author | Russ Allbery <rra@stanford.edu> | 2008-02-13 01:43:54 +0000
committer | Russ Allbery <rra@stanford.edu> | 2008-02-13 01:43:54 +0000
commit | 48b1e8f46c35519cb83c332660e266f6392f65b6
tree | fccea81910349eb64259614c933518201306d34f /docs/design-acl
parent | ab266a02f85fd711ca5b83c5dd6e6f302776b45b
Update the design documentation to reflect the current protocol and
implementation.
Diffstat (limited to 'docs/design-acl')
-rw-r--r-- | docs/design-acl | 24 |
1 files changed, 16 insertions, 8 deletions
diff --git a/docs/design-acl b/docs/design-acl index d2ddb32..dde3395 100644 --- a/docs/design-acl +++ b/docs/design-acl @@ -55,19 +55,27 @@ ACL Schemes The <identifier> is a fully-qualified Kerberos principal. Access is granted if the principal of the client matches <identifier>. - ldap-entitlement - - <identifier> is an entitlement. If the entitlement attribute of the - LDAP entry corresponding to the given principal contains the - entitlement specified in <identifier>, access is granted. - netdb <identifier> is the name of a system. Access is granted if the user is listed as an administrator, user, or admin team member of the host in NetDB (Stanford's system management database). + netdb-root + + This is almost identical to netdb except that the user must be in the + form of a root instance (<user>/root) and the "/root" portion is + stripped before checking the NetDB roles. + + ldap-entitlement + + (Not yet implemented.) <identifier> is an entitlement. If the + entitlement attribute of the LDAP entry corresponding to the given + principal contains the entitlement specified in <identifier>, access + is granted. + pts - <identifier> is the name of an AFS PTS group. Access is granted if - the principal of the user is a member of that AFS PTS group. + (Not yet implemented.) <identifier> is the name of an AFS PTS group. + Access is granted if the principal of the user is a member of that AFS + PTS group. |
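Review bot: the new netdb-root paragraph says the user "must be in the form of a root instance (<user>/root)" and that "/root" is stripped before the NetDB roles are checked, but it does not say what happens to a principal that has no instance or a different one (for example <user>/admin). Since the stripping step is the only thing that distinguishes netdb-root from netdb, the text should state explicitly that such principals are denied rather than falling through to the plain netdb check; a sentence such as "Principals that are not root instances are always denied" would close that gap. It would also help to say whether the realm is kept when the remaining <user> part is looked up in NetDB, because the netdb entry above only speaks of "the user" without saying how a Kerberos principal maps to a NetDB role holder. Minor: ldap-entitlement moves from before netdb to after netdb-root, so the list is no longer in alphabetical order; if the intent is to group the two "(Not yet implemented.)" schemes at the end, saying so in the text would make the ordering look deliberate rather than accidental.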