From 72a4b0af1a6cd07eee178cf3ff1df0e0857f5312 Mon Sep 17 00:00:00 2001 From: Greg Hudson Date: Wed, 28 Jun 2017 18:06:29 -0400 Subject: [PATCH] Clarify "all privileges" in kadm5.acl docs In the kadm5.acl example, be more careful about saying "all privileges", as the recently added extract privilege is not covered by "*" or "x". ticket: 8594 (new) target_version: 1.15-next tags: pullup --- doc/admin/conf_files/kadm5_acl.rst | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/doc/admin/conf_files/kadm5_acl.rst b/doc/admin/conf_files/kadm5_acl.rst index d23fb8a578..138a2d76e8 100644 --- a/doc/admin/conf_files/kadm5_acl.rst +++ b/doc/admin/conf_files/kadm5_acl.rst 
@@ -116,16 +116,17 @@ Here is an example of a kadm5.acl file:: */root@ATHENA.MIT.EDU l * # line 5 sms@ATHENA.MIT.EDU x * -maxlife 9h -postdateable # line 6 -(line 1) Any principal in the ``ATHENA.MIT.EDU`` realm with -an ``admin`` instance has all administrative privileges. - -(lines 1-3) The user ``joeadmin`` has all permissions with his -``admin`` instance, ``joeadmin/admin@ATHENA.MIT.EDU`` (matches line -1). He has no permissions at all with his null instance, -``joeadmin@ATHENA.MIT.EDU`` (matches line 2). His ``root`` and other -non-``admin``, non-null instances (e.g., ``extra`` or ``dbadmin``) have -inquire permissions with any principal that has the instance ``root`` -(matches line 3). +(line 1) Any principal in the ``ATHENA.MIT.EDU`` realm with an +``admin`` instance has all administrative privileges except extracting +keys. + +(lines 1-3) The user ``joeadmin`` has all permissions except +extracting keys with his ``admin`` instance, +``joeadmin/admin@ATHENA.MIT.EDU`` (matches line 1). He has no +permissions at all with his null instance, ``joeadmin@ATHENA.MIT.EDU`` +(matches line 2). His ``root`` and other non-``admin``, non-null +instances (e.g., ``extra`` or ``dbadmin``) have inquire permissions +with any principal that has the instance ``root`` (matches line 3). (line 4) Any ``root`` principal in ``ATHENA.MIT.EDU`` can inquire or change the password of their null instance, but not any other @@ -139,9 +140,9 @@ permission can only be granted globally, not to specific target principals. (line 6) Finally, the Service Management System principal -``sms@ATHENA.MIT.EDU`` has all permissions, but any principal that it -creates or modifies will not be able to get postdateable tickets or -tickets with a life of longer than 9 hours. +``sms@ATHENA.MIT.EDU`` has all permissions except extracting keys, but +any principal that it creates or modifies will not be able to get +postdateable tickets or tickets with a life of longer than 9 hours. SEE ALSO -------- -- 2.47.2
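Review bot: in the first hunk (@@ -116), the rewritten descriptions of line 1 and lines 1-3 now say "all administrative privileges except extracting keys" and "all permissions except extracting keys", but neither paragraph tells the reader which ACL flag does grant key extraction; since the commit message states that the extract privilege is covered by neither `*` nor `x`, a short cross-reference to wherever that flag is documented in this file (or one sentence after the line 1 description naming it) would save the reader a search. Minor style point: the two paragraphs use "administrative privileges" and "permissions" for the same thing; using one term in both avoids suggesting they differ.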
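Review bot: in the second hunk (@@ -139), "has all permissions except extracting keys" for `sms@ATHENA.MIT.EDU` is the third repetition of the same caveat within the walkthrough of one example; a single note after the example (e.g. "Note that `*` and `x` do not include the extract privilege") would let the per-line descriptions for lines 1, 1-3 and 6 say "all other permissions" without restating it each time, and would be one place to update if the privilege set changes again. The rewrapping of the paragraph is otherwise fine.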