Commit | Line | Data |
---|---|---|
8ca02f3c | 1 | <HTML> |
2 | <!-- SECTION: Getting Started --> | |
3 | <HEAD> | |
4 | <TITLE>Managing Operation Policies</TITLE> | |
5 | </HEAD> | |
6 | <BODY> | |
7 | ||
8 | <P>Operation policies are the rules used for each IPP operation | |
9 | in CUPS. These rules include things like "user must provide a | |
10 | password", "user must be in the system group", "allow only from | |
11 | the local system", and so forth. Until CUPS 1.2, these rules were | |
12 | largely hardcoded and could only be customized at a very basic | |
13 | level.</P> | |
14 | ||
15 | <P>CUPS 1.2 adds a new fine-grained policy layer which allows you | |
16 | to completely redefine the rules for each operation and/or | |
17 | printer. Each policy is named and defines access control rules | |
18 | for each IPP operation. This document describes how to manage | |
19 | policies and their rules.</P> | |
20 | ||
21 | <H2 CLASS="title"><A NAME="BASICS">The Basics</A></H2> | |
22 | ||
23 | <P>Operation policies are used for all IPP requests sent to the | |
24 | scheduler and are evaluated <em>after</em> the <A | |
25 | HREF="ref-cupsd-conf.html#Location"><TT>Location</TT></A> based | |
26 | access control rules. This means that operation policies can only | |
27 | add additional security restrictions to a request, never relax | |
28 | them. Use <TT>Location</TT> based access control rules for | |
29 | server-wide limits and operation policies for limits on | |
30 | individual printers, tasks, or services.</P> | |
31 | ||
32 | <P>Policies are stored in the <VAR>cupsd.conf</VAR> file in <A | |
33 | HREF="ref-cupsd-conf.html#Policy"><TT>Policy</TT></A> sections. | |
34 | Each policy has an alphanumeric name that is used to select it. | |
35 | Inside the policy section are one or more <A | |
36 | HREF="ref-cupsd-conf.html#LimitIPP"><TT>Limit</TT></A> | |
37 | subsections which list the operations that are affected by the | |
38 | rules inside it. <A HREF="#LISTING01">Listing 1</A> shows the | |
39 | default operation policy, appropriately called "default", that is | |
40 | shipped with CUPS.</P> | |
41 | ||
42 | <P>The easiest way to add a policy to the <VAR>cupsd.conf</VAR> | |
43 | file is to use the web interface. Click on the | |
44 | <VAR>Administration</VAR> tab and then the <VAR>Edit | |
45 | Configuration File</VAR> button to edit the current | |
46 | <VAR>cupsd.conf</VAR> file. Click on the <VAR>Save Changes</VAR> | |
47 | button to save the changes and restart the scheduler. If you edit | |
48 | the <VAR>cupsd.conf</VAR> file from the console, make sure to <A | |
49 | HREF="ref-cupsd-conf.html">restart the cupsd process</A> before | |
50 | trying to use the new policy.</P> | |
51 | ||
52 | <PRE CLASS="command"> | |
53 | <EM>Listing 1: <A NAME="LISTING01">Default Operation Policy</A></EM> | |
54 | ||
55 | 1 <Policy default> | |
56 | 2 # Job-related operations must be done by the owner or an | |
355e94dc | 57 | administrator... |
8ca02f3c | 58 | 3 <Limit Send-Document Send-URI Hold-Job Release-Job |
59 | Restart-Job Purge-Jobs Set-Job-Attributes | |
60 | Create-Job-Subscription Renew-Subscription | |
61 | Cancel-Subscription Get-Notifications Reprocess-Job | |
62 | Cancel-Current-Job Suspend-Current-Job Resume-Job | |
63 | CUPS-Move-Job> | |
64 | 4 Require user @OWNER @SYSTEM | |
65 | 5 Order deny,allow | |
66 | 6 </Limit> | |
67 | 7 | |
355e94dc | 68 | 8 # All administration operations require an administrator |
8ca02f3c | 69 | to authenticate... |
355e94dc MS | 70 | 9 <Limit CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class |
71 | CUPS-Delete-Class CUPS-Set-Default> | |
72 | 10 AuthType Default | |
8ca02f3c | 73 | 11 Require user @SYSTEM |
74 | 12 Order deny,allow | |
75 | 13 </Limit> | |
76 | 14 | |
355e94dc MS | 77 | 15 # All printer operations require a printer operator |
78 | to authenticate... | |
79 | 16 <Limit Pause-Printer Resume-Printer | |
80 | Set-Printer-Attributes Enable-Printer Disable-Printer | |
81 | Pause-Printer-After-Current-Job Hold-New-Jobs | |
82 | Release-Held-New-Jobs Deactivate-Printer Activate-Printer | |
83 | Restart-Printer Shutdown-Printer Startup-Printer | |
84 | Promote-Job Schedule-Job-After CUPS-Accept-Jobs | |
85 | CUPS-Reject-Jobs> | |
86 | 17 AuthType Default | |
87 | 18 Require user <em>varies by OS</em> | |
88 | 19 Order deny,allow | |
89 | 20 </Limit> | |
90 | 21 | |
91 | 22 # Only the owner or an administrator can cancel or | |
8ca02f3c | 92 | authenticate a job... |
355e94dc MS | 93 | 23 <Limit Cancel-Job CUPS-Authenticate-Job> |
94 | 24 Require user @OWNER @SYSTEM | |
95 | 25 Order deny,allow | |
96 | 26 </Limit> | |
97 | 27 | |
98 | 28 <Limit All> | |
99 | 29 Order deny,allow | |
100 | 30 </Limit> | |
101 | 31 </Policy> | |
8ca02f3c | 102 | </PRE> |
103 | ||
104 | <H3>The Default CUPS Operation Policy</H3> | |
105 | ||
106 | <P>The policy definition starts with an opening <TT>Policy</TT> | |
107 | directive:</P> | |
108 | ||
109 | <PRE CLASS="command"> | |
110 | 1 <Policy default> | |
111 | </PRE> | |
112 | ||
113 | <P>The first <TT>Limit</TT> subsection defines the rules for IPP | |
114 | job operations:</P> | |
115 | ||
116 | <PRE CLASS="command"> | |
117 | 3 <Limit Send-Document Send-URI Hold-Job Release-Job | |
118 | Restart-Job Purge-Jobs Set-Job-Attributes | |
119 | Create-Job-Subscription Renew-Subscription | |
120 | Cancel-Subscription Get-Notifications Reprocess-Job | |
121 | Cancel-Current-Job Suspend-Current-Job Resume-Job | |
122 | CUPS-Move-Job> | |
123 | 4 Require user @OWNER @SYSTEM | |
124 | 5 Order deny,allow | |
125 | 6 </Limit> | |
126 | </PRE> | |
127 | ||
128 | <P>The operation names are listed on a single line | |
129 | with spaces separating them. Each name corresponds to the IPP | |
130 | operation described in any of the IETF or PWG standards documents | |
131 | for the Internet Printing Protocol. <A HREF="#TABLE01">Table | |
132 | 1</A> lists all of the operations that have been defined along | |
133 | with their usage in CUPS.</P> | |
134 | ||
135 | <P>The access control rules are listed after the <TT>Limit</TT> | |
136 | line and are the same as those used for <A | |
137 | HREF="ref-cupsd-conf.html#Location"><TT>Location</TT></A> | |
138 | sections. In this case, we require the owner of the job | |
139 | ("@OWNER") or a member of the <A | |
140 | HREF="ref-cupsd-conf.html#SystemGroup"><TT>SystemGroup</TT></A> | |
141 | ("@SYSTEM") to do the operation. Because we do not include an <A | |
142 | HREF="ref-cupsd-conf.html#AuthType"><TT>AuthType</TT></A> | |
143 | directive here, the user information can come from the IPP | |
144 | request itself or the authenticated username from the HTTP | |
145 | request. The administrative operations starting on line 9, | |
146 | however, <em>do</em> use the <TT>AuthType</TT> directive, and so | |
147 | administrative operations need to be authenticated:</P> | |
148 | ||
149 | <PRE CLASS="command"> | |
355e94dc MS | 150 | 9 <Limit CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class |
151 | CUPS-Delete-Class CUPS-Set-Default> | |
152 | 10 AuthType Default | |
153 | 11 Require user @SYSTEM | |
154 | 12 Order deny,allow | |
155 | 13 </Limit> | |
156 | 14 | |
157 | 15 # All printer operations require a printer operator | |
158 | to authenticate... | |
159 | 16 <Limit Pause-Printer Resume-Printer | |
8ca02f3c | 160 | Set-Printer-Attributes Enable-Printer Disable-Printer |
161 | Pause-Printer-After-Current-Job Hold-New-Jobs | |
162 | Release-Held-New-Jobs Deactivate-Printer Activate-Printer | |
163 | Restart-Printer Shutdown-Printer Startup-Printer | |
355e94dc MS | 164 | Promote-Job Schedule-Job-After CUPS-Accept-Jobs |
165 | CUPS-Reject-Jobs> | |
166 | 17 AuthType Default | |
167 | 18 Require user <em>varies by OS</em> | |
168 | 19 Order deny,allow | |
169 | 20 </Limit> | |
8ca02f3c | 170 | </PRE> |
171 | ||
172 | <P>The "Order deny,allow" line at the end of both <TT>Limit</TT> | |
173 | subsections allows the request to come from any system allowed by | |
174 | the <TT>Location</TT> sections elsewhere in the | |
175 | <VAR>cupsd.conf</VAR> file.</P> | |
176 | ||
177 | <P>The <TT>Cancel-Job</TT> and <TT>CUPS-Authenticate-Job</TT> | |
178 | operations are listed separately to allow the web interface to | |
179 | more easily edit their policy without disturbing the rest. Like | |
180 | the rest of the job operations, we want the job's owner | |
181 | ("@OWNER") or an administrator ("@SYSTEM") to do it:</P> | |
182 | ||
183 | <PRE CLASS="command"> | |
184 | 23 <Limit Cancel-Job CUPS-Authenticate-Job> | |
185 | 24 Require user @OWNER @SYSTEM | |
186 | 25 Order deny,allow | |
187 | 26 </Limit> | |
188 | </PRE> | |
189 | ||
190 | <P>The last <TT>Limit</TT> subsection in any policy uses the | |
191 | special operation name <TT>All</TT>. CUPS will use the rules in | |
192 | this subsection for any operation you don't list specifically in | |
193 | the policy. In this case, all other operations are allowed | |
194 | without a username or authentication:</P> | |
195 | ||
196 | <PRE CLASS="command"> | |
197 | 28 <Limit All> | |
198 | 29 Order deny,allow | |
199 | 30 </Limit> | |
200 | 31 </Policy> | |
201 | </PRE> | |
202 | ||
203 | ||
204 | <DIV CLASS="table"><TABLE WIDTH="80%" SUMMARY="IPP Operation Names"> | |
205 | <CAPTION>Table 1: <A NAME="TABLE01">IPP Operation Names</A></CAPTION> | |
206 | <THEAD> | |
207 | <TR> | |
208 | <TH>Name</TH> | |
209 | <TH>Used by CUPS?</TH> | |
210 | <TH>Description</TH> | |
211 | </TR> | |
212 | </THEAD> | |
213 | <TBODY> | |
214 | <TR> | |
215 | <TD NOWRAP><TT>Print-Job</TT></TD> | |
216 | <TD>Yes</TD> | |
217 | <TD>Creates a print job with a single file.</TD> | |
218 | </TR> | |
219 | <TR> | |
220 | <TD NOWRAP><TT>Print-URI</TT></TD> | |
221 | <TD>No</TD> | |
222 | <TD>Creates a print job with a single URI.</TD> | |
223 | </TR> | |
224 | <TR> | |
225 | <TD NOWRAP><TT>Validate-Job</TT></TD> | |
226 | <TD>Yes</TD> | |
227 | <TD>Validates a print request before printing.</TD> | |
228 | </TR> | |
229 | <TR> | |
230 | <TD NOWRAP><TT>Create-Job</TT></TD> | |
231 | <TD>Yes</TD> | |
232 | <TD>Creates a print job with no files or URIs.</TD> | |
233 | </TR> | |
234 | <TR> | |
235 | <TD NOWRAP><TT>Send-Document</TT></TD> | |
236 | <TD>Yes</TD> | |
237 | <TD>Adds a file to a print job.</TD> | |
238 | </TR> | |
239 | <TR> | |
240 | <TD NOWRAP><TT>Send-URI</TT></TD> | |
241 | <TD>No</TD> | |
242 | <TD>Adds a URI to a print job.</TD> | |
243 | </TR> | |
244 | <TR> | |
245 | <TD NOWRAP><TT>Cancel-Job</TT></TD> | |
246 | <TD>Yes</TD> | |
247 | <TD>Cancels a print job.</TD> | |
248 | </TR> | |
249 | <TR> | |
250 | <TD NOWRAP><TT>Get-Job-Attributes</TT></TD> | |
251 | <TD>Yes</TD> | |
252 | <TD>Gets information and options associated with a job.</TD> | |
253 | </TR> | |
254 | <TR> | |
255 | <TD NOWRAP><TT>Get-Jobs</TT></TD> | |
256 | <TD>Yes</TD> | |
257 | <TD>Gets a list of jobs.</TD> | |
258 | </TR> | |
259 | <TR> | |
260 | <TD NOWRAP><TT>Get-Printer-Attributes</TT></TD> | |
261 | <TD>Yes</TD> | |
262 | <TD>Gets information and options associated with a printer or class.</TD> | |
263 | </TR> | |
264 | <TR> | |
265 | <TD NOWRAP><TT>Hold-Job</TT></TD> | |
266 | <TD>Yes</TD> | |
267 | <TD>Holds a print job for printing.</TD> | |
268 | </TR> | |
269 | <TR> | |
270 | <TD NOWRAP><TT>Release-Job</TT></TD> | |
271 | <TD>Yes</TD> | |
272 | <TD>Releases a print job for printing.</TD> | |
273 | </TR> | |
274 | <TR> | |
275 | <TD NOWRAP><TT>Restart-Job</TT></TD> | |
276 | <TD>Yes</TD> | |
277 | <TD>Reprints a print job.</TD> | |
278 | </TR> | |
279 | <TR> | |
280 | <TD NOWRAP><TT>Pause-Printer</TT></TD> | |
281 | <TD>Yes</TD> | |
282 | <TD>Stops a printer or class.</TD> | |
283 | </TR> | |
284 | <TR> | |
285 | <TD NOWRAP><TT>Resume-Printer</TT></TD> | |
286 | <TD>Yes</TD> | |
287 | <TD>Starts a printer or class.</TD> | |
288 | </TR> | |
289 | <TR> | |
290 | <TD NOWRAP><TT>Purge-Jobs</TT></TD> | |
291 | <TD>Yes</TD> | |
292 | <TD>Cancels all jobs on the server or a printer or class | |
293 | and removes the job history information.</TD> | |
294 | </TR> | |
295 | <TR> | |
296 | <TD NOWRAP><TT>Set-Printer-Attributes</TT></TD> | |
297 | <TD>No</TD> | |
298 | <TD>Sets printer or class information; CUPS uses | |
299 | CUPS-Add-Modify-Printer and CUPS-Add-Modify-Class | |
300 | instead.</TD> | |
301 | </TR> | |
302 | <TR> | |
303 | <TD NOWRAP><TT>Set-Job-Attributes</TT></TD> | |
304 | <TD>Yes</TD> | |
305 | <TD>Changes job options.</TD> | |
306 | </TR> | |
307 | <TR> | |
308 | <TD NOWRAP><TT>Get-Printer-Supported-Values</TT></TD> | |
309 | <TD>No</TD> | |
310 | <TD>Gets -supported attributes for a printer based on job | |
311 | options.</TD> | |
312 | </TR> | |
313 | <TR> | |
314 | <TD NOWRAP><TT>Create-Printer-Subscription</TT></TD> | |
315 | <TD>Yes</TD> | |
316 | <TD>Creates an event subscription for a printer or the server.</TD> | |
317 | </TR> | |
318 | <TR> | |
319 | <TD NOWRAP><TT>Create-Job-Subscription</TT></TD> | |
320 | <TD>Yes</TD> | |
321 | <TD>Creates an event subscription for a job.</TD> | |
322 | </TR> | |
323 | <TR> | |
324 | <TD NOWRAP><TT>Get-Subscription-Attributes</TT></TD> | |
325 | <TD>Yes</TD> | |
326 | <TD>Gets information for an event subscription.</TD> | |
327 | </TR> | |
328 | <TR> | |
329 | <TD NOWRAP><TT>Get-Subscriptions</TT></TD> | |
330 | <TD>Yes</TD> | |
331 | <TD>Gets a list of event subscriptions.</TD> | |
332 | </TR> | |
333 | <TR> | |
334 | <TD NOWRAP><TT>Renew-Subscription</TT></TD> | |
335 | <TD>Yes</TD> | |
336 | <TD>Renews an event subscription that is about to expire.</TD> | |
337 | </TR> | |
338 | <TR> | |
339 | <TD NOWRAP><TT>Cancel-Subscription</TT></TD> | |
340 | <TD>Yes</TD> | |
341 | <TD>Cancels an event subscription.</TD> | |
342 | </TR> | |
343 | <TR> | |
344 | <TD NOWRAP><TT>Get-Notifications</TT></TD> | |
345 | <TD>Yes</TD> | |
346 | <TD>Gets (pending) events for an event subscription.</TD> | |
347 | </TR> | |
348 | <TR> | |
349 | <TD NOWRAP><TT>Send-Notifications</TT></TD> | |
350 | <TD>No</TD> | |
351 | <TD>Sends events for an event subscription.</TD> | |
352 | </TR> | |
353 | <TR> | |
354 | <TD NOWRAP><TT>Get-Printer-Support-Files</TT></TD> | |
355 | <TD>No</TD> | |
356 | <TD>Gets printer driver files for a Novell client.</TD> | |
357 | </TR> | |
358 | <TR> | |
359 | <TD NOWRAP><TT>Enable-Printer</TT></TD> | |
360 | <TD>Yes</TD> | |
361 | <TD>Starts a printer or class.</TD> | |
362 | </TR> | |
363 | <TR> | |
364 | <TD NOWRAP><TT>Disable-Printer</TT></TD> | |
365 | <TD>Yes</TD> | |
366 | <TD>Stops a printer or class.</TD> | |
367 | </TR> | |
368 | <TR> | |
369 | <TD NOWRAP><TT>Pause-Printer-After-Current-Job</TT></TD> | |
370 | <TD>No</TD> | |
371 | <TD>Stops a printer or class after the current job is finished.</TD> | |
372 | </TR> | |
373 | <TR> | |
374 | <TD NOWRAP><TT>Hold-New-Jobs</TT></TD> | |
375 | <TD>No</TD> | |
376 | <TD>Holds new jobs submitted to a printer or class.</TD> | |
377 | </TR> | |
378 | <TR> | |
379 | <TD NOWRAP><TT>Release-Held-New-Jobs</TT></TD> | |
380 | <TD>No</TD> | |
381 | <TD>Releases jobs that were held because of the | |
382 | Hold-New-Jobs operation.</TD> | |
383 | </TR> | |
384 | <TR> | |
385 | <TD NOWRAP><TT>Deactivate-Printer</TT></TD> | |
386 | <TD>No</TD> | |
387 | <TD>Deactivates a printer or class.</TD> | |
388 | </TR> | |
389 | <TR> | |
390 | <TD NOWRAP><TT>Activate-Printer</TT></TD> | |
391 | <TD>No</TD> | |
392 | <TD>Activates a printer or class.</TD> | |
393 | </TR> | |
394 | <TR> | |
395 | <TD NOWRAP><TT>Restart-Printer</TT></TD> | |
396 | <TD>No</TD> | |
397 | <TD>Restarts a printer or class, resuming print jobs as needed.</TD> | |
398 | </TR> | |
399 | <TR> | |
400 | <TD NOWRAP><TT>Shutdown-Printer</TT></TD> | |
401 | <TD>No</TD> | |
402 | <TD>Powers a printer or class off.</TD> | |
403 | </TR> | |
404 | <TR> | |
405 | <TD NOWRAP><TT>Startup-Printer</TT></TD> | |
406 | <TD>No</TD> | |
407 | <TD>Powers a printer or class on.</TD> | |
408 | </TR> | |
409 | <TR> | |
410 | <TD NOWRAP><TT>Reprocess-Job</TT></TD> | |
411 | <TD>No</TD> | |
412 | <TD>Reprints a job on a different printer or class; CUPS has the | |
413 | CUPS-Move-Job operation instead.</TD> | |
414 | </TR> | |
415 | <TR> | |
416 | <TD NOWRAP><TT>Cancel-Current-Job</TT></TD> | |
417 | <TD>No</TD> | |
418 | <TD>Cancels the current job on a printer or class.</TD> | |
419 | </TR> | |
420 | <TR> | |
421 | <TD NOWRAP><TT>Suspend-Current-Job</TT></TD> | |
422 | <TD>No</TD> | |
423 | <TD>Stops the current job on a printer or class.</TD> | |
424 | </TR> | |
425 | <TR> | |
426 | <TD NOWRAP><TT>Resume-Job</TT></TD> | |
427 | <TD>No</TD> | |
428 | <TD>Resumes printing of a stopped job.</TD> | |
429 | </TR> | |
430 | <TR> | |
431 | <TD NOWRAP><TT>Promote-Job</TT></TD> | |
432 | <TD>No</TD> | |
433 | <TD>Prints a job before others.</TD> | |
434 | </TR> | |
435 | <TR> | |
436 | <TD NOWRAP><TT>Schedule-Job-After</TT></TD> | |
437 | <TD>No</TD> | |
438 | <TD>Prints a job after others.</TD> | |
439 | </TR> | |
440 | <TR> | |
441 | <TD NOWRAP><TT>CUPS-Get-Default</TT></TD> | |
442 | <TD>Yes</TD> | |
443 | <TD>Gets the server/network default printer or class.</TD> | |
444 | </TR> | |
445 | <TR> | |
446 | <TD NOWRAP><TT>CUPS-Get-Printers</TT></TD> | |
447 | <TD>Yes</TD> | |
448 | <TD>Gets a list of printers and/or classes.</TD> | |
449 | </TR> | |
450 | <TR> | |
451 | <TD NOWRAP><TT>CUPS-Add-Modify-Printer</TT></TD> | |
452 | <TD>Yes</TD> | |
453 | <TD>Adds or modifies a printer.</TD> | |
454 | </TR> | |
455 | <TR> | |
456 | <TD NOWRAP><TT>CUPS-Delete-Printer</TT></TD> | |
457 | <TD>Yes</TD> | |
458 | <TD>Removes a printer.</TD> | |
459 | </TR> | |
460 | <TR> | |
461 | <TD NOWRAP><TT>CUPS-Get-Classes</TT></TD> | |
462 | <TD>Yes</TD> | |
463 | <TD>Gets a list of classes.</TD> | |
464 | </TR> | |
465 | <TR> | |
466 | <TD NOWRAP><TT>CUPS-Add-Modify-Class</TT></TD> | |
467 | <TD>Yes</TD> | |
468 | <TD>Adds or modifies a class.</TD> | |
469 | </TR> | |
470 | <TR> | |
471 | <TD NOWRAP><TT>CUPS-Delete-Class</TT></TD> | |
472 | <TD>Yes</TD> | |
473 | <TD>Removes a class.</TD> | |
474 | </TR> | |
475 | <TR> | |
476 | <TD NOWRAP><TT>CUPS-Accept-Jobs</TT></TD> | |
477 | <TD>Yes</TD> | |
478 | <TD>Sets a printer's or class' printer-is-accepting-jobs | |
479 | attribute to true.</TD> | |
480 | </TR> | |
481 | <TR> | |
482 | <TD NOWRAP><TT>CUPS-Reject-Jobs</TT></TD> | |
483 | <TD>Yes</TD> | |
484 | <TD>Sets a printer's or class' printer-is-accepting-jobs | |
485 | attribute to false.</TD> | |
486 | </TR> | |
487 | <TR> | |
488 | <TD NOWRAP><TT>CUPS-Set-Default</TT></TD> | |
489 | <TD>Yes</TD> | |
490 | <TD>Sets the server/network default printer or class.</TD> | |
491 | </TR> | |
492 | <TR> | |
493 | <TD NOWRAP><TT>CUPS-Get-Devices</TT></TD> | |
494 | <TD>Yes</TD> | |
495 | <TD>Gets a list of printer devices.</TD> | |
496 | </TR> | |
497 | <TR> | |
498 | <TD NOWRAP><TT>CUPS-Get-PPDs</TT></TD> | |
499 | <TD>Yes</TD> | |
500 | <TD>Gets a list of printer drivers or manufacturers.</TD> | |
501 | </TR> | |
502 | <TR> | |
503 | <TD NOWRAP><TT>CUPS-Move-Job</TT></TD> | |
504 | <TD>Yes</TD> | |
505 | <TD>Moves a job to a different printer or class.</TD> | |
506 | </TR> | |
507 | <TR> | |
508 | <TD NOWRAP><TT>CUPS-Authenticate-Job</TT></TD> | |
509 | <TD>Yes</TD> | |
510 | <TD>Authenticates a job for printing.</TD> | |
511 | </TR> | |
512 | </TBODY> | |
513 | </TABLE></DIV> | |
514 | ||
515 | ||
516 | <H2 CLASS="title"><A NAME="CREATING">Creating Your Own Policies</A></H2> | |
517 | ||
518 | <P>The easiest way to create a new policy is to start with the | |
519 | default policy and then make changes to the copy. The first | |
520 | change you'll make is to give the policy a new name. Policy names | |
521 | can use the same characters as a printer name, specifically all | |
522 | printable characters except space, slash (/), and pound (#):</P> | |
523 | ||
524 | <PRE CLASS="command"> | |
525 | <Policy mypolicy> | |
526 | </PRE> | |
527 | ||
528 | <P>Then you need to decide exactly what limits you want for the | |
529 | policy. For example, if you want to allow any user to cancel any | |
530 | other user's jobs, you can change the <TT>Cancel-Job</TT> limits | |
531 | to:</P> | |
532 | ||
533 | <PRE CLASS="command"> | |
534 | <Limit Cancel-Job> | |
535 | Order deny,allow | |
536 | </Limit> | |
537 | </PRE> | |
538 | ||
539 | <P>The directives inside the <TT>Limit</TT> subsection can use | |
540 | any of the normal limiting directives: <A | |
541 | HREF="ref-cupsd-conf.html#Allow"><TT>Allow</TT></A>, <A | |
542 | HREF="ref-cupsd-conf.html#AuthType"><TT>AuthType</TT></A>, <A | |
543 | HREF="ref-cupsd-conf.html#Deny"><TT>Deny</TT></A>, <A | |
544 | HREF="ref-cupsd-conf.html#Encryption"><TT>Encryption</TT></A>, <A | |
545 | HREF="ref-cupsd-conf.html#Require"><TT>Require</TT></A>, and <A | |
546 | HREF="ref-cupsd-conf.html#Satisfy"><TT>Satisfy</TT></A>. <A | |
547 | HREF="#TABLE02">Table 2</A> lists some basic "recipes" for | |
548 | different access control rules.</P> | |
549 | ||
550 | <DIV CLASS="table"><TABLE WIDTH="80%" SUMMARY="Access Control Recipes"> | |
551 | <CAPTION>Table 2: <A NAME="TABLE02">Access Control Recipes</A></CAPTION> | |
552 | <THEAD> | |
553 | <TR> | |
554 | <TH>Access Level</TH> | |
555 | <TH>Directives to Use</TH> | |
556 | </TR> | |
557 | </THEAD> | |
558 | <TBODY> | |
559 | <TR> | |
560 | <TD>Allow Everyone</TD> | |
561 | <TD><PRE>Order deny,allow | |
562 | Allow from all</PRE></TD> | |
563 | </TR> | |
564 | <TR> | |
565 | <TD>Allow Everyone on the Local Network</TD> | |
566 | <TD><PRE>Order deny,allow | |
567 | Allow from @LOCAL</PRE></TD> | |
568 | </TR> | |
569 | <TR> | |
570 | <TD>Deny Everyone/Disable Operation(s)</TD> | |
571 | <TD><PRE>Order allow,deny | |
572 | Deny from all</PRE></TD> | |
573 | </TR> | |
574 | <TR> | |
575 | <TD>Require Login (System) Password</TD> | |
576 | <TD><PRE>AuthType Basic</PRE></TD> | |
577 | </TR> | |
578 | <TR> | |
579 | <TD>Require CUPS (lppasswd) Password</TD> | |
580 | <TD><PRE>AuthType BasicDigest</PRE></TD> | |
581 | </TR> | |
582 | <TR> | |
583 | <TD>Require the Owner of a Job or Subscription</TD> | |
584 | <TD><PRE>Require user @OWNER</PRE></TD> | |
585 | </TR> | |
586 | <TR> | |
587 | <TD>Require an Administrative User</TD> | |
588 | <TD><PRE>Require user @SYSTEM</PRE></TD> | |
589 | </TR> | |
590 | <TR> | |
591 | <TD>Require Member of Group "foogroup"</TD> | |
592 | <TD><PRE>Require user @foogroup</PRE></TD> | |
593 | </TR> | |
594 | <TR> | |
595 | <TD>Require "john" or "mary"</TD> | |
596 | <TD><PRE>Require user john mary</PRE></TD> | |
597 | </TR> | |
598 | <TR> | |
599 | <TD>Require Encryption</TD> | |
600 | <TD><PRE>Encryption Required</PRE></TD> | |
601 | </TR> | |
602 | </TBODY></TABLE></DIV> | |
603 | ||
604 | ||
605 | <H3>Creating a Policy for a Computer Lab</H3> | |
606 | ||
607 | <P>One common operating scenario is a computer lab. The lab is | |
608 | managed by one or more technicians that assist the users of the | |
609 | lab and handle the basic administration tasks. <A | |
610 | HREF="#LISTING02">Listing 2</A> shows an operation policy that | |
611 | only allows access from the lab's subnet, 10.0.2.x, and allows | |
612 | the lab technicians, who are members of a special UNIX group for | |
613 | that lab called "lab999", to do job, printer, and subscription | |
614 | management operations.</P> | |
615 | ||
616 | <PRE CLASS="command"> | |
617 | <EM>Listing 2: <A NAME="LISTING02">Operation Policy for a Lab</A></EM> | |
618 | ||
619 | 1 <Policy lab999> | |
620 | 2 # Job- and subscription-related operations must be done | |
355e94dc | 621 | by the owner, a lab technician, or an administrator... |
8ca02f3c | 622 | 3 <Limit Send-Document Send-URI Hold-Job Release-Job |
623 | Restart-Job Purge-Jobs Set-Job-Attributes | |
624 | Create-Job-Subscription Renew-Subscription | |
625 | Cancel-Subscription Get-Notifications Reprocess-Job | |
626 | Cancel-Current-Job Suspend-Current-Job Resume-Job | |
627 | CUPS-Move-Job Cancel-Job CUPS-Authenticate-Job> | |
628 | 4 Require user @OWNER @lab999 @SYSTEM | |
629 | 5 Order allow,deny | |
630 | 6 Allow from 10.0.2.0/24 | |
631 | 7 </Limit> | |
632 | 8 | |
633 | 9 # All administration operations require a lab technician | |
355e94dc | 634 | or an administrator to authenticate... |
8ca02f3c | 635 | 10 <Limit Pause-Printer Resume-Printer |
636 | Set-Printer-Attributes Enable-Printer Disable-Printer | |
637 | Pause-Printer-After-Current-Job Hold-New-Jobs | |
638 | Release-Held-New-Jobs Deactivate-Printer Activate-Printer | |
639 | Restart-Printer Shutdown-Printer Startup-Printer | |
640 | Promote-Job Schedule-Job-After CUPS-Accept-Jobs | |
641 | CUPS-Reject-Jobs CUPS-Set-Default> | |
355e94dc | 642 | 11 AuthType Default |
8ca02f3c | 643 | 12 Require user @lab999 @SYSTEM |
644 | 13 Order allow,deny | |
645 | 14 Allow from 10.0.2.0/24 | |
646 | 15 </Limit> | |
647 | 16 | |
648 | 17 # All other operations are allowed from the lab network... | |
649 | 18 <Limit All> | |
650 | 19 Order allow,deny | |
651 | 20 Allow from 10.0.2.0/24 | |
652 | 21 </Limit> | |
653 | 22 </Policy> | |
654 | </PRE> | |
655 | ||
656 | ||
657 | <H2 CLASS="title"><A NAME="SELECT">Using Policies</A></H2> | |
658 | ||
659 | <P>Once you have created a policy, you can use it in two ways. | |
660 | The first way is to assign it as the default policy for the | |
661 | system using the <A | |
662 | HREF="ref-cupsd-conf.html#DefaultPolicy"><TT>DefaultPolicy</TT></A> | |
663 | directive in the <VAR>cupsd.conf</VAR> file. For example, add the | |
664 | following line to the <VAR>cupsd.conf</VAR> file to use the | |
665 | "lab999" policy from the previous section:</P> | |
666 | ||
667 | <PRE CLASS="command"> | |
668 | DefaultPolicy lab999 | |
669 | </PRE> | |
670 | ||
671 | <P>The second way is to associate the policy with one or more | |
672 | printers. Use either the <A HREF="man-lpadmin.html">lpadmin(8)</A> | |
673 | command or the web interface to change the operation policy for each printer. When | |
674 | using the <B>lpadmin</B> command, the <TT>-o | |
675 | printer-op-policy=name</TT> option sets the operation policy for | |
676 | a printer. For example, enter the following command to use the | |
677 | "lab999" policy from the previous section with a printer named | |
678 | "LaserJet4000":</P> | |
679 | ||
680 | <PRE CLASS="command"> | |
681 | lpadmin -p LaserJet4000 -o printer-op-policy=lab999 | |
682 | </PRE> | |
683 | ||
684 | <P>To make the same change in the web interface, go to the | |
685 | printer's web page, for example | |
686 | "http://localhost:631/printers/LaserJet4000", and click on the | |
687 | <VAR>Set Printer Options</VAR> button. Scroll down to the bottom | |
688 | of the page and choose the desired policy from the pull-down | |
2e4ff8af | 689 | list. Click on <VAR>Set Printer Options</VAR> to change the policy for |
8ca02f3c | 690 | the printer.</P> |
691 | ||
692 | </BODY> | |
693 | </HTML> |
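
An added example, not part of the CUPS documentation or source: a Python sketch that parses `<Policy>` sections laid out as on this page, picks the `<Limit>` that applies to an operation (falling back to `All`), and reports whether the client address passes `Order`/`Allow`/`Deny` and whether the user name is authenticated or only taken from the request because no `AuthType` is set. The function names and test addresses are hypothetical, and only literal networks and `all` are handled in `Allow`/`Deny` lines.

```python
import ipaddress
import re

# Constructed sample: an abbreviated copy of the page's "lab999" policy.
SAMPLE = """\
<Policy lab999>
  <Limit Send-Document Hold-Job Release-Job Cancel-Job CUPS-Move-Job>
    Require user @OWNER @lab999 @SYSTEM
    Order allow,deny
    Allow from 10.0.2.0/24
  </Limit>
  <Limit Pause-Printer Resume-Printer CUPS-Set-Default>
    AuthType Default
    Require user @lab999 @SYSTEM
    Order allow,deny
    Allow from 10.0.2.0/24
  </Limit>
  # All other operations are allowed from the lab network...
  <Limit All>
    Order allow,deny
    Allow from 10.0.2.0/24
  </Limit>
</Policy>
"""

def parse_policies(text):
    """Return {policy name: [limit, ...]}, one dict per <Limit> subsection."""
    policies, current, limit = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        opening = re.fullmatch(r"<(Policy|Limit)\s+(.+)>", line)
        if opening and opening.group(1) == "Policy":
            current = policies.setdefault(opening.group(2), [])
        elif opening and current is not None:        # ignore <Limit> outside a policy
            limit = {"ops": opening.group(2).lower().split(), "authtype": None,
                     "require": [], "order": None, "allow": [], "deny": []}
            current.append(limit)
        elif line in ("</Policy>", "</Limit>"):
            limit = None
            current = None if line == "</Policy>" else current
        elif limit is not None:
            key, *args = line.split()
            if args and args[0].lower() in ("from", "user"):
                args = args[1:]                      # drop the "from" / "user" keyword
            if key.lower() in ("allow", "deny", "require"):
                limit[key.lower()] += args
            elif key.lower() in ("authtype", "order") and args:
                limit[key.lower()] = args[0].lower()
    return policies

def match_limit(limits, operation):
    """Pick the <Limit> naming the operation, else the special <Limit All>."""
    named = [l for l in limits if operation.lower() in l["ops"]]
    fallback = [l for l in limits if "all" in l["ops"]]
    return (named or fallback or [None])[0], not named

def host_allowed(limit, address):
    """Apply Order/Allow/Deny to an address (literal networks and "all" only)."""
    ip = ipaddress.ip_address(address)
    def hit(entries):
        return any(e.lower() == "all" or ip in ipaddress.ip_network(e, strict=False)
                   for e in entries)
    if limit["order"] == "allow,deny":       # denied unless an Allow line matches
        return hit(limit["allow"]) and not hit(limit["deny"])
    return not hit(limit["deny"]) or hit(limit["allow"])   # deny,allow

def decide(limits, operation, address):
    """Summarise what a policy demands for one operation from one client."""
    limit, fallback = match_limit(limits, operation)
    if limit is None:
        return None                          # policy has no matching rule and no All
    if limit["authtype"] not in (None, "none"):
        identity = "authenticated"
    else:   # no AuthType: the user name may come from the IPP request itself
        identity = "from-request" if limit["require"] else "not-checked"
    return {"fallback": fallback, "host_ok": host_allowed(limit, address),
            "identity": identity, "require": limit["require"]}
```

Calling `decide()` for every name in Table 1 shows which operations a policy leaves to `<Limit All>` and which `Require` lines are not backed by an `AuthType`.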