On 04/05/2014 11:02 AM, Remi FERRAND wrote:
> Hi everyone,
>
> Sorry for the spam if this list isn't the one I should use to discuss 
> remctl (http://www.eyrie.org/~eagle/software/remctl/).
>
> At IN2P3 Computing Centre, we're starting to use remctl for everything that 
> requires privilege delegation (till now, this software seems perfect for what 
> we want).
>
> Anyway, the more we use it, the more we believe its default ACL bundle 
> ("file, princ, deny, pcre, regex" from the EPEL version) is missing something 
> related to *groups*.
>
> For instance, we'd like to be able to allow "Every member of team A" to 
> execute one command on a particular host.
> This way, we could allow "all members of a particular physics experiment" to 
> release their AFS volumes for instance.
>
> We were unable to find a simple way to do this with the current remctl ACL 
> methods, that's why we've submitted a first patch 
> (https://github.com/rra/remctl/pull/1).
> This patch introduces a new ACL method named "unxgrp" and is still not merged 
> in master.
> It was an easy (and fast to write) answer to our problem.
>
> For now, the default EPEL remctl package comes with "remctl server local 
> only" ACL scheme (ACL that only involves local remctl server resources).
> What we're trying to do here is to introduce an ACL scheme (PTS or unxgrp) that 
> could use network based providers (and thus allow centralization and 
> factorization of ACLs).
>
>
> As we were writing this piece of code we thought that at CC-IN2P3 we are 
> using OpenAFS.
> AFS brings a PTS DB that could be used as a convenient way to distribute 
> groups.
>
> For instance with the PTS group above:
>
>>>> % pts mem remctl:testgrp -expand
>>>> Expanded Members of remctl:testgrp (id: -6556) are:
>>>>    user1
>>>>    user2
> we could be able to use the following ACL in remctl configuration file:
>
>>>> pts_group:remctl:testgrp
> to allow user1 and user2 to execute a command.
>
>
> Before any further development, we'd like to know if someone could be 
> interested in that feature?
> Does someone think that we absolutely shouldn't do that?
> If so we'll talk later of the implementation.
>
> More important for us, we'd like to know what Russ Allbery thinks about that 
> as he is the main developer of remctl.
> Thank you in advance for your answer.
>
>
> Thanks all for your answers and comments.
>
> Cheers
>

At our site, we made similar functionality by writing a script to 
generate a part of our remctl config based on the members of a PTS 
group. I look forward to being able to use this and removing one more 
script.

Jason
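The approach Jason describes (generating remctl ACL entries from a PTS group) as an added example, not the script from his site and not remctl's own code. It parses the `pts membership -expand` output shown in Remi's message, assumes every PTS user name maps to the Kerberos principal `user@REALM` (the realm is a placeholder), and fails closed on unexpected output rather than emitting a bogus ACL file.

```python
#!/usr/bin/env python3
"""Generate a remctl ACL file from the members of an AFS PTS group.

Added example, not remctl's or any site's own code.  Assumes PTS user
names map to Kerberos principals as user@REALM (REALM is a placeholder)
and that the resulting file is referenced as an ACL from remctl.conf.
"""
import re
import subprocess
from typing import List

# Header printed by `pts membership <group>` with or without -expand.
HEADER = re.compile(r"^(Expanded )?Members of (?P<group>\S+) \(id: -?\d+\) are:$")


def parse_pts_members(output: str) -> List[str]:
    """Return the user names listed under the pts header.

    Raises on an unrecognised header so a failing or changed pts command
    never silently produces an empty or wrong ACL.  Entries containing a
    colon are nested PTS groups (only present without -expand) and are
    skipped rather than turned into bogus principals.
    """
    lines = output.splitlines()
    if not lines or not HEADER.match(lines[0].strip()):
        raise ValueError("unexpected pts output: %r" % lines[:1])
    members = [l.strip() for l in lines[1:]]
    return sorted({m for m in members if m and ":" not in m})


def remctl_acl_lines(members: List[str], realm: str) -> List[str]:
    """One remctl ACL entry per user, using the explicit princ: scheme."""
    return ["princ:%s@%s" % (m, realm) for m in members]


def render_acl(group: str, output: str, realm: str) -> str:
    """Full ACL file body: a marker comment followed by the entries."""
    body = ["# Generated from PTS group %s; do not edit by hand" % group]
    body += remctl_acl_lines(parse_pts_members(output), realm)
    return "\n".join(body) + "\n"


def pts_membership(group: str) -> str:
    """Query PTS for real; only used outside the embedded sample below."""
    return subprocess.check_output(["pts", "membership", group, "-expand"], text=True)


# Constructed sample, shaped like the output quoted in the thread.
SAMPLE_OUTPUT = "Expanded Members of remctl:testgrp (id: -6556) are:\n   user1\n   user2\n"

if __name__ == "__main__":
    print(render_acl("remctl:testgrp", SAMPLE_OUTPUT, "EXAMPLE.COM"), end="")
```

Write the rendered text to a temporary file and rename it over the ACL file so remctld never reads a half-written list.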
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
