[tac_plus] Re: Multiple groups, multiple ACL-s

Kiss Gabor (Bitman) kissg at ssg.ki.iif.hu
Fri Apr 2 14:00:54 UTC 2010


> New debug is attached, and you can also see steps in that file. Thanks and 
> Happy Easter as well.

Thanks.

Here is your present: I got it. :-)

Compare the output of processes 22044 and 32152.
Both serve an authorization request:
name=karen cmdname=show

And they are very identical:
: cfg_get_cmd_node: name=karen cmdname=show rec=1
: cfg_get_cmd_node: recurse group=net-staff-all-r depth=1
: cfg_get_cmd_node: recurse group=net-staff-r depth=2
: cfg_get_cmd_node: found cmd show node N_svc_cmd

The program does not care about the ACL, as I suspected, but in both
cases it finds the restrictive "cmd = show {...}" section in
group net-staff-r.

Similarly, both processes 11679 and 18484 accepted the same request
with the modified config, as I hoped.

I'm afraid your problem cannot be solved with the current
semantics of the config file.
Maybe I could add this new feature, but this would break
old, existing configs; therefore I'd lose all chance
of my patch being incorporated in the mainstream code.
(John? Any comment? :-)

At least a new global option
(apply_acl = "cmd, user, before authorization" or so)
should be introduced to maintain backwards compatibility.

Regards

Gabor

