authorDaniel Silverstone <daniel.silverstone@codethink.co.uk>2012-09-07 14:29:43 +0100
committerDaniel Silverstone <daniel.silverstone@codethink.co.uk>2012-09-07 14:29:43 +0100
commitfb652434121c382fc622845ec714c2a14f2fde58 (patch)
tree5454fa43967ebb883173057c5f45fb318b818824 /gitano-admin/rules/aschecks.lace
parent860ec2f6436ac7cba31969ab13f163c9fbe691d6 (diff)
downloadtrove-setup-fb652434121c382fc622845ec714c2a14f2fde58.tar.gz
Initial ruleset and beginnings of gitano-admin overlay
Diffstat (limited to 'gitano-admin/rules/aschecks.lace')
-rw-r--r--gitano-admin/rules/aschecks.lace14
1 files changed, 14 insertions, 0 deletions
diff --git a/gitano-admin/rules/aschecks.lace b/gitano-admin/rules/aschecks.lace
new file mode 100644
index 0000000..2fb2ae6
--- /dev/null
+++ b/gitano-admin/rules/aschecks.lace
@@ -0,0 +1,14 @@
+# Rules for when we're running as another user.
+# Only 'deny' things which are not allowed.
+# If you 'allow' then it will allow the actual operation, not just
+# fail to deny the fact that it's 'as' someone else.
+
+define as_is_admin as_group gitano-admin
+
+# ct-admin members are permitted to run sshkey and whoami on behalf of others
+define as_is_ct_admin as_group ct-admin
+define as_ct_admin_ok allof as_is_ct_admin op_self
+
+define as_is_ok anyof as_is_admin as_ct_admin_ok
+
+deny "You may not run things as another user unless you are an admin" !as_is_ok
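Review bot: The comment above `define as_is_ct_admin as_group ct-admin` says ct-admin members may run sshkey and whoami on behalf of others, but the rule that actually grants this, `define as_ct_admin_ok allof as_is_ct_admin op_self`, is bounded by `op_self` rather than by those two commands, so the permitted set is whatever `op_self` matches and the comment may overstate or understate it. If `op_self` covers exactly those commands, the comment should say so explicitly (e.g. `# ct-admin members may perform op_self operations (currently sshkey and whoami) on behalf of others`); if a narrower grant is intended, the definition should be tightened to the specific operations rather than relying on the comment. It would also help to note next to the final deny that this ruleset is reached only for as-user invocations, which is what the file-level header implies but nothing in the hunk enforces, so that a later edit does not turn this into a blanket deny.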