‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, January 13, 2020 4:19 PM, Greg Hudson <ghud...@mit.edu> wrote:

> On 1/13/20 3:44 AM, Laura Smith wrote:
>
> > Am aware of the list ordering requirement, and to that extent the ACL entry
> > in question was quite deliberately placed at the top.
>
> kadmind will continue on if the operation's target doesn't match the
> entry's target. So if you have a later entry for, say, "/admin ",
> then the line "saltstack/admin ADMCIL nfs/" would serve to deny access
> to nfs/ principals (because of the uppercase permission bits), but would have
> no effect on other target principals, or on operations with
> no target like list_principals.
>
> The documentation could probably be clarified here; it talks about "the
> first matching entry", but doesn't say what has to match.

Aah, so are we saying I should try something like:

saltstack/admin admcil nfs/*
saltstack/admin ADMCIL *

Basically my end goal is to allow saltstack/admin to do what it likes (within reason) for nfs/* but keep it well away from anything more "important" (such as */admin).

> > admcil nfs/@KRBTEST.COM, are you saying I should not be putting the
> > wildcard asterisk after nfs/ ?
>
> The wildcard asterisk was there in the mail I sent out (I checked my
> outgoing mail), but was apparently mangled by a piece of email software.

Yes, you're right. Have read your original and indeed asterisk is there.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
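
The matching behaviour described in the quoted reply (an entry whose target does not match is skipped, and uppercase bits deny) can be checked with a small model. This is an added example, not part of the thread and not MIT krb5 code; the function names, the `*/admin *` entry and the test principals are constructed, and realms, restrictions and `*N` back-references are left out.

```python
# Simplified model of kadm5.acl evaluation (added example, not kadmind's code).
# Assumption: "*" matches only as a whole component or as the whole name.
ALL_OPS = set("admcilsp")  # what "x" or "*" expands to in the permissions field

def parse_acl(text):
    """Return a list of (client_pattern, allowed_ops, target_pattern_or_None)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        client, perms = fields[0], fields[1]
        target = fields[2] if len(fields) > 2 else None
        allowed = set()
        for ch in perms:
            if ch in "x*":
                allowed |= ALL_OPS
            elif ch.islower():
                allowed.add(ch)               # lowercase grants the operation
            else:
                allowed.discard(ch.lower())   # uppercase denies it
        entries.append((client, allowed, target))
    return entries

def name_matches(pattern, name):
    if pattern == "*":
        return True
    p, n = pattern.split("/"), name.split("/")
    return len(p) == len(n) and all(a in ("*", b) for a, b in zip(p, n))

def check(entries, client, op, target=None):
    """First entry matching BOTH client and target decides; otherwise deny."""
    for client_pat, allowed, target_pat in entries:
        if not name_matches(client_pat, client):
            continue
        if target_pat not in (None, "*"):
            # Entry names a target: skip it when the operation has no target
            # or a different one, and keep scanning later entries.
            if target is None or not name_matches(target_pat, target):
                continue
        return op in allowed
    return False

# Constructed ACLs: a deny-only line followed by a broad admin entry,
# and the two-line form proposed in the message.
DENY_THEN_ADMIN = "saltstack/admin ADMCIL nfs/*\n*/admin *\n"
PROPOSED = "saltstack/admin admcil nfs/*\nsaltstack/admin ADMCIL *\n"
```

With `DENY_THEN_ADMIN`, the first line blocks only nfs/ targets and everything else falls through to the broad entry; with `PROPOSED`, the second line stops that fall-through for `saltstack/admin`.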