Kenny,

Sounds like a cunning plan! Will go experiment.

Thanks,
Laura

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, January 13, 2020 5:23 PM, Kenneth MacDonald <kenneth.macdon...@ed.ac.uk> wrote:

> Laura,
>
> If you can change the name of the principal Salt is using, then your
> authorisation rules would not require one to deny it any other
> permissions. The "admin" word isn't required to grant admin type
> permissions.
>
> For example if you changed it to "saltstack/salt.admin" you'd only
> require,
>
> saltstack/salt.admin admcil */nfs
>
> Cheers,
>
> Kenny.
>
> On Mon, 2020-01-13 at 16:54 +0000, Laura Smith wrote:
>
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > On Monday, January 13, 2020 4:19 PM, Greg Hudson ghud...@mit.edu wrote:
> >
> > > On 1/13/20 3:44 AM, Laura Smith wrote:
> > >
> > > > Am aware of the list ordering requirement, and to that extent the
> > > > ACL entry in question was quite deliberately placed at the top.
> > >
> > > kadmind will continue on if the operation's target doesn't match the
> > > entry's target. So if you have a later entry for, say, "*/admin",
> > > then the line "saltstack/admin ADMCIL nfs/*" would serve to deny access
> > > to nfs/ principals (because of the uppercase permission bits),
> > > but would have no effect on other target principals, or on
> > > operations with no target like list_principals.
> > >
> > > The documentation could probably be clarified here; it talks about "the
> > > first matching entry", but doesn't say what has to match.
> >
> > Aah, so are we saying I should try something like:
> >
> > saltstack/admin admcil nfs/*
> > saltstack/admin ADMCIL *
> >
> > Basically my end goal is to allow saltstack/admin to do what it likes
> > (within reason) for nfs/* but keep it well away from anything more
> > "important" (such as */admin).
> >
> > > > admcil nfs/@KRBTEST.COM, are you saying I should not be putting
> > > > the wildcard asterisk after nfs/ ?
> > >
> > > The wildcard asterisk was there in the mail I sent out (I checked my
> > > outgoing mail), but was apparently mangled by a piece of email
> > > software.
> >
> > Yes, you're right. Have read your original and indeed asterisk is
> > there.
> >
> > Kerberos mailing list Kerberos@mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
> --
> The University of Edinburgh is a charitable body, registered in
> Scotland, with registration number SC005336.
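As an added illustration (not code from the thread, and not kadmind's own implementation), the following Python model walks a kadm5.acl file using exactly the evaluation order Greg describes: entries are scanned top to bottom, an entry whose target does not match the operation's target is skipped so later entries still apply, a target-bearing entry never applies to a target-less operation such as list_principals, and the first entry that matches on both client and target decides. Everything else is an assumption of the model: the realm KRBTEST.COM is used as the default when a pattern omits one, `*` matches exactly one whole principal component (so component counts must agree; `*1`-style back-references are not handled), the privilege letter set is taken from the common kadm5.acl letters, and the trailing `*/admin *` line in both constructed ACLs stands in for the hypothetical "later entry for */admin" Greg mentions.

```python
"""Model of kadm5.acl evaluation order as described in the thread (added example,
not kadmind source). Assumptions: default realm KRBTEST.COM, '*' matches one
whole component, no '*1' back-references, privilege letters as in ALL_PRIVS."""
from dataclasses import dataclass
from typing import List, Optional, Set

DEFAULT_REALM = "KRBTEST.COM"   # assumed default realm for realm-less patterns
ALL_PRIVS = set("adlmcipse")     # assumed privilege letters for this model


def split_principal(name: str):
    """'nfs/host@REALM' -> (['nfs', 'host'], 'REALM'); realm defaults if absent."""
    base, realm = name.rsplit("@", 1) if "@" in name else (name, DEFAULT_REALM)
    return base.split("/"), realm


def pattern_matches(pattern: str, principal: str) -> bool:
    """Component-wise match; '*' matches any single component or the realm."""
    pcomps, prealm = split_principal(pattern)
    comps, realm = split_principal(principal)
    if prealm not in ("*", realm) or len(pcomps) != len(comps):
        return False
    return all(p in ("*", c) for p, c in zip(pcomps, comps))


def parse_perms(perms: str) -> Set[str]:
    """Lowercase grants a privilege, uppercase withholds it, '*' or 'x' grants all."""
    granted: Set[str] = set()
    for ch in perms:
        if ch in ("*", "x"):
            granted |= ALL_PRIVS
        elif ch.islower():
            granted.add(ch)
        else:
            granted.discard(ch.lower())
    return granted


@dataclass
class AclEntry:
    client: str
    privs: Set[str]
    target: Optional[str]


def parse_acl(text: str) -> List[AclEntry]:
    """Parse 'client perms [target]' lines; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed kadm5.acl line: {raw!r}")
        target = fields[2] if len(fields) > 2 else None
        entries.append(AclEntry(fields[0], parse_perms(fields[1]), target))
    return entries


def authorized(entries: List[AclEntry], client: str, priv: str,
               target: Optional[str] = None) -> bool:
    """First entry matching on client AND target decides; no match means denied."""
    for e in entries:
        if not pattern_matches(e.client, client):
            continue
        if e.target is not None:
            # A target-bearing entry is skipped when the operation's target does
            # not match, and for target-less operations such as list_principals.
            if target is None or not pattern_matches(e.target, target):
                continue
        return priv in e.privs
    return False


# Constructed ACLs (not Laura's real file). '*/admin *' is the hypothetical
# later catch-all entry Greg mentions.
ACL_BEFORE = """
saltstack/admin ADMCIL nfs/*
*/admin *
"""
ACL_AFTER = """
saltstack/admin admcil nfs/*
saltstack/admin ADMCIL *
*/admin *
"""


def demo() -> dict:
    before, after = parse_acl(ACL_BEFORE), parse_acl(ACL_AFTER)
    return {
        # The deny-only line bites for nfs/ targets but nothing else falls to it.
        "before_add_nfs": authorized(before, "saltstack/admin", "a", "nfs/host1"),
        "before_add_host": authorized(before, "saltstack/admin", "a", "host/box1"),
        "before_list": authorized(before, "saltstack/admin", "l"),
        "after_add_nfs": authorized(after, "saltstack/admin", "a", "nfs/host1"),
        "after_add_user": authorized(after, "saltstack/admin", "a", "alice"),
        # Target-bearing entries never apply to a target-less list operation,
        # so the later '*/admin' catch-all still grants it.
        "after_list": authorized(after, "saltstack/admin", "l"),
        # Allowed here only because this model's '*' matches a single component;
        # verify how your kadmind's wildcard treats multi-component targets.
        "after_modify_other_admin": authorized(after, "saltstack/admin", "m", "other/admin"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

The two results worth noting are `before_add_host` and `after_list`: a deny entry scoped to `nfs/*` says nothing about other targets, and neither of Laura's target-scoped lines constrains list_principals, so whatever later catch-all exists decides those cases. The last result depends on the model's one-component wildcard and should be checked against the kadm5.acl documentation for the version in use before relying on `saltstack/admin ADMCIL *` to cover two-component targets.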