author | Daniel Silverstone <daniel.silverstone@codethink.co.uk> | 2012-09-07 17:02:09 +0100 |
---|---|---|
committer | Daniel Silverstone <daniel.silverstone@codethink.co.uk> | 2012-09-07 17:02:09 +0100 |
commit | 57f53edd217b06031cfa003c620b553292ebd5e7 (patch) | |
tree | d1ed82e5aff8e771b37071911ca7ad32b24ba0d0 /gitano-admin/rules/aschecks.lace | |
parent | fb652434121c382fc622845ec714c2a14f2fde58 (diff) | |
download | trove-setup-57f53edd217b06031cfa003c620b553292ebd5e7.tar.gz |
Update ruleset
Diffstat (limited to 'gitano-admin/rules/aschecks.lace')
-rw-r--r-- | gitano-admin/rules/aschecks.lace | 29 |
1 files changed, 22 insertions, 7 deletions
diff --git a/gitano-admin/rules/aschecks.lace b/gitano-admin/rules/aschecks.lace
index 2fb2ae6..467e8a4 100644
--- a/gitano-admin/rules/aschecks.lace
+++ b/gitano-admin/rules/aschecks.lace
@@ -1,14 +1,29 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
 # Rules for when we're running as another user.
-# Only 'deny' things which are not allowed.
-# If you 'allow' then it will allow the actual operation, not just
-# fail to deny the fact that it's 'as' someone else.
+
+# Only 'deny' things which are not allowed. If you 'allow' then it will allow
+# the actual operation, not just fail to deny the fact that it's 'as' someone
+# else.
 define as_is_admin as_group gitano-admin
-# ct-admin members are permitted to run sshkey and whoami on behalf of others
-define as_is_ct_admin as_group ct-admin
-define as_ct_admin_ok allof as_is_ct_admin op_self
+# trove-admin members are permitted to run sshkey and whoami on behalf
+# of others in order to check users and grant access
+
+define as_is_trove_admin as_group trove-admin
+define as_trove_admin_ok allof as_is_trove_admin op_self
-define as_is_ok anyof as_is_admin as_ct_admin_ok
+# You are permitted to do things 'as' others if and only if the caller is
+# either a member of the administration group, or else meets the above
+# requirements.
+define as_is_ok anyof as_is_admin as_trove_admin_ok
+# Explicitly deny any impersonation operation which does not meet the above.
 deny "You may not run things as another user unless you are an admin" !as_is_ok
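Review bot: The new comment above `define as_is_trove_admin` says trove-admin members may run sshkey and whoami on behalf of others, but the rule that follows, `define as_trove_admin_ok allof as_is_trove_admin op_self`, bounds the permission by `op_self` alone, so the comment describes the intent rather than the enforced scope; whether `op_self` is limited to exactly those two operations cannot be confirmed from this file, and if it admits more, the comment under-states what this group may do while impersonating. Because an impersonated sshkey call lets a trove-admin member add keys to another user's account, membership of `trove-admin` is effectively an administrative grant over every account it can act 'as', and the comment should say so rather than only "check users and grant access", e.g. `# Note: impersonated sshkey lets the caller add keys to the target's account; treat trove-admin membership as a privileged grant and review it accordingly.` It would also help future readers to state next to `op_self` which operations it matches, so that the comment and the rule can be checked against each other when the ruleset is next edited.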