[tac_plus] Re: tac_plus enhancement
Kiss Gabor (Bitman)
kissg at ssg.ki.iif.hu
Mon Aug 13 06:59:00 UTC 2007
> > I think it would be useful if a user or group could be member
> > of multiple groups.
> How do you propose conflicts of attributes between groups be resolved?
This problem is like in object oriented languages: if more than
one parent class provides the same method which one is to be executed?
I made an arbitrary decision. I like PERL so I follow the PERL model:
I do a recursive, depth-first, left-to-right search till I found
the requested attribute.
However the primary goal of this enhancement is to allow fine grained
but simple configuration.
In the tipical case there are no conflicting attributes.
Properties should be organized into orthogonal groups, i.e. NAS location
and allowed commands:
acl = core_routers {
permit = ...
}
acl = local_switches {
permit = ...
}
group = red {
acl = core_routers
}
group = green {
acl = local_switches
}
group = show_ip {
cmd = show {
permit ^ip
}
}
group = telnet_private {
cmd = telnet {
permit ^192\.168\.
}
}
user = chico {
member green
member telnet_private
}
user = harpo {
member green
member show_ip
}
user zeppo {
member red
member telnet_private
}
Gabor
More information about the tac_plus
mailing list