Hi everyone,

Sorry for the spam if this list isn't the one I should use to discuss remctl 
(http://www.eyrie.org/~eagle/software/remctl/).

At IN2P3 Computing Centre, we're starting to use remctl for everything that 
requires privilege delegation (so far, this software seems perfect for what 
we want).

Anyway, the more we use it, the more we believe its default ACL bundle ("file, 
princ, deny, pcre, regex" from the EPEL version) is missing something related 
to *groups*.

For instance, we'd like to be able to allow "every member of team A" to execute 
one command on a particular host.
This way, we could allow "all members of a particular physics experiment" to 
release their AFS volumes, for instance.

We were unable to find a simple way to do this with the current remctl ACL 
methods, which is why we've submitted a first patch 
(https://github.com/rra/remctl/pull/1).
This patch introduces a new ACL method named "unxgrp" and is still not merged 
in master.
It was an easy (and fast to write) answer to our problem.

For now, the default EPEL remctl package comes with a "remctl server local only" 
ACL scheme (ACLs that only involve local remctl server resources).
What we're trying to do here is to introduce an ACL scheme (PTS or unxgrp) that 
could use network-based providers (and thus allow centralization and 
factorization of ACLs).


As we were writing this piece of code, we thought about the fact that at CC-IN2P3 
we are using OpenAFS.
AFS brings a PTS DB that could be used as a convenient way to distribute groups.

For instance, with the following PTS group:

    % pts mem remctl:testgrp -expand
    Expanded Members of remctl:testgrp (id: -6556) are:
      user1
      user2

we would be able to use the following ACL in the remctl configuration file:

    pts_group:remctl:testgrp

to allow user1 and user2 to execute a command.


Before any further development, we'd like to know if someone could be 
interested in that feature.
Does anyone think that we absolutely shouldn't do that?
If so, we'll talk about the implementation later.

More importantly for us, we'd like to know what Russ Allbery thinks about that, as 
he is the main developer of remctl.
Thank you in advance for your answer.


Thanks all for your answers and comments.

Cheers

-- 

Remi Ferrand             | Institut National de Physique Nucleaire
Tel. +33(0)4.78.93.08.80 |     et de Physique des Particules
Fax. +33(0)4.72.69.41.70 | Centre de Calcul - http://cc.in2p3.fr/
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
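As an added illustration of how the proposed "pts_group" method would slot into remctl-style ACL evaluation (this is my own Python sketch, not remctl's code, which is written in C, and not the code from the pull request above), the block below parses the `pts mem ... -expand` output shown in the post and evaluates ACL entries against a Kerberos principal. Everything not in the post is an assumption: the ACL semantics modelled (entries checked in order, a "deny:" prefix wrapping another method to refuse a match, the first positive match granting access, no match meaning refusal) follow my reading of remctl's documentation; the realm name EXAMPLE.ORG, the `principal_to_pts_user` mapping, and the `AclEvaluator` class are invented for the example. The mapping is where a practitioner should look hardest: PTS knows "user1", remctl sees "user1@REALM", and a group lookup that simply strips the realm would let user1@SOME.OTHER.REALM ride on the local user1's membership, so the example refuses foreign realms and multi-component principals.

```python
"""Toy evaluator for remctl-style ACL lines plus a "pts_group" method.

Added example, not remctl's own code.  ACL semantics, realm name and the
principal-to-PTS-user mapping are assumptions (see the lead-in).
"""
import re

# Constructed sample: the `pts mem remctl:testgrp -expand` output from the post.
PTS_OUTPUT = """\
Expanded Members of remctl:testgrp (id: -6556) are:
  user1
  user2
"""

LOCAL_REALM = "EXAMPLE.ORG"   # assumed Kerberos realm backing the AFS cell


def parse_pts_members(output):
    """Return the set of user names listed by `pts mem <group> -expand`.

    The first line is the "Expanded Members of ... are:" header; every
    following non-empty line is one member.
    """
    members = set()
    for line in output.splitlines()[1:]:
        name = line.strip()
        if name:
            members.add(name)
    return members


def principal_to_pts_user(principal, realm=LOCAL_REALM):
    """Map user@REALM to a PTS user name, or None if it must not match.

    Assumption: only single-component principals in the local realm
    correspond to PTS users.  A cross-realm user1@OTHER.REALM, or an
    instance such as user1/admin@REALM, must not inherit user1's groups.
    """
    if "@" not in principal:
        return None
    user, _, prealm = principal.rpartition("@")
    if prealm != realm or "/" in user or not user:
        return None
    return user


class AclEvaluator:
    """Evaluates a list of "method:data" ACL entries for one principal."""

    def __init__(self, pts_groups, realm=LOCAL_REALM):
        # group name -> set of PTS user names; a constructed stand-in for
        # querying the PTS database over the network.
        self.pts_groups = pts_groups
        self.realm = realm

    def match(self, entry, principal):
        # Split on the FIRST colon only: the group name in
        # "pts_group:remctl:testgrp" itself contains a colon.
        method, _, data = entry.partition(":")
        if method == "princ":
            return principal == data
        if method in ("pcre", "regex"):
            # Approximation: remctl's regex method uses POSIX ERE, pcre uses PCRE;
            # Python's re stands in for both here.
            return re.search(data, principal) is not None
        if method == "pts_group":
            user = principal_to_pts_user(principal, self.realm)
            return user is not None and user in self.pts_groups.get(data, set())
        # "file:" (include another ACL file) is omitted from this sketch.
        raise ValueError("unknown ACL method: %s" % method)

    def allowed(self, acl, principal):
        for entry in acl:
            if entry.startswith("deny:"):
                # A deny entry refuses access as soon as its inner method matches.
                if self.match(entry[len("deny:"):], principal):
                    return False
                continue
            if self.match(entry, principal):
                return True
        return False   # no entry matched: refuse


if __name__ == "__main__":
    groups = {"remctl:testgrp": parse_pts_members(PTS_OUTPUT)}
    ev = AclEvaluator(groups)
    acl = ["deny:princ:user2@EXAMPLE.ORG", "pts_group:remctl:testgrp"]
    for p in ("user1@EXAMPLE.ORG", "user2@EXAMPLE.ORG",
              "user1@OTHER.ORG", "user1/admin@EXAMPLE.ORG"):
        print("%-25s %s" % (p, "allowed" if ev.allowed(acl, p) else "refused"))
```

With the sample ACL in the `__main__` block, user1@EXAMPLE.ORG is allowed through the group, user2@EXAMPLE.ORG is refused by the earlier deny entry even though PTS lists user2 as a member, and the foreign-realm and instance principals are refused because they never map to a PTS user.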