author | Pedro Alvarez <pedro.alvarez@codethink.co.uk> | 2014-07-14 15:10:09 +0000 |
---|---|---|
committer | Pedro Alvarez <pedro.alvarez@codethink.co.uk> | 2014-07-14 15:10:09 +0000 |
commit | 160fd3f2f1d372751836c0073bdc944df1cfbb91 (patch) | |
tree | d6b46ce1ec600400883e53b82e12b390fa73f262 /share/gitano/skel/gitano-admin/rules/aschecks.lace | |
parent | eafba37e2bfc3897e3e7f65f2ce087fbee358f43 (diff) | |
parent | d349c9a35d3d53ebfc9f26df373e84fa5986a1b6 (diff) | |
download | trove-setup-160fd3f2f1d372751836c0073bdc944df1cfbb91.tar.gz |
Merge branch 'baserock/pedroalvarez/trove-ansible3'
Reviewed-by: Richard Maw
Reviewed-by: Lars Wirzenius
Diffstat (limited to 'share/gitano/skel/gitano-admin/rules/aschecks.lace')
-rw-r--r-- | share/gitano/skel/gitano-admin/rules/aschecks.lace | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/share/gitano/skel/gitano-admin/rules/aschecks.lace b/share/gitano/skel/gitano-admin/rules/aschecks.lace
new file mode 100644
index 0000000..fc76440
--- /dev/null
+++ b/share/gitano/skel/gitano-admin/rules/aschecks.lace
@@ -0,0 +1,30 @@
+# _____
+# |_ _| __ _____ _____
+# | || '__/ _ \ \ / / _ \
+# | || | | (_) \ V / __/
+# |_||_| \___/ \_/ \___|
+#
+# Copyright 2012 Codethink Limited
+#
+# Rules for when we're running as another user.
+
+# Only 'deny' things which are not allowed. If you 'allow' then it will allow
+# the actual operation, not just fail to deny the fact that it's 'as' someone
+# else.
+
+define as_is_admin as_group gitano-admin
+
+# trove-admin members are permitted to run sshkey and whoami on behalf
+# of others in order to check users and grant access, providing the target
+# user is not part of the gitano-admin group.
+
+define as_is_trove_admin as_group trove-admin
+define as_trove_admin_ok allof as_is_trove_admin !is_admin op_self
+
+# You are permitted to do things 'as' others if and only if the caller is
+# either a member of the administration group, or else meets the above
+# requirements.
+define as_is_ok anyof as_is_admin as_trove_admin_ok
+
+# Explicitly deny any impersonation operation which does not meet the above.
+deny "You may not run things as another user unless you are an admin" !as_is_ok |
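Review bot: The line `define as_trove_admin_ok allof as_is_trove_admin !is_admin op_self` is the whole security boundary for trove-admin impersonation, yet it leans on two predicates, `is_admin` and `op_self`, that are not defined in this file, and the comment above it asserts the "sshkey and whoami" restriction as if this file enforced it. If `op_self` is defined more broadly elsewhere (presumably in the core gitano-admin rules), a trove-admin could run any operation as any non-admin user without this file changing, so the dependency should be stated and the two evaluation contexts made explicit, since confusing them would let a trove-admin impersonate a gitano-admin. I would add, directly above that define: `# is_admin and op_self come from the core rules; is_admin is evaluated against the` / `# target ('as') user, whereas as_group above is evaluated against the real caller.` / `# Keep op_self limited to sshkey/whoami there, or this rule stops meaning what it says.` It would also help to note on the `as_is_ok` definition that passing it only lifts this deny; the impersonated operation is still judged by the ordinary rules for the target user, if that is indeed how the engine proceeds.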