release-Job |
121 | Restart-Job Purge-Jobs Set-Job-Attributes | |
122 | Create-Job-Subscription Renew-Subscription | |
123 | Cancel-Subscription Get-Notifications Reprocess-Job | |
124 | Cancel-Current-Job Suspend-Current-Job Resume-Job | |
125 | CUPS-Move-Job> | |
126 | 4 Require user @OWNER @SYSTEM | |
127 | 5 Order deny,allow | |
128 | 6 </Limit> | |
129 | </PRE> | |
130 | ||
131 | <P>The operation names are listed on a single line | |
132 | with spaces separating them. Each name corresponds to the IPP | |
133 | operation described in any of the IETF or PWG standards documents | |
134 | for the Internet Printing Protocol. <A HREF="#TABLE01">Table | |
135 | 1</A> lists all of the operations that have been defined along | |
136 | with their usage in CUPS.</P> | |
137 | ||
138 | <P>The access control rules are listed after the <TT>Limit</TT> | |
139 | line and are the same as those used for <A | |
140 | HREF="ref-cupsd-conf.html#Location"><TT>Location</TT></A> | |
141 | sections. In this case, we require the owner of the job | |
142 | ("@OWNER") or a member of the <A | |
143 | HREF="ref-cupsd-conf.html#SystemGroup"><TT>SystemGroup</TT></A> | |
144 | ("@SYSTEM") to do the operation. Because we do not include an <A | |
145 | HREF="ref-cupsd-conf.html#AuthType"><TT>AuthType</TT></A> | |
146 | directive here, the user information can come from the IPP | |
147 | request itself or the authenticated username from the HTTP | |
148 | request. The administrative operations starting on line 9, | |
149 | however, <em>do</em> use the <TT>AuthType</TT> directive, and so | |
150 | administrative operations need to be authenticated:</P> | |
151 | ||
5a738aea | 152 | <PRE CLASS="example"> |
355e94dc | 153 | 9 <Limit CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class |
154 | CUPS-Delete-Class CUPS-Set-Default> | |
155 | 10 AuthType Default | |
156 | 11 Require user @SYSTEM | |
157 | 12 Order deny,allow | |
158 | 13 </Limit> | |
159 | 14 | |
160 | 15 # All printer operations require a printer operator | |
161 | to authenticate... | |
162 | 16 <Limit Pause-Printer Resume-Printer | |
8ca02f3c | 163 | Set-Printer-Attributes Enable-Printer Disable-Printer |
164 | Pause-Printer-After-Current-Job Hold-New-Jobs | |
165 | Release-Held-New-Jobs Deactivate-Printer Activate-Printer | |
166 | Restart-Printer Shutdown-Printer Startup-Printer | |
355e94dc | 167 | Promote-Job Schedule-Job-After CUPS-Accept-Jobs |
168 | CUPS-Reject-Jobs> | |
169 | 17 AuthType Default | |
170 | 18 Require user <em>varies by OS</em> | |
171 | 19 Order deny,allow | |
172 | 20 </Limit> | |
8ca02f3c | 173 | </PRE> |
174 | ||
175 | <P>The "Order deny,allow" line at the end of both <TT>Limit</TT> | |
176 | subsections allows the request to come from any system allowed by | |
177 | the <TT>Location</TT> sections elsewhere in the | |
178 | <VAR>cupsd.conf</VAR> file.</P> | |
179 | ||
180 | <P>The <TT>Cancel-Job</TT> and <TT>CUPS-Authenticate-Job</TT> | |
181 | operations are listed separately to allow the web interface to | |
182 | more easily edit their policy without disturbing the rest. Like | |
183 | the rest of the job operations, we want the job's owner | |
184 | ("@OWNER") or an administrator ("@SYSTEM") to do it:</P> | |
185 | ||
5a738aea | 186 | <PRE CLASS="example"> |
8ca02f3c | 187 | 23 <Limit Cancel-Job CUPS-Authenticate-Job> |
188 | 24 Require user @OWNER @SYSTEM | |
189 | 25 Order deny,allow | |
190 | 26 </Limit> | |
191 | </PRE> | |
192 | ||
193 | <P>The last <TT>Limit</TT> subsection in any policy uses the | |
194 | special operation name <TT>All</TT>. CUPS will use the rules in | |
195 | this subsection for any operation you don't list specifically in | |
196 | the policy. In this case, all other operations are allowed | |
197 | without a username or authentication:</P> | |
198 | ||
5a738aea | 199 | <PRE CLASS="example"> |
8ca02f3c | 200 | 28 <Limit All> |
201 | 29 Order deny,allow | |
202 | 30 </Limit> | |
203 | 31 </Policy> | |
204 | </PRE> | |
205 | ||
206 | ||
207 | <DIV CLASS="table"><TABLE WIDTH="80%" SUMMARY="IPP Operation Names"> | |
208 | <CAPTION>Table 1: <A NAME="TABLE01">IPP Operation Names</A></CAPTION> | |
209 | <THEAD> | |
210 | <TR> | |
211 | <TH>Name</TH> | |
212 | <TH>Used by CUPS?</TH> | |
213 | <TH>Description</TH> | |
214 | </TR> | |
215 | </THEAD> | |
216 | <TBODY> | |
217 | <TR> | |
218 | <TD NOWRAP><TT>Print-Job</TT></TD> | |
219 | <TD>Yes</TD> | |
220 | <TD>Creates a print job with a single file.</TD> | |
221 | </TR> | |
222 | <TR> | |
223 | <TD NOWRAP><TT>Print-URI</TT></TD> | |
224 | <TD>No</TD> | |
225 | <TD>Create a print job with a single URI.</TD> | |
226 | </TR> | |
227 | <TR> | |
228 | <TD NOWRAP><TT>Validate-Job</TT></TD> | |
229 | <TD>Yes</TD> | |
230 | <TD>Validates a print request before printing.</TD> | |
231 | </TR> | |
232 | <TR> | |
233 | <TD NOWRAP><TT>Create-Job</TT></TD> | |
234 | <TD>Yes</TD> | |
235 | <TD>Creates a print job with no files or URIs.</TD> | |
236 | </TR> | |
237 | <TR> | |
238 | <TD NOWRAP><TT>Send-Document</TT></TD> | |
239 | <TD>Yes</TD> | |
240 | <TD>Adds a file to a print job.</TD> | |
241 | </TR> | |
242 | <TR> | |
243 | <TD NOWRAP><TT>Send-URI</TT></TD> | |
244 | <TD>No</TD> | |
245 | <TD>Adds a URI to a print job.</TD> | |
246 | </TR> | |
247 | <TR> | |
248 | <TD NOWRAP><TT>Cancel-Job</TT></TD> | |
249 | <TD>Yes</TD> | |
250 | <TD>Cancels a print job.</TD> | |
251 | </TR> | |
252 | <TR> | |
253 | <TD NOWRAP><TT>Get-Job-Attributes</TT></TD> | |
254 | <TD>Yes</TD> | |
255 | <TD>Gets information and options associated with a job.</TD> | |
256 | </TR> | |
257 | <TR> | |
258 | <TD NOWRAP><TT>Get-Jobs</TT></TD> | |
259 | <TD>Yes</TD> | |
260 | <TD>Gets a list of jobs.</TD> | |
261 | </TR> | |
262 | <TR> | |
263 | <TD NOWRAP><TT>Get-Printer-Attributes</TT></TD> | |
264 | <TD>Yes</TD> | |
265 | <TD>Gets information and options associated with a printer or class.</TD> | |
266 | </TR> | |
267 | <TR> | |
268 | <TD NOWRAP><TT>Hold-Job</TT></TD> | |
269 | <TD>Yes</TD> | |
270 | <TD>Holds a print job for printing.</TD> | |
271 | </TR> | |
272 | <TR> | |
273 | <TD NOWRAP><TT>Release-Job</TT></TD> | |
274 | <TD>Yes</TD> | |
275 | <TD>Releases a print job for printing.</TD> | |
276 | </TR> | |
277 | <TR> | |
278 | <TD NOWRAP><TT>Restart-Job</TT></TD> | |
279 | <TD>Yes</TD> | |
280 | <TD>Reprints a print job.</TD> | |
281 | </TR> | |
282 | <TR> | |
283 | <TD NOWRAP><TT>Pause-Printer</TT></TD> | |
284 | <TD>Yes</TD> | |
285 | <TD>Stops a printer or class.</TD> | |
286 | </TR> | |
287 | <TR> | |
288 | <TD NOWRAP><TT>Resume-Printer</TT></TD> | |
289 | <TD>Yes</TD> | |
290 | <TD>Starts a printer or class.</TD> | |
291 | </TR> | |
292 | <TR> | |
293 | <TD NOWRAP><TT>Purge-Jobs</TT></TD> | |
294 | <TD>Yes</TD> | |
295 | <TD>Cancels all jobs on the server or a printer or class | |
296 | and removes the job history information.</TD> | |
297 | </TR> | |
298 | <TR> | |
299 | <TD NOWRAP><TT>Set-Printer-Attributes</TT></TD> | |
300 | <TD>No</TD> | |
301 | <TD>Sets printer or class information; CUPS uses | |
302 | CUPS-Add-Modify-Printer and CUPS-Add-Modify-Class | |
303 | instead.</TD> | |
304 | </TR> | |
305 | <TR> | |
306 | <TD NOWRAP><TT>Set-Job-Attributes</TT></TD> | |
307 | <TD>Yes</TD> | |
308 | <TD>Changes job options.</TD> | |
309 | </TR> | |
310 | <TR> | |
311 | <TD NOWRAP><TT>Get-Printer-Supported-Values</TT></TD> | |
312 | <TD>No</TD> | |
313 | <TD>Gets -supported attributes for a printer based on job | |
314 | options.</TD> | |
315 | </TR> | |
316 | <TR> | |
317 | <TD NOWRAP><TT>Create-Printer-Subscription</TT></TD> | |
318 | <TD>Yes</TD> | |
319 | <TD>Creates an event subscription for a printer or the server.</TD> | |
320 | </TR> | |
321 | <TR> | |
322 | <TD NOWRAP><TT>Create-Job-Subscription</TT></TD> | |
323 | <TD>Yes</TD> | |
324 | <TD>Creates an event subscription for a job.</TD> | |
325 | </TR> | |
326 | <TR> | |
327 | <TD NOWRAP><TT>Get-Subscription-Attributes</TT></TD> | |
328 | <TD>Yes</TD> | |
329 | <TD>Gets information for an event subscription.</TD> | |
330 | </TR> | |
331 | <TR> | |
332 | <TD NOWRAP><TT>Get-Subscriptions</TT></TD> | |
333 | <TD>Yes</TD> | |
334 | <TD>Gets a list of event subscriptions.</TD> | |
335 | </TR> | |
336 | <TR> | |
337 | <TD NOWRAP><TT>Renew-Subscription</TT></TD> | |
338 | <TD>Yes</TD> | |
339 | <TD>Renews an event subscription that is about to expire.</TD> | |
340 | </TR> | |
341 | <TR> | |
342 | <TD NOWRAP><TT>Cancel-Subscription</TT></TD> | |
343 | <TD>Yes</TD> | |
344 | <TD>Cancels an event subscription.</TD> | |
345 | </TR> | |
346 | <TR> | |
347 | <TD NOWRAP><TT>Get-Notifications</TT></TD> | |
348 | <TD>Yes</TD> | |
349 | <TD>Gets (pending) events for an event subscription.</TD> | |
350 | </TR> | |
351 | <TR> | |
352 | <TD NOWRAP><TT>Send-Notifications</TT></TD> | |
353 | <TD>No</TD> | |
354 | <TD>Sends events for an event subscription.</TD> | |
355 | </TR> | |
356 | <TR> | |
357 | <TD NOWRAP><TT>Get-Printer-Support-Files</TT></TD> | |
358 | <TD>No</TD> | |
359 | <TD>Gets printer driver files for a Novell client.</TD> | |
360 | </TR> | |
361 | <TR> | |
362 | <TD NOWRAP><TT>Enable-Printer</TT></TD> | |
363 | <TD>Yes</TD> | |
364 | <TD>Starts a printer or class.</TD> | |
365 | </TR> | |
366 | <TR> | |
367 | <TD NOWRAP><TT>Disable-Printer</TT></TD> | |
368 | <TD>Yes</TD> | |
369 | <TD>Stops a printer or class.</TD> | |
370 | </TR> | |
371 | <TR> | |
372 | <TD NOWRAP><TT>Pause-Printer-After-Current-Job</TT></TD> | |
373 | <TD>No</TD> | |
374 | <TD>Stops a printer or class after the current job is finished.</TD> | |
375 | </TR> | |
376 | <TR> | |
377 | <TD NOWRAP><TT>Hold-New-Jobs</TT></TD> | |
378 | <TD>No</TD> | |
379 | <TD>Holds new jobs submitted to a printer or class.</TD> | |
380 | </TR> | |
381 | <TR> | |
382 | <TD NOWRAP><TT>Release-Held-New-Jobs</TT></TD> | |
383 | <TD>No</TD> | |
384 | <TD>Releases jobs that were held because of the | |
385 | Hold-New-Jobs operation.</TD> | |
386 | </TR> | |
387 | <TR> | |
388 | <TD NOWRAP><TT>Deactivate-Printer</TT></TD> | |
389 | <TD>No</TD> | |
390 | <TD>Deactivates a printer or class.</TD> | |
391 | </TR> | |
392 | <TR> | |
393 | <TD NOWRAP><TT>Activate-Printer</TT></TD> | |
394 | <TD>No</TD> | |
395 | <TD>Activates a printer or class.</TD> | |
396 | </TR> | |
397 | <TR> | |
398 | <TD NOWRAP><TT>Restart-Printer</TT></TD> | |
399 | <TD>No</TD> | |
400 | <TD>Restarts a printer or class, resuming print jobs as needed.</TD> | |
401 | </TR> | |
402 | <TR> | |
403 | <TD NOWRAP><TT>Shutdown-Printer</TT></TD> | |
404 | <TD>No</TD> | |
405 | <TD>Powers a printer or class off.</TD> | |
406 | </TR> | |
407 | <TR> | |
408 | <TD NOWRAP><TT>Startup-Printer</TT></TD> | |
409 | <TD>No</TD> | |
410 | <TD>Powers a printer or class on.</TD> | |
411 | </TR> | |
412 | <TR> | |
413 | <TD NOWRAP><TT>Reprocess-Job</TT></TD> | |
414 | <TD>No</TD> | |
415 | <TD>Reprints a job on a different printer or class; CUPS has the | |
416 | CUPS-Move-Job operation instead.</TD> | |
417 | </TR> | |
418 | <TR> | |
419 | <TD NOWRAP><TT>Cancel-Current-Job</TT></TD> | |
420 | <TD>No</TD> | |
421 | <TD>Cancels the current job on a printer or class.</TD> | |
422 | </TR> | |
423 | <TR> | |
424 | <TD NOWRAP><TT>Suspend-Current-Job</TT></TD> | |
425 | <TD>No</TD> | |
426 | <TD>Stops the current job on a printer or class.</TD> | |
427 | </TR> | |
428 | <TR> | |
429 | <TD NOWRAP><TT>Resume-Job</TT></TD> | |
430 | <TD>No</TD> | |
431 | <TD>Resumes printing of a stopped job.</TD> | |
432 | </TR> | |
433 | <TR> | |
434 | <TD NOWRAP><TT>Promote-Job</TT></TD> | |
435 | <TD>No</TD> | |
436 | <TD>Prints a job before others.</TD> | |
437 | </TR> | |
438 | <TR> | |
439 | <TD NOWRAP><TT>Schedule-Job-After</TT></TD> | |
440 | <TD>No</TD> | |
441 | <TD>Prints a job after others.</TD> | |
442 | </TR> | |
443 | <TR> | |
444 | <TD NOWRAP><TT>CUPS-Get-Default</TT></TD> | |
445 | <TD>Yes</TD> | |
446 | <TD>Gets the server/network default printer or class.</TD> | |
447 | </TR> | |
448 | <TR> | |
449 | <TD NOWRAP><TT>CUPS-Get-Printers</TT></TD> | |
450 | <TD>Yes</TD> | |
451 | <TD>Gets a list of printers and/or classes.</TD> | |
452 | </TR> | |
453 | <TR> | |
454 | <TD NOWRAP><TT>CUPS-Add-Modify-Printer</TT></TD> | |
455 | <TD>Yes</TD> | |
456 | <TD>Adds or modifies a printer.</TD> | |
457 | </TR> | |
458 | <TR> | |
459 | <TD NOWRAP><TT>CUPS-Delete-Printer</TT></TD> | |
460 | <TD>Yes</TD> | |
461 | <TD>Removes a printer.</TD> | |
462 | </TR> | |
463 | <TR> | |
464 | <TD NOWRAP><TT>CUPS-Get-Classes</TT></TD> | |
465 | <TD>Yes</TD> | |
466 | <TD>Gets a list of classes.</TD> | |
467 | </TR> | |
468 | <TR> | |
469 | <TD NOWRAP><TT>CUPS-Add-Modify-Class</TT></TD> | |
470 | <TD>Yes</TD> | |
471 | <TD>Adds or modifies a class.</TD> | |
472 | </TR> | |
473 | <TR> | |
474 | <TD NOWRAP><TT>CUPS-Delete-Class</TT></TD> | |
475 | <TD>Yes</TD> | |
476 | <TD>Removes a class.</TD> | |
477 | </TR> | |
478 | <TR> | |
479 | <TD NOWRAP><TT>CUPS-Accept-Jobs</TT></TD> | |
480 | <TD>Yes</TD> | |
481 | <TD>Sets a printer's or class' printer-is-accepting-jobs | |
482 | attribute to true.</TD> | |
483 | </TR> | |
484 | <TR> | |
485 | <TD NOWRAP><TT>CUPS-Reject-Jobs</TT></TD> | |
486 | <TD>Yes</TD> | |
487 | <TD>Sets a printer's or class' printer-is-accepting-jobs | |
488 | attribute to false.</TD> | |
489 | </TR> | |
490 | <TR> | |
491 | <TD NOWRAP><TT>CUPS-Set-Default</TT></TD> | |
492 | <TD>Yes</TD> | |
493 | <TD>Sets the server/network default printer or class.</TD> | |
494 | </TR> | |
495 | <TR> | |
496 | <TD NOWRAP><TT>CUPS-Get-Devices</TT></TD> | |
497 | <TD>Yes</TD> | |
498 | <TD>Gets a list of printer devices.</TD> | |
499 | </TR> | |
500 | <TR> | |
501 | <TD NOWRAP><TT>CUPS-Get-PPDs</TT></TD> | |
502 | <TD>Yes</TD> | |
503 | <TD>Gets a list of printer drivers or manufacturers.</TD> | |
504 | </TR> | |
505 | <TR> | |
506 | <TD NOWRAP><TT>CUPS-Move-Job</TT></TD> | |
507 | <TD>Yes</TD> | |
508 | <TD>Moves a job to a different printer or class.</TD> | |
509 | </TR> | |
510 | <TR> | |
511 | <TD NOWRAP><TT>CUPS-Authenticate-Job</TT></TD> | |
512 | <TD>Yes</TD> | |
513 | <TD>Authenticates a job for printing.</TD> | |
514 | </TR> | |
515 | </TBODY> | |
516 | </TABLE></DIV> | |
517 | ||
518 | ||
519 | <H2 CLASS="title"><A NAME="CREATING">Creating Your Own Policies</A></H2> | |
520 | ||
521 | <P>The easiest way to create a new policy is to start with the | |
522 | default policy and then make changes to the copy. The first | |
523 | change you'll make is to give the policy a new name. Policy names | |
524 | can use the same characters as a printer name, specifically all | |
525 | printable characters except space, slash (/), and pound (#):</P> | |
526 | ||
5a738aea | 527 | <PRE CLASS="example"> |
8ca02f3c | 528 | <Policy mypolicy> |
529 | </PRE> | |
530 | ||
531 | <P>Then you need to decide exactly what limits you want for the | |
532 | policy. For example, if you want to allow any user to cancel any | |
533 | other users' jobs, you can change the <TT>Cancel-Job</TT> limits | |
534 | to:</P> | |
535 | ||
5a738aea | 536 | <PRE CLASS="example"> |
8ca02f3c | 537 | <Limit Cancel-Job> |
538 | Order deny,allow | |
539 | </Limit> | |
540 | </PRE> | |
541 | ||
542 | <P>The directives inside the <TT>Limit</TT> subsection can use | |
543 | any of the normal limiting directives: <A | |
544 | HREF="ref-cupsd-conf.html#Allow"><TT>Allow</TT></A>, <A | |
545 | HREF="ref-cupsd-conf.html#AuthType"><TT>AuthType</TT></A>, <A | |
546 | HREF="ref-cupsd-conf.html#Deny"><TT>Deny</TT></A>, <A | |
547 | HREF="ref-cupsd-conf.html#Encryption"><TT>Encryption</TT></A>, <A | |
548 | HREF="ref-cupsd-conf.html#Require"><TT>Require</TT></A>, and <A | |
549 | HREF="ref-cupsd-conf.html#Satisfy"><TT>Satisfy</TT></A>. <A | |
550 | HREF="#TABLE02">Table 2</A> lists some basic "recipes" for | |
551 | different access control rules.</P> | |
552 | ||
553 | <DIV CLASS="table"><TABLE WIDTH="80%" SUMMARY="Access Control Recipes"> | |
554 | <CAPTION>Table 2: <A NAME="TABLE02">Access Control Recipes</A></CAPTION> | |
555 | <THEAD> | |
556 | <TR> | |
557 | <TH>Access Level</TH> | |
558 | <TH>Directives to Use</TH> | |
559 | </TR> | |
560 | </THEAD> | |
561 | <TBODY> | |
562 | <TR> | |
563 | <TD>Allow Everyone</TD> | |
564 | <TD><PRE>Order deny,allow | |
565 | Allow from all</PRE></TD> | |
566 | </TR> | |
567 | <TR> | |
568 | <TD>Allow Everyone on the Local Network</TD> | |
569 | <TD><PRE>Order allow,deny | |
570 | Allow from @LOCAL</PRE></TD> | |
571 | </TR> | |
572 | <TR> | |
573 | <TD>Deny Everyone/Disable Operation(s)</TD> | |
574 | <TD><PRE>Order allow,deny | |
575 | Deny from all</PRE></TD> | |
576 | </TR> | |
577 | <TR> | |
578 | <TD>Require Login (System) Password</TD> | |
579 | <TD><PRE>AuthType Basic</PRE></TD> | |
580 | </TR> | |
581 | <TR> | |
582 | <TD>Require CUPS (lppasswd) Password</TD> | |
583 | <TD><PRE>AuthType BasicDigest</PRE></TD> | |
584 | </TR> | |
585 | <TR> | |
586 | <TD>Require the Owner of a Job or Subscription</TD> | |
587 | <TD><PRE>Require user @OWNER</PRE></TD> | |
588 | </TR> | |
589 | <TR> | |
590 | <TD>Require an Administrative User</TD> | |
591 | <TD><PRE>Require user @SYSTEM</PRE></TD> | |
592 | </TR> | |
593 | <TR> | |
594 | <TD>Require Member of Group "foogroup"</TD> | |
595 | <TD><PRE>Require user @foogroup</PRE></TD> | |
596 | </TR> | |
597 | <TR> | |
598 | <TD>Require "john" or "mary"</TD> | |
599 | <TD><PRE>Require user john mary</PRE></TD> | |
600 | </TR> | |
601 | <TR> | |
602 | <TD>Require Encryption</TD> | |
603 | <TD><PRE>Encryption Required</PRE></TD> | |
604 | </TR> | |
605 | </TABLE></DIV> | |
606 | ||
607 | ||
608 | <H3>Creating a Policy for a Computer Lab</H3> | |
609 | ||
610 | <P>One common operating scenario is a computer lab. The lab is | |
611 | managed by one or more technicians that assist the users of the | |
612 | lab and handle the basic administration tasks. <A | |
613 | HREF="#LISTING02">Listing 2</A> shows an operation policy that | |
614 | only allows access from the lab's subnet, 10.0.2.x, and allows | |
615 | the lab technicians, who are members of a special UNIX group for | |
616 | that lab called "lab999", to do job, printer, and subscription | |
617 | management operations.</P> | |
618 | ||
5a738aea | 619 | <PRE CLASS="example"> |
8ca02f3c | 620 | <EM>Listing 2: <A NAME="LISTING02">Operation Policy for a Lab</A></EM> |
621 | ||
622 | 1 <Policy lab999> | |
623 | 2 # Job- and subscription-related operations must be done | |
355e94dc | 624 | by the owner, a lab technician, or an administrator... |
8ca02f3c | 625 | 3 <Limit Send-Document Send-URI Hold-Job Release-Job |
626 | Restart-Job Purge-Jobs Set-Job-Attributes | |
627 | Create-Job-Subscription Renew-Subscription | |
628 | Cancel-Subscription Get-Notifications Reprocess-Job | |
629 | Cancel-Current-Job Suspend-Current-Job Resume-Job | |
630 | CUPS-Move-Job Cancel-Job CUPS-Authenticate-Job> | |
631 | 4 Require user @OWNER @lab999 @SYSTEM | |
632 | 5 Order allow,deny | |
633 | 6 Allow from 10.0.2.0/24 | |
634 | 7 </Limit> | |
635 | 8 | |
636 | 9 # All administration operations require a lab technician | |
355e94dc | 637 | or an administrator to authenticate... |
8ca02f3c | 638 | 10 <Limit Pause-Printer Resume-Printer |
639 | Set-Printer-Attributes Enable-Printer Disable-Printer | |
640 | Pause-Printer-After-Current-Job Hold-New-Jobs | |
641 | Release-Held-New-Jobs Deactivate-Printer Activate-Printer | |
642 | Restart-Printer Shutdown-Printer Startup-Printer | |
643 | Promote-Job Schedule-Job-After CUPS-Accept-Jobs | |
644 | CUPS-Reject-Jobs CUPS-Set-Default> | |
355e94dc | 645 | 11 AuthType Default |
8ca02f3c | 646 | 12 Require user @lab999 @SYSTEM |
647 | 13 Order allow,deny | |
648 | 14 Allow from 10.0.2.0/24 | |
649 | 15 </Limit> | |
650 | 16 | |
651 | 17 # All other operations are allowed from the lab network... | |
652 | 18 <Limit All> | |
653 | 19 Order allow,deny | |
654 | 20 Allow from 10.0.2.0/24 | |
655 | 21 </Limit> | |
656 | 22 </Policy> | |
657 | </PRE> | |
658 | ||
659 | ||
660 | <H2 CLASS="title"><A NAME="SELECT">Using Policies</A></H2> | |
661 | ||
662 | <P>Once you have created a policy, you can use it in two ways. | |
663 | The first way is to assign it as the default policy for the | |
664 | system using the <A | |
665 | HREF="ref-cupsd-conf.html#DefaultPolicy"><TT>DefaultPolicy</TT></A> | |
666 | directive in the <VAR>cupsd.conf</VAR> file. For example, add the | |
667 | following line to the <VAR>cupsd.conf</VAR> file to use the | |
668 | "lab999" policy from the previous section:</P> | |
669 | ||
5a738aea | 670 | <PRE CLASS="example"> |
8ca02f3c | 671 | DefaultPolicy lab999 |
672 | </PRE> | |
673 | ||
674 | <P>To associate the policy with one or more printers, use either | |
675 | the <A HREF="man-lpadmin.html">lpadmin(8)</A> command or the web | |
676 | interface to change the operation policy for each printer. When | |
677 | using the <B>lpadmin</B> command, the <TT>-o | |
678 | printer-op-policy=name</TT> option sets the operation policy for | |
679 | a printer. For example, enter the following command to use the | |
680 | "lab999" policy from the previous section with a printer named | |
681 | "LaserJet4000":</P> | |
682 | ||
683 | <PRE CLASS="command"> | |
684 | lpadmin -p LaserJet4000 -o printer-op-policy=lab999 | |
685 | </PRE> | |
686 | ||
687 | <P>To make the same change in the web interface, go to the | |
688 | printer's web page, for example | |
689 | "http://localhost:631/printers/LaserJet4000", and click on the | |
690 | <VAR>Set Printer Options</VAR> button. Scroll down to the bottom | |
691 | of the page and choose the desired policy from the pull-down | |
2e4ff8af | 692 | list. Click on <VAR>Set Printer Options</VAR> to change the policy for |
8ca02f3c | 693 | the printer.</P> |
694 | ||
695 | </BODY> | |
696 | </HTML> |
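
The walkthrough of the default policy notes that a `Limit` without `AuthType` accepts a user name taken from the IPP request, and that `<Limit All>` covers every operation not listed elsewhere. The following audit script is an added example, not part of the CUPS documentation or source; it reports which rule each operation falls under. The sample policy text is constructed from Listing 1, the function names are hypothetical, and operation names are matched literally.

```python
import re

# Constructed sample: a trimmed copy of the "default" policy from Listing 1.
SAMPLE_CONF = """\
<Policy default>
  <Limit Send-Document Hold-Job Release-Job CUPS-Move-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit CUPS-Add-Printer CUPS-Delete-Printer CUPS-Set-Default>
    AuthType Default
    Require user @SYSTEM
    Order deny,allow
  </Limit>
  <Limit Cancel-Job CUPS-Authenticate-Job>
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
"""

POLICY_RE = re.compile(r"<Policy\s+([^>\s]+)\s*>(.*?)</Policy>", re.S | re.I)
LIMIT_RE = re.compile(r"<Limit\s+([^>]+)>(.*?)</Limit>", re.S | re.I)


def parse_policies(conf_text):
    """Return {policy name: [(lowercased operation names, directives), ...]}."""
    policies = {}
    for name, body in POLICY_RE.findall(conf_text):
        limits = []
        for ops, rules in LIMIT_RE.findall(body):
            directives = {}
            for line in rules.splitlines():
                line = line.split("#", 1)[0].strip()  # drop comments
                if line:
                    key, _, value = line.partition(" ")
                    directives[key.lower()] = value.strip()
            limits.append(({op.lower() for op in ops.split()}, directives))
        policies[name] = limits
    return policies


def rules_for(limits, operation):
    """Rules for one operation: its own <Limit>, else the <Limit All> fallback."""
    op = operation.lower()
    for wanted in (op, "all"):
        for ops, directives in limits:
            if wanted in ops:
                return directives, wanted != op
    return None, False


def classify(directives):
    """Simplified reading of the page's rules, not cupsd's own evaluation."""
    if directives is None:
        return "no-rule"
    if directives.get("authtype", "none").lower() != "none":
        return "authenticated"
    if "require" in directives:
        # No AuthType: the page notes the user name may come from the IPP request.
        return "username-only"
    return "open"


def audit(conf_text, policy, operations):
    """Map each operation to (classification, handled_by_limit_all)."""
    limits = parse_policies(conf_text)[policy]
    report = {}
    for op in operations:
        directives, via_all = rules_for(limits, op)
        report[op] = (classify(directives), via_all)
    return report


if __name__ == "__main__":
    watch = ["CUPS-Delete-Printer", "Cancel-Job", "Print-Job", "Get-Jobs"]
    for op, (level, via_all) in audit(SAMPLE_CONF, "default", watch).items():
        print(f"{op:22} {level:14} {'via <Limit All>' if via_all else ''}")
```

Run it against a copy of your own `cupsd.conf` text with the operation names from Table 1 to see which operations a new policy leaves to `<Limit All>`.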