Laura,

If you can change the name of the principal Salt is using, then your authorisation rules would not require one to deny it any other permissions. The "admin" word isn't required to grant admin type permissions.

For example if you changed it to "saltstack/salt.admin" you'd only require:

saltstack/salt.admin admcil */nfs

Cheers,
Kenny.

On Mon, 2020-01-13 at 16:54 +0000, Laura Smith wrote:
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Monday, January 13, 2020 4:19 PM, Greg Hudson <ghud...@mit.edu> wrote:
>
> > On 1/13/20 3:44 AM, Laura Smith wrote:
> >
> > > Am aware of the list ordering requirement, and to that extent the
> > > ACL entry in question was quite deliberately placed at the top.
> >
> > kadmind will continue on if the operation's target doesn't match the
> > entry's target. So if you have a later entry for, say, "*/admin",
> > then the line "saltstack/admin ADMCIL nfs/*" would serve to deny access
> > to nfs/ principals (because of the uppercase permission bits),
> > but would have no effect on other target principals, or on
> > operations with no target like list_principals.
> >
> > The documentation could probably be clarified here; it talks about "the
> > first matching entry", but doesn't say what has to match.
>
> Aah, so are we saying I should try something like:
> saltstack/admin admcil nfs/*
> saltstack/admin ADMCIL *
>
> Basically my end goal is to allow saltstack/admin to do what it likes
> (within reason) for nfs/* but keep it well away from anything more
> "important" (such as */admin).
>
> > > admcil nfs/*@KRBTEST.COM, are you saying I should not be putting
> > > the wildcard asterisk after nfs/ ?
> >
> > The wildcard asterisk was there in the mail I sent out (I checked my
> > outgoing mail), but was apparently mangled by a piece of email
> > software.
>
> Yes, you're right. Have read your original and indeed asterisk is
> there.
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
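To make the matching rule Greg describes concrete, here is a small Python model of kadm5.acl evaluation, added to this thread as an illustration; it is not krb5's code. It encodes the behaviour stated above (entries are scanned top-down; the first entry whose client principal matches and whose target, if it has one, also matches decides; entries carrying a target are skipped for target-less operations such as list_principals; lower-case letters grant and upper-case letters revoke), plus kadm5.acl(5)'s rule that each part of a principal name may be wildcarded with "*". The default realm KRBTEST.COM, the three ACL files, and the principals nfs/host1 and host/admin are constructed for the example.

```python
"""
Toy model of how MIT kadmind evaluates kadm5.acl, written for this thread.
Not krb5's code: it follows the behaviour described above (first entry whose
client AND target both match decides; entries with a target are skipped for
target-less operations) and the kadm5.acl(5) permission letters.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

DEFAULT_REALM = "KRBTEST.COM"  # assumption: the KDC's default realm

# kadm5.acl(5) letters; 'x' or '*' expands to "admcilsp" ('e' must be explicit).
LETTERS = {"a": "add", "d": "delete", "m": "modify", "c": "changepw",
           "i": "inquire", "l": "list", "s": "setkey", "p": "iprop",
           "e": "extract"}
ALL_MASK = "admcilsp"


def parse_permissions(perms: str) -> Set[str]:
    """Left to right: lower case grants a right, upper case revokes it,
    so "ADMCIL" on its own yields an empty set, i.e. an explicit deny."""
    granted: Set[str] = set()
    for ch in perms:
        if ch in "x*":
            granted.update(LETTERS[c] for c in ALL_MASK)
        elif ch in LETTERS:
            granted.add(LETTERS[ch])
        elif ch.lower() in LETTERS:
            granted.discard(LETTERS[ch.lower()])
        else:
            raise ValueError(f"unknown permission letter {ch!r}")
    return granted


def split_principal(name: str):
    """'nfs/*@REALM' -> (['nfs', '*'], 'REALM'); no realm means the default realm."""
    princ, sep, realm = name.rpartition("@")
    if not sep:
        princ, realm = name, DEFAULT_REALM
    return princ.split("/"), realm


def match_princ(pattern: str, principal: str) -> bool:
    """Each part may be wildcarded with '*'; a '*' covers exactly one component,
    so component counts must agree ('*' alone does not match 'host/admin')."""
    pat_comps, pat_realm = split_principal(pattern)
    comps, realm = split_principal(principal)
    if len(pat_comps) != len(comps) or pat_realm not in ("*", realm):
        return False
    return all(p in ("*", c) for p, c in zip(pat_comps, comps))


@dataclass
class AclEntry:
    client: str
    granted: Set[str]
    target: Optional[str] = None  # None: entry applies to every target


def parse_acl(text: str) -> List[AclEntry]:
    """principal permissions [target]; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        target = fields[2] if len(fields) > 2 else None
        entries.append(AclEntry(fields[0], parse_permissions(fields[1]), target))
    return entries


def permitted(acl: List[AclEntry], client: str, op: str,
              target: Optional[str] = None) -> bool:
    """Scan top-down; the first entry matching both client and target decides.
    With no matching entry at all, the operation is denied."""
    for e in acl:
        if not match_princ(e.client, client):
            continue
        if e.target is not None:
            if target is None:            # list_principals etc. carry no target:
                continue                  # entries with a target never apply
            if not match_princ(e.target, target):
                continue                  # kadmind keeps looking at later entries
        return op in e.granted
    return False


# Constructed ACL files following the thread (not a real site's kadm5.acl).
# Deny line first, but it only covers nfs/ targets; the later */admin entry
# then grants everything else, including every target-less operation.
DENY_FIRST = "saltstack/admin ADMCIL nfs/*\n*/admin x\n"
# Laura's proposed pair.
PROPOSED = "saltstack/admin admcil nfs/*\nsaltstack/admin ADMCIL *\n"
# Kenny's suggestion: a client that is not */admin needs no deny line at all.
RENAMED = "saltstack/salt.admin admcil nfs/*\n"


def outcomes(acl_text: str, client: str) -> dict:
    acl = parse_acl(acl_text)
    return {"add nfs/host1": permitted(acl, client, "add", "nfs/host1"),
            "modify host/admin": permitted(acl, client, "modify", "host/admin"),
            "list_principals": permitted(acl, client, "list")}


if __name__ == "__main__":
    print("deny-first:", outcomes(DENY_FIRST, "saltstack/admin"))
    print("proposed:  ", outcomes(PROPOSED, "saltstack/admin"))
    print("renamed:   ", outcomes(RENAMED, "saltstack/salt.admin"))
```

Running it reproduces Greg's observation: with the deny line first, saltstack/admin is refused on nfs/host1 but allowed to modify host/admin and to list principals, because the deny entry is never consulted for those operations. With the proposed pair, or with the renamed principal, the nfs/ operations succeed and the rest are refused. Note that in this model, as in kadmind, an operation with no matching entry is denied, and under the per-component wildcard rule a bare "*" target only names one-component principals, so the trailing ADMCIL line mainly documents intent rather than changing the result.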